diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 00000000..23fcbccc
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 00000000..bbcbbe7d
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 00000000..3f3d19f4
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,23 @@
+
+# Overview/Summary
+
+Replace this with a brief description of what this Pull Request fixes, changes, etc.
+
+## This PR fixes/adds/changes/removes
+
+1. *Replace me*
+2. *Replace me*
+3. *Replace me*
+
+### Breaking Changes
+
+1. *Replace me*
+2. *Replace me*
+
+## Testing Evidence
+
+Replace this with any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).
+
+# Documentation
+
+Related wiki link or design document, if applicable.
diff --git a/.gitignore b/.gitignore
index 8a30d258..24ad4da6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,398 +1,27 @@ -## Ignore Visual Studio temporary files, build results, and -## files generated by popular Visual Studio add-ons. -## -## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore - -# User-specific files -*.rsuser -*.suo -*.user -*.userosscache -*.sln.docstates - -# User-specific files (MonoDevelop/Xamarin Studio) -*.userprefs - -# Mono auto generated files -mono_crash.* - -# Build results -[Dd]ebug/ -[Dd]ebugPublic/ -[Rr]elease/ -[Rr]eleases/ -x64/ -x86/ -[Ww][Ii][Nn]32/ -[Aa][Rr][Mm]/ -[Aa][Rr][Mm]64/ -bld/ -[Bb]in/ -[Oo]bj/ -[Ll]og/ -[Ll]ogs/ - -# Visual Studio 2015/2017 cache/options directory -.vs/ -# Uncomment if you have tasks that create the project's static files in wwwroot -#wwwroot/ - -# Visual Studio 2017 auto generated files -Generated\ Files/ - -# MSTest test Results -[Tt]est[Rr]esult*/ -[Bb]uild[Ll]og.* - -# NUnit -*.VisualState.xml -TestResult.xml -nunit-*.xml - -# Build Results of an ATL Project -[Dd]ebugPS/ -[Rr]eleasePS/ -dlldata.c - -# Benchmark Results -BenchmarkDotNet.Artifacts/ - -# .NET Core -project.lock.json -project.fragment.lock.json -artifacts/ - -# ASP.NET Scaffolding -ScaffoldingReadMe.txt - -# StyleCop -StyleCopReport.xml - -# Files built by Visual Studio -*_i.c -*_p.c -*_h.h -*.ilk -*.meta -*.obj -*.iobj -*.pch -*.pdb -*.ipdb -*.pgc -*.pgd -*.rsp -*.sbr -*.tlb -*.tli -*.tlh -*.tmp -*.tmp_proj -*_wpftmp.csproj -*.log -*.tlog -*.vspscc -*.vssscc -.builds -*.pidb -*.svclog -*.scc - -# Chutzpah Test files -_Chutzpah* - -# Visual C++ cache files -ipch/ -*.aps -*.ncb -*.opendb -*.opensdf -*.sdf -*.cachefile -*.VC.db -*.VC.VC.opendb - -# Visual Studio profiler -*.psess -*.vsp -*.vspx -*.sap - -# Visual Studio Trace Files -*.e2e - -# TFS 2012 Local Workspace -$tf/ - -# Guidance Automation Toolkit -*.gpState - -# ReSharper is a .NET coding add-in -_ReSharper*/ -*.[Rr]e[Ss]harper -*.DotSettings.user - -# TeamCity is a build add-in -_TeamCity* - -# DotCover is a Code Coverage Tool -*.dotCover - 
-# AxoCover is a Code Coverage Tool -.axoCover/* -!.axoCover/settings.json - -# Coverlet is a free, cross platform Code Coverage Tool -coverage*.json -coverage*.xml -coverage*.info - -# Visual Studio code coverage results -*.coverage -*.coveragexml - -# NCrunch -_NCrunch_* -.*crunch*.local.xml -nCrunchTemp_* - -# MightyMoose -*.mm.* -AutoTest.Net/ - -# Web workbench (sass) -.sass-cache/ - -# Installshield output folder -[Ee]xpress/ - -# DocProject is a documentation generator add-in -DocProject/buildhelp/ -DocProject/Help/*.HxT -DocProject/Help/*.HxC -DocProject/Help/*.hhc -DocProject/Help/*.hhk -DocProject/Help/*.hhp -DocProject/Help/Html2 -DocProject/Help/html - -# Click-Once directory -publish/ - -# Publish Web Output -*.[Pp]ublish.xml -*.azurePubxml -# Note: Comment the next line if you want to checkin your web deploy settings, -# but database connection strings (with potential passwords) will be unencrypted -*.pubxml -*.publishproj - -# Microsoft Azure Web App publish settings. Comment the next line if you want to -# checkin your Azure Web App publish settings, but sensitive information contained -# in these scripts will be unencrypted -PublishScripts/ - -# NuGet Packages -*.nupkg -# NuGet Symbol Packages -*.snupkg -# The packages folder can be ignored because of Package Restore -**/[Pp]ackages/* -# except build/, which is used as an MSBuild target. 
-!**/[Pp]ackages/build/ -# Uncomment if necessary however generally it will be regenerated when needed -#!**/[Pp]ackages/repositories.config -# NuGet v3's project.json files produces more ignorable files -*.nuget.props -*.nuget.targets - -# Microsoft Azure Build Output -csx/ -*.build.csdef - -# Microsoft Azure Emulator -ecf/ -rcf/ - -# Windows Store app package directories and files -AppPackages/ -BundleArtifacts/ -Package.StoreAssociation.xml -_pkginfo.txt -*.appx -*.appxbundle -*.appxupload - -# Visual Studio cache files -# files ending in .cache can be ignored -*.[Cc]ache -# but keep track of directories ending in .cache -!?*.[Cc]ache/ - -# Others -ClientBin/ -~$* -*~ -*.dbmdl -*.dbproj.schemaview -*.jfm -*.pfx -*.publishsettings -orleans.codegen.cs - -# Including strong name files can present a security risk -# (https://github.com/github/gitignore/pull/2483#issue-259490424) -#*.snk - -# Since there are multiple workflows, uncomment next line to ignore bower_components -# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) -#bower_components/ - -# RIA/Silverlight projects -Generated_Code/ - -# Backup & report files from converting an old project file -# to a newer Visual Studio version. Backup files are not needed, -# because we have git ;-) -_UpgradeReport_Files/ -Backup*/ -UpgradeLog*.XML -UpgradeLog*.htm -ServiceFabricBackup/ -*.rptproj.bak - -# SQL Server files -*.mdf -*.ldf -*.ndf - -# Business Intelligence projects -*.rdl.data -*.bim.layout -*.bim_*.settings -*.rptproj.rsuser -*- [Bb]ackup.rdl -*- [Bb]ackup ([0-9]).rdl -*- [Bb]ackup ([0-9][0-9]).rdl - -# Microsoft Fakes -FakesAssemblies/ - -# GhostDoc plugin setting file -*.GhostDoc.xml - -# Node.js Tools for Visual Studio -.ntvs_analysis.dat -node_modules/ - -# Visual Studio 6 build log -*.plg - -# Visual Studio 6 workspace options file -*.opt - -# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
-*.vbw - -# Visual Studio 6 auto-generated project file (contains which files were open etc.) -*.vbp - -# Visual Studio 6 workspace and project file (working project files containing files to include in project) -*.dsw -*.dsp - -# Visual Studio 6 technical files -*.ncb -*.aps - -# Visual Studio LightSwitch build output -**/*.HTMLClient/GeneratedArtifacts -**/*.DesktopClient/GeneratedArtifacts -**/*.DesktopClient/ModelManifest.xml -**/*.Server/GeneratedArtifacts -**/*.Server/ModelManifest.xml -_Pvt_Extensions - -# Paket dependency manager -.paket/paket.exe -paket-files/ - -# FAKE - F# Make -.fake/ - -# CodeRush personal settings -.cr/personal - -# Python Tools for Visual Studio (PTVS) -__pycache__/ -*.pyc - -# Cake - Uncomment if you are using it -# tools/** -# !tools/packages.config - -# Tabs Studio -*.tss - -# Telerik's JustMock configuration file -*.jmconfig - -# BizTalk build output -*.btp.cs -*.btm.cs -*.odx.cs -*.xsd.cs - -# OpenCover UI analysis results -OpenCover/ - -# Azure Stream Analytics local run output -ASALocalRun/ - -# MSBuild Binary and Structured Log -*.binlog - -# NVidia Nsight GPU debugger configuration file -*.nvuser - -# MFractors (Xamarin productivity tool) working folder -.mfractor/ - -# Local History for Visual Studio -.localhistory/ - -# Visual Studio History (VSHistory) files -.vshistory/ - -# BeatPulse healthcheck temp database -healthchecksdb - -# Backup folder for Package Reference Convert tool in Visual Studio 2017 -MigrationBackup/ - -# Ionide (cross platform F# VS Code tools) working folder -.ionide/ - -# Fody - auto-generated XML schema -FodyWeavers.xsd - -# VS Code files for those working on multiple tools -.vscode/* -!.vscode/settings.json -!.vscode/tasks.json -!.vscode/launch.json -!.vscode/extensions.json -*.code-workspace - -# Local History for Visual Studio Code -.history/ - -# Windows Installer files from build outputs -*.cab -*.msi -*.msix -*.msm -*.msp - -# JetBrains Rider -*.sln.iml +# Ignore bicep build output files and 
keep required json in other locations +slz-build-log.txt + +# Ignore Visual Studio Code user folder +.vs +.vscode + +# Ignore NuGet packages folder +packages/* + +# Ignore bicep build output json and keep required json in other locations +modules/**/*.json +!modules/**/dashboard/templates/* +!modules/**/parameters/*.parameters.json +!modules/**/policyAssignments/* +!modules/**/policySetDefinitions/* +orchestration/**/*.json +!orchestration/const/*.json +!orchestration/**/parameters/*.parameters.json +orchestration/scripts/outputs/* +# ignore all files added or modified by Invoke-SlzDefaultandCustomPolicyToBicep.ps1 +dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_*.txt +dependencies/infra-as-code/bicep/modules/policy/definitions/alzPolicySetDefinitions.bicep +dependencies/infra-as-code/bicep/modules/policy/definitions/slz-*.bicep +dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_*.txt +dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_*.txt +dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/slz*.json diff --git a/README.md b/README.md index 5cd7cecf..e23a8ed8 100644 --- a/README.md +++ b/README.md 
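Review bot: The replacement list drops the template rules that kept credential-bearing artifacts out of the repository — `*.pfx`, `*.publishsettings`, `*.pubxml` and `PublishScripts/` are all removed in this hunk and nothing in the new list covers them, so a certificate or publish profile left in the working tree by a local deployment would be picked up by a blanket `git add`. Carry those patterns over, e.g. `*.pfx`, `*.publishsettings`, `*.pubxml`, next to the `.vs`/`.vscode` entries. Separately, the first comment `# Ignore bicep build output files and keep required json in other locations` sits above `slz-build-log.txt` and is repeated almost verbatim above the `modules/**/*.json` rule; reword the first one to `# Ignore SLZ build log` so the two comments describe different rules.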
@@ -1,14 +1,8 @@ -# Project +# Sovereign Landing Zone Preview -> This repo has been populated by an initial template to help get you started. Please -> make sure to update the content to build a great experience for community-building. +The Sovereign Landing Zone (SLZ) Preview provides opinionated infrastructure-as-code automation for deploying workloads that help meet certain regulatory compliance requirements for the public sector and government agencies around the world. -As the maintainer of this project, please make a few updates: - -- Improving this README.MD file to provide a great experience -- Updating SUPPORT.MD with content about this project's support experience -- Understanding the security reporting process in SECURITY.MD -- Remove this section from the README +You can begin by navigating to the [Overview](/docs/01-Overview.md) document to begin. The documentation will cover the concepts around SLZ Preview, architecture, and deployment paths. Please reference [FAQ's](/docs/12-FAQ.md) for common questions and [Troubleshooting](/docs/13-Troubleshooting.md) for common issues. ## Contributing 
@@ -24,10 +18,23 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. +## Shared responsibility and customer responsibilities + +To ensure your data is secure and your privacy controls are addressed, we recommend that you follow a set of best practices when deploying into Azure: + +- [Azure security best practices and patterns](https://learn.microsoft.com/azure/security/fundamentals/best-practices-and-patterns) +- [Microsoft Services in Cybersecurity](https://learn.microsoft.com/azure/security/fundamentals/cyber-services) + +Protecting your data also requires that all aspects of your security and compliance program include your cloud infrastructure and data. The following guidance can help you to secure your deployment. + ## Trademarks -This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft -trademarks or logos is subject to and must follow -[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). +This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft +trademarks or logos is subject to and must follow +[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies. + +## Preview Notice + +**Preview Terms**. 
The Sovereign Landing Zone Preview (the "PREVIEW") is licensed to you as part of your [Azure subscription](https://azure.microsoft.com/en-us/support/legal/) and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the Microsoft Product Terms and the [Microsoft Products and Services Data Protection Addendum ("DPA")](https://www.microsoft.com/licensing/terms/welcome/welcomepage). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, you should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the [DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability. diff --git a/SECURITY.md b/SECURITY.md index e138ec5d..869fdfe2 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,8 +1,8 @@ - + ## Security -Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. diff --git a/SUPPORT.md b/SUPPORT.md index 291d4d43..1769b977 100644 --- a/SUPPORT.md +++ b/SUPPORT.md 
@@ -1,25 +1,27 @@ -# TODO: The maintainer of this repo has not yet edited this file - -**REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project? - -- **No CSS support:** Fill out this template with information about how to file issues and get help. -- **Yes CSS support:** Fill out an intake form at [aka.ms/onboardsupport](https://aka.ms/onboardsupport). CSS will work with/help you to determine next steps. -- **Not sure?** Fill out an intake as though the answer were "Yes". CSS will help you decide. - -*Then remove this first heading from this SUPPORT.MD file before publishing your repo.* - -# Support - -## How to file issues and get help - -This project uses GitHub Issues to track bugs and feature requests. Please search the existing -issues before filing new issues to avoid duplicates. For new issues, file your bug or -feature request as a new Issue. - -For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE -FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER -CHANNEL. WHERE WILL YOU HELP PEOPLE?**. - -## Microsoft Support Policy - -Support for this **PROJECT or PRODUCT** is limited to the resources listed above. +# Support + +## SLZ support scope + +Customers who request support for design guidance or development assistance may be directed to file a GitHub issue. Customers may also have to work with our Microsoft solution architects, Microsoft partners or software vendors directly for scenarios that aren't supported by the Microsoft customer support team. 
Examples include, but aren't limited to: + +* Application development +* Cloud deployment architecture +* Troubleshooting custom applications +* Custom code + +The following are some of the scenarios that the Microsoft support team will assist with: + +* Issues that occur during installation or configuration +* Deployment errors that occur when customers try to deploy applications to the Azure platform and services +* Runtime errors that occur when customers use the Azure platform and services +* Performance issues that affect applications that were built by using the supported open-source technologies on the Azure platform and services + +Any issues that are deemed outside of the above list by Microsoft support and/or requires bugfix in the Template or Code in the repo, Microsoft support will redirect user to file the issue on GitHub or to contact their Microsoft solution architect or representative (when applicable). + +## How to file issues and get help + +If you have questions or need help, [create a support request](https://ms.portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview), or file a [GitHub issue](https://github.com/Azure/sovereign-landing-zone/issues). + +This project uses GitHub issues to track bugs and feature requests. Please search for the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new Issue. Please provide as much information as possible when filing an issue. Include screenshots or correlations IDs if possible (please redact any sensitive information). For instructions on how to get deployments and correlation ID, please follow this link [here](https://learn.microsoft.com/azure/azure-resource-manager/templates/deployment-history?tabs=azure-portal#get-deployments-and-correlation-id). + +Project maintainers aim to investigate within 1 business day and provide guidance/workarounds within 3 business days of GitHub issue submission. 
\ No newline at end of file
diff --git a/bicepconfig.json b/bicepconfig.json
new file mode 100644
index 00000000..eae08729
--- /dev/null
+++ b/bicepconfig.json
@@ -0,0 +1,88 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": false,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "warning"
+ },
+ "artifacts-parameters": {
+ "level": "warning"
+ },
+ "explicit-values-for-loc-params": {
+ "level": "warning"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "warning"
+ },
+ "no-hardcoded-location": {
+ "level": "warning"
+ },
+ "no-unnecessary-dependson": {
+ "level": "warning"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "warning"
+ },
+ "no-unused-existing-resources": {
+ "level": "warning"
+ },
+ "no-unused-params": {
+ "level": "warning"
+ },
+ "no-unused-vars": {
+ "level": "warning"
+ },
+ "max-outputs": {
+ "level": "warning"
+ },
+ "max-params": {
+ "level": "warning"
+ },
+ "max-resources": {
+ "level": "warning"
+ },
+ "max-variables": {
+ "level": "warning"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "warning"
+ },
+ "prefer-interpolation": {
+ "level": "warning"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "warning"
+ },
+ "prefer-unquoted-property-names": {
+ "level": "warning"
+ },
+ "use-stable-vm-image": {
+ "level": "warning"
+ },
+ "use-recent-api-versions": {
+ "level": "warning"
+ },
+ "use-resource-id-functions": {
+ "level": "warning"
+ },
+ "use-stable-resource-identifiers": {
+ "level": "warning"
+ },
+ "secure-parameter-default": {
+ "level": "warning"
+ },
+ "secure-params-in-nested-deploy": {
+ "level": "warning"
+ },
+ "secure-secrets-in-params": {
+ "level": "warning"
+ },
+ "simplify-interpolation": {
+ "level": "warning"
+ }
+ }
+ }
+ }
+}
diff --git a/custom/dashboard/compliance/tiles-sample.json b/custom/dashboard/compliance/tiles-sample.json
new file mode 100644
index 00000000..59ee022c
--- /dev/null
+++ b/custom/dashboard/compliance/tiles-sample.json
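Review bot: Every rule in the new bicepconfig.json is pinned to `"level": "warning"`, including the secret-handling checks (`outputs-should-not-contain-secrets`, `secure-secrets-in-params`, `secure-params-in-nested-deploy`, `protect-commandtoexecute-secrets`, `secure-parameter-default`, `adminusername-should-not-be-literal`), so a template that exposes a secret through an output or a plain-text parameter still builds cleanly and only shows up as linter noise. For those rules I would set `"level": "error"` so the build fails closed, e.g. `"outputs-should-not-contain-secrets": { "level": "error" },`, and leave the style rules at warning. As far as I can tell the file otherwise restates the linter's defaults, so a short note in the docs on which rules are intentionally fatal would help the next maintainer.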
@@ -0,0 +1,51 @@ +[ + { + "position": { + "x": 0, + "y": 41, + "colSpan": 16, + "rowSpan": 4 + }, + "metadata": { + "inputs": [ + { + "name": "isShared", + "isOptional": true + }, + { + "name": "queryId", + "isOptional": true + }, + { + "name": "partTitle", + "value": "Custom query 1 - compliance percentage by policy group", + "isOptional": true + }, + { + "name": "query", + "value": "PolicyResources| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/mcfs'| extend policyDefinitionId = tolower(properties.policyDefinitionId), policyGroups = properties.policyDefinitionGroupNames, policySetDefinitionName = tolower(properties.policySetDefinitionName)| mv-expand parsed_policy_groups = policyGroups| where parsed_policy_groups hasprefix 'dashboard-'| extend parsed_policy_groups = trim('dashboard-',tostring(parsed_policy_groups))| project properties, policyDefinitionId, parsed_policy_groups| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), stateWeight = tolong(properties.stateWeight)| summarize max(stateWeight) by resourceId, tostring(parsed_policy_groups)| summarize counts = count() by tostring(parsed_policy_groups), max_stateWeight| summarize nonCompliantCount = sumif(counts, max_stateWeight == 300), compliantCount = sumif(counts, max_stateWeight == 200), conflictCount = sumif(counts, max_stateWeight == 100), exemptCount = sumif(counts, max_stateWeight == 50) by tostring(parsed_policy_groups)| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)| extend totalCompliantResources = todouble(compliantCount + exemptCount)| extend compliancePercentage = iff(totalResources == 0 or (totalCompliantResources == 0 and nonCompliantCount == 0), todouble(100), 100 * totalCompliantResources / totalResources)| project toupper(parsed_policy_groups), compliancePercentageEx = 
toint(round(compliancePercentage, 1))| order by compliancePercentageEx asc",
+ "isOptional": true
+ },
+ {
+ "name": "chartType",
+ "value": 1,
+ "isOptional": true
+ },
+ {
+ "name": "queryScope",
+ "value": {
+ "scope": 0,
+ "values": []
+ },
+ "isOptional": true
+ }
+ ],
+ "type": "Extension/HubsExtension/PartType/ArgQueryChartTile",
+ "settings": {},
+ "partHeader": {
+ "title": "Custom Query 1 - per policy group",
+ "subtitle": "Hover over bar to see policy group name and its compliance percentage"
+ }
+ }
+ }
+]
diff --git a/custom/dashboard/compliance/tiles.json b/custom/dashboard/compliance/tiles.json
new file mode 100644
index 00000000..fe51488c
--- /dev/null
+++ b/custom/dashboard/compliance/tiles.json
@@ -0,0 +1 @@
+[]
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json
new file mode 100644
index 00000000..c059908c
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Conf",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Confidential Custom Policies",
+ "displayName": "SLZ Confidential Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConfidentialCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json
new file mode 100644
index 00000000..14e2204f
--- /dev/null
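Review bot: The sample query hardcodes the management-group scope `'/providers/Microsoft.Management/managementGroups/mcfs'` in its `has` filter, while every other template in this commit derives the scope from `${varTargetManagementGroupResourceId}`; a deployment under any other management group gets an empty compliance tile and no error. If the tooling that renders `tiles.json` applies the same substitution to dashboard tiles (I cannot see it from this diff), the filter should use that token instead of the literal `mcfs`; otherwise the `subtitle` text is the only place a reader will look, and it should say that `mcfs` must be replaced with the target management group name. The `hasprefix 'dashboard-'` convention for `policyDefinitionGroupNames` is also undocumented here and deserves a sentence in the dashboard docs.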
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Connectivity",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Connectivity Custom Policies",
+ "displayName": "SLZ Connectivity Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConnectivityCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json
new file mode 100644
index 00000000..6ca86432
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Corp",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Corp Custom Policies",
+ "displayName": "SLZ Corp Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzCorpCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json
new file mode 100644
index 00000000..623b08bd
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Decom",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Decommissioned Custom Policies",
+ "displayName": "SLZ Decommissioned Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzDecommissionedCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json
new file mode 100644
index 00000000..323de105
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Global Custom Policies",
+ "displayName": "SLZ Global Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzGlobalCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json
new file mode 100644
index 00000000..bf365c9f
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Identity",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Identity Custom Policies",
+ "displayName": "SLZ Identity Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzIdentityCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json
new file mode 100644
index 00000000..bb327fee
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-Slz-Custom-LZs",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Landing Zones Custom Policies",
+ "displayName": "SLZ Landing Zones Custom Policies",
+ "notScopes": [],
+ "parameters": {
+ "DdosProtectionPlanId": {
+ "value": ""
+ }
+ },
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzLandingZonesCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json
new file mode 100644
index 00000000..97594f19
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Management",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Management Custom Policies",
+ "displayName": "SLZ Management Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzManagementCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json
new file mode 100644
index 00000000..e31e6a92
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Online",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Online Custom Policies",
+ "displayName": "SLZ Online Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzOnlineCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json
new file mode 100644
index 00000000..3a582a35
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Plat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Platform Custom Policies",
+ "displayName": "SLZ Platform Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzPlatformCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json
new file mode 100644
index 00000000..67fea51f
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Sand",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Sandbox Custom Policies",
+ "displayName": "SLZ Sandbox Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}uthorization/policySetDefinitions/SlzSandboxCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/definitions/slzConfidentialCustom.json b/custom/policies/definitions/slzConfidentialCustom.json
new file mode 100644
index 00000000..d69f9aea
--- /dev/null
+++ b/custom/policies/definitions/slzConfidentialCustom.json
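Review bot: `policyDefinitionId` in the sandbox assignment reads `${varTargetManagementGroupResourceId}uthorization/policySetDefinitions/SlzSandboxCustomPolicies`, which is missing the `/providers/Microsoft.A` segment that every other assignment in this change carries; as written it is not a valid resource id, so the assignment deployment should fail rather than silently bind to nothing, but it is a guaranteed failure either way. If the defect is in the source file rather than an artefact of this listing, the line should be `"policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzSandboxCustomPolicies",`, matching the `id` declared in slzSandboxCustom.json. The platform assignment in the first hunk on this line is consistent with the others.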
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Confidential Custom Policies",
+ "description": "SLZ Confidential Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConfidentialCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzConfidentialCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzConnectivityCustom.json b/custom/policies/definitions/slzConnectivityCustom.json
new file mode 100644
index 00000000..05f8117d
--- /dev/null
+++ b/custom/policies/definitions/slzConnectivityCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Connectivity Custom Policies",
+ "description": "SLZ Connectivity Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConnectivityCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzConnectivityCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzCorpCustom.json b/custom/policies/definitions/slzCorpCustom.json
new file mode 100644
index 00000000..099e5bf0
--- /dev/null
+++ b/custom/policies/definitions/slzCorpCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Corp Custom Policies",
+ "description": "SLZ Corp Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzCorpCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzCorpCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzDecommissionedCustom.json b/custom/policies/definitions/slzDecommissionedCustom.json
new file mode 100644
index 00000000..69a3b1a6
--- /dev/null
+++ b/custom/policies/definitions/slzDecommissionedCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Decommissioned Custom Policies",
+ "description": "SLZ Decommissioned Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzDecommissionedCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzDecommissionedCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzGlobalCustom.json b/custom/policies/definitions/slzGlobalCustom.json
new file mode 100644
index 00000000..b98b8ac9
--- /dev/null
+++ b/custom/policies/definitions/slzGlobalCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Global Custom Policies",
+ "description": "SLZ Global Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzGlobalCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzGlobalCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzIdentityCustom.json b/custom/policies/definitions/slzIdentityCustom.json
new file mode 100644
index 00000000..0e2a255b
--- /dev/null
+++ b/custom/policies/definitions/slzIdentityCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Identity Custom Policies",
+ "description": "SLZ Identity Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzIdentityCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzIdentityCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzLandingZoneCustom.json b/custom/policies/definitions/slzLandingZoneCustom.json
new file mode 100644
index 00000000..df8c51bb
--- /dev/null
+++ b/custom/policies/definitions/slzLandingZoneCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Landing Zone Custom Policies",
+ "description": "SLZ Landing Zone Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzLandingZonesCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzLandingZonesCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzManagementCustom.json b/custom/policies/definitions/slzManagementCustom.json
new file mode 100644
index 00000000..39935239
--- /dev/null
+++ b/custom/policies/definitions/slzManagementCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Management Custom Policies",
+ "description": "SLZ Management Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzManagementCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzManagementCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzOnlineCustom.json b/custom/policies/definitions/slzOnlineCustom.json
new file mode 100644
index 00000000..4d12d86e
--- /dev/null
+++ b/custom/policies/definitions/slzOnlineCustom.json
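Review bot: slzLandingZoneCustom.json (first hunk on this line) names its policy set `SlzLandingZonesCustomPolicies` while the file name is singular, the only definition in this change where file name and resource name diverge; the landing-zones assignment targets the plural name so the reference resolves, but any tooling that derives the definition name from the file name will miss this one. Renaming the file to slzLandingZonesCustom.json, or the resource to match the file, keeps the convention the other ten definitions follow. Every set added here ships with `"policyDefinitions": []`, so the SystemAssigned identity on each assignment has no remediation work yet; a sentence in the README saying the identity is reserved for future deployIfNotExists/modify members would save the next reader from wondering whether it is an oversight.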
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Online Custom Policies",
+ "description": "SLZ Online Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzOnlineCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzOnlineCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzPlatformCustom.json b/custom/policies/definitions/slzPlatformCustom.json
new file mode 100644
index 00000000..1afe9461
--- /dev/null
+++ b/custom/policies/definitions/slzPlatformCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Platform Custom Policies",
+ "description": "SLZ Platform Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzPlatformCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzPlatformCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzSandboxCustom.json b/custom/policies/definitions/slzSandboxCustom.json
new file mode 100644
index 00000000..c5bf31a7
--- /dev/null
+++ b/custom/policies/definitions/slzSandboxCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Sandbox Custom Policies",
+ "description": "SLZ Sandbox Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzSandboxCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzSandboxCustomPolicies"
+}
diff --git a/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psd1 b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psd1
new file mode 100644
index 00000000..64921d4d
--- /dev/null
+++ b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psd1
@@ -0,0 +1,142 @@
+#!/usr/bin/pwsh
+
+#
+ # Module manifest for module 'Alz.Classes'
+ #
+ # Generated by: krowlandson
+ #
+ # Generated on: 14/07/2022
+ #
+
+ @{
+
+ # Script module or binary module file associated with this manifest.
+ RootModule = 'Alz.Classes.psm1'
+
+ # Version number of this module.
+ ModuleVersion = '1.0.0'
+
+ # Supported PSEditions
+ CompatiblePSEditions = 'Core', 'Desktop'
+
+ # ID used to uniquely identify this module
+ GUID = '14f47ea8-53df-4b13-b7b4-73ecda225c0a'
+
+ # Author of this module
+ Author = 'krowlandson'
+
+ # Company or vendor of this module
+ CompanyName = 'Microsoft Ltd'
+
+ # Copyright statement for this module
+ Copyright = 'Copyright (c) 2022 Microsoft Ltd. All rights reserved.'
+
+ # Description of the functionality provided by this module
+ Description = 'This module provides a set of custom classes used for managing the Azure landing zones code base.'
+
+ # Minimum version of the PowerShell engine required by this module
+ PowerShellVersion = '7.0'
+
+ # Name of the PowerShell host required by this module
+ # PowerShellHostName = ''
+
+ # Minimum version of the PowerShell host required by this module
+ # PowerShellHostVersion = ''
+
+ # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+ # DotNetFrameworkVersion = ''
+
+ # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+ # ClrVersion = ''
+
+ # Processor architecture (None, X86, Amd64) required by this module
+ # ProcessorArchitecture = ''
+
+ # Modules that must be imported into the global environment prior to importing this module
+ RequiredModules = @(
+ @{
+ ModuleName = 'Az.Accounts'
+ ModuleVersion = '2.2.3'
+ }
+ )
+
+ # Assemblies that must be loaded prior to importing this module
+ # RequiredAssemblies = @()
+
+ # Script files (.ps1) that are run in the caller's environment prior to importing this module.
+ # ScriptsToProcess = @()
+
+ # Type files (.ps1xml) to be loaded when importing this module
+ # TypesToProcess = @()
+
+ # Format files (.ps1xml) to be loaded when importing this module
+ # FormatsToProcess = @()
+
+ # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+ # NestedModules = @()
+
+ # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+ FunctionsToExport = @()
+
+ # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
+ CmdletsToExport = @()
+
+ # Variables to export from this module
+ VariablesToExport = '*'
+
+ # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
+ AliasesToExport = @()
+
+ # DSC resources to export from this module
+ # DscResourcesToExport = @()
+
+ # List of all modules packaged with this module
+ # ModuleList = @()
+
+ # List of all files packaged with this module
+ FileList = @(
+ 'Alz.Classes.psd1'
+ 'Alz.Classes.psm1'
+ )
+
+ # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+ PrivateData = @{
+
+ PSData = @{
+
+ # Tags applied to this module. These help with module discovery in online galleries.
+ # Tags = @()
+
+ # A URL to the license for this module.
+ # LicenseUri = ''
+
+ # A URL to the main website for this project.
+ # ProjectUri = ''
+
+ # A URL to an icon representing this module.
+ # IconUri = ''
+
+ # ReleaseNotes of this module
+ # ReleaseNotes = ''
+
+ # Prerelease string of this module
+ # Prerelease = ''
+
+ # Flag to indicate whether the module requires explicit user acceptance for install/update/save
+ # RequireLicenseAcceptance = $false
+
+ # External dependent modules of this module
+ # ExternalModuleDependencies = @()
+
+ } # End of PSData hashtable
+
+ } # End of PrivateData hashtable
+
+ # HelpInfo URI of this module
+ # HelpInfoURI = ''
+
+ # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+ # DefaultCommandPrefix = ''
+
+}
+
diff --git a/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psm1 b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psm1
new file mode 100644
index 00000000..d30a62a2
--- /dev/null
+++ b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psm1
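Review bot: `RequiredModules` declares `Az.Accounts` with `ModuleVersion = '2.2.3'`, which in a manifest hashtable is a minimum bound, so any newer Az.Accounts present on the host satisfies the dependency; for a module whose companion Alz.Classes.psm1 calls `Invoke-AzRestMethod` against the tenant, the accepted version range is a supply-chain and reproducibility decision worth making explicitly. If a floor is intended, adding `MaximumVersion` bounds the range; if a reproducible toolchain is intended, `RequiredVersion` pins it exactly. `VariablesToExport = '*'` also contradicts the manifest's own no-wildcards guidance on the export entries above it and publishes every module-scope variable into the caller's session; an explicit list, or `@()` if nothing is meant to be exported, is the safer default.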
@@ -0,0 +1,584 @@ +#!/usr/bin/pwsh + +using module "../Alz.Enums/" + +############################# +# ProviderApiVersions Class # +############################# + +# [ProviderApiVersions] class is used to create cache of latest API versions for all Azure Providers. +# This can be used to retrieve the latest or stable API version in string format. +# Can also output the API version as a param string for use within a Rest API request. +# To minimise the number of Rest API requests needed, this class creates a cache and populates. +# it with all results from the request. The cache is then used to return the requested result. +# Need to store and lookup the key in lowercase to avoid case sensitivity issues while providing +# better performance as allows using ContainsKey method to search for key in cache. +# Should be safe to ignore case as Providers are not case sensitive. +class ProviderApiVersions { + + # Public class properties + [String]$Provider + [String]$ResourceType + [String]$Type + [Array]$ApiVersions + + # Static properties + hidden static [String]$ProvidersApiVersion = "2020-06-01" + + # Default empty constructor + ProviderApiVersions() { + } + + # Default constructor using PSCustomObject to populate object + ProviderApiVersions([PSCustomObject]$PSCustomObject) { + $this.Provider = $PSCustomObject.Provider + $this.ResourceType = $PSCustomObject.ResourceType + $this.Type = $PSCustomObject.Type + $this.ApiVersions = $PSCustomObject.ApiVersions + } + + # Static method to get Api Version using Type + static [Array] GetByType([String]$Type) { + if ([ProviderApiVersions]::Cache.Count -lt 1) { + [ProviderApiVersions]::UpdateCache() + } + $private:ProviderApiVersionsFromCache = [ProviderApiVersions]::SearchCache($Type) + return $private:ProviderApiVersionsFromCache.ApiVersions + } + + # Static method to get latest Api Version using Type + static [String] GetLatestByType([String]$Type) { + $private:GetLatestByType = [ProviderApiVersions]::GetByType($Type) | + 
Sort-Object -Descending | + Select-Object -First 1 + return $private:GetLatestByType + } + + # Static method to get latest stable Api Version using Type + # If no stable release, will return latest + static [String] GetLatestStableByType([String]$Type) { + $private:GetByType = [ProviderApiVersions]::GetByType($Type) + $private:GetLatestStableByType = $private:GetByType | + Where-Object { $_ -Match "^[0-9-]{10}$" } | + Sort-Object -Descending | + Select-Object -First 1 + if ($private:GetLatestStableByType) { + return $private:GetLatestStableByType.ToString() + } + else { + return [ProviderApiVersions]::GetLatestByType($Type).ToString() + } + } + + static [String[]] ListTypes() { + if ([ProviderApiVersions]::Cache.Count -lt 1) { + [ProviderApiVersions]::UpdateCache() + } + $private:ShowCacheTypes = [ProviderApiVersions]::ShowCache().Type | Sort-Object + return $private:ShowCacheTypes + } + + # Static property to store cache of ProviderApiVersions using a threadsafe + # dictionary variable to allow caching across parallel jobs + # https://docs.microsoft.com/powershell/module/microsoft.powershell.core/foreach-object#example-14--using-thread-safe-variable-references + static [System.Collections.Concurrent.ConcurrentDictionary[String, ProviderApiVersions]]$Cache + + # Static method to show all entries in Cache + static [ProviderApiVersions[]] ShowCache() { + return ([ProviderApiVersions]::Cache).Values + } + + # Static method to show all entries in Cache matching the specified type using the specified release type + static [ProviderApiVersions[]] SearchCache([String]$Type) { + return [ProviderApiVersions]::Cache[$Type.ToString().ToLower()] + } + + # Static method to return [Boolean] for Resource Type in Cache query using the specified release type + static [Boolean] InCache([String]$Type) { + if ([ProviderApiVersions]::Cache) { + $private:CacheKeyLowercase = $Type.ToString().ToLower() + $private:InCache = 
([ProviderApiVersions]::Cache).ContainsKey($private:CacheKeyLowercase) + if ($private:InCache) { + Write-Verbose "[ProviderApiVersions] Resource Type found in Cache [$Type]" + } + else { + Write-Verbose "[ProviderApiVersions] Resource Type not found in Cache [$Type]" + } + return $private:InCache + } + else { + # The following prevents needing to initialize the cache + # manually if not exist on first attempt to use + [ProviderApiVersions]::InitializeCache() + return $false + } + } + + # Static method to update Cache using current Subscription from context + static [Void] UpdateCache() { + $private:SubscriptionId = (Get-AzContext).Subscription.Id + [ProviderApiVersions]::UpdateCache($private:SubscriptionId) + } + + # Static method to update Cache using specified SubscriptionId + static [Void] UpdateCache([String]$SubscriptionId) { + $private:Method = "GET" + $private:Path = "/subscriptions/$subscriptionId/providers?api-version=$([ProviderApiVersions]::ProvidersApiVersion)" + $private:PSHttpResponse = Invoke-AzRestMethod -Method $private:Method -Path $private:Path + $private:PSHttpResponseContent = $private:PSHttpResponse.Content + $private:Providers = ($private:PSHttpResponseContent | ConvertFrom-Json).value + if ($private:Providers) { + [ProviderApiVersions]::InitializeCache() + } + foreach ($private:Provider in $private:Providers) { + Write-Verbose "[ProviderApiVersions] Processing Provider Namespace [$($private:Provider.namespace)]" + foreach ($private:Type in $private:Provider.resourceTypes) { + # Check for latest ApiVersions and add to cache + [ProviderApiVersions]::AddToCache( + $private:Provider.namespace.ToString(), + $private:Type.resourceType.ToString(), + $private:Type.ApiVersions + ) + } + } + } + + # Static method to add provider instance to Cache + hidden static [Void] AddToCache([String]$Provider, [String]$ResourceType, [Array]$ApiVersions) { + Write-Debug "[ProviderApiVersions] Adding [$($Provider)/$($ResourceType)] to Cache" + 
$private:AzStateProviderObject = [PsCustomObject]@{ + Provider = "$Provider" + ResourceType = "$ResourceType" + Type = "$Provider/$ResourceType" + ApiVersions = $ApiVersions + } + $private:CacheKey = "$Provider/$ResourceType" + $private:CacheKeyLowercase = $private:CacheKey.ToString().ToLower() + $private:CacheValue = [ProviderApiVersions]::new($private:AzStateProviderObject) + $private:TryAdd = ([ProviderApiVersions]::Cache).TryAdd($private:CacheKeyLowercase, $private:CacheValue) + if ($private:TryAdd) { + Write-Verbose "[ProviderApiVersions] Added Resource Type to Cache [$private:CacheKey]" + } + } + + # Static method to initialize Cache + # Will also reset cache if exists + static [Void] InitializeCache() { + Write-Verbose "[ProviderApiVersions] Initializing Cache (Empty)" + [ProviderApiVersions]::Cache = [System.Collections.Concurrent.ConcurrentDictionary[String, ProviderApiVersions]]::new() + } + + # Static method to clear all entries from Cache + static [Void] ClearCache() { + [ProviderApiVersions]::InitializeCache() + } + + # Static method to save all entries from Cache to filesystem + static [Void] SaveCacheToDirectory() { + [ProviderApiVersions]::SaveCacheToDirectory("./") + } + + # Static method to save all entries from Cache to filesystem + static [Void] SaveCacheToDirectory([String]$Directory) { + if ([ProviderApiVersions]::Cache.Count -lt 1) { + [ProviderApiVersions]::UpdateCache() + } + $private:saveCachePath = "$Directory/ProviderApiVersions" + [ProviderApiVersions]::Cache | + ConvertTo-Json -Depth 10 -Compress | + Out-File -FilePath "$($private:saveCachePath).json" ` + -Force + try { + Compress-Archive -Path "$($private:saveCachePath).json" ` + -DestinationPath "$($private:saveCachePath).zip" ` + -Force + } + finally { + Remove-Item -Path "$($private:saveCachePath).json" ` + -Force + } + } + + # Static method to load all entries from filesystem to Cache + static [Void] LoadCacheFromDirectory() { + [ProviderApiVersions]::LoadCacheFromDirectory("./") 
+ } + + # Static method to load all entries from filesystem to Cache + static [Void] LoadCacheFromDirectory([String]$Directory) { + [ProviderApiVersions]::ClearCache() + $private:loadCachePath = "$Directory/ProviderApiVersions" + Expand-Archive -Path "$($private:loadCachePath).zip" ` + -DestinationPath "$Directory" ` + -Force + try { + $private:loadCacheObject = Get-Content ` + -Path "$($private:loadCachePath).json" ` + -Force | + ConvertFrom-Json + foreach ($key in $private:loadCacheObject.psobject.Properties.Name) { + $private:value = $private:loadCacheObject."$key" + ([ProviderApiVersions]::Cache).TryAdd($key, $private:value) + } + } + catch { + Write-Error $_.Exception.Message + } + finally { + Remove-Item -Path "$($private:loadCachePath).json" ` + -Force + } + } + +} + +############### +# ALZ Classes # +############### + +# The ALZ classes are used to create resource objects with consistent +# formatting for all Azure resources handled by the ALZ Tools module. + +class ALZBase : System.Collections.Specialized.OrderedDictionary { + + ALZBase(): base() {} + + [String] ToString() { + if ($this.GetType() -notin "String", "Boolean", "Int") { + return $this | ConvertTo-Json -Depth 1 -WarningAction SilentlyContinue | ConvertFrom-Json + } + else { + return $this + } + } + +} + +class PolicyAssignmentProperties : ALZBase { + [String]$displayName = "" + [Object]$policyDefinitionId = "" + [String]$scope = "" + [String[]]$notScopes = @() + [Object]$parameters = @{} + [String]$description = "" + [Object]$metadata = @{} + [String]$enforcementMode = "Default" + + PolicyAssignmentProperties(): base() {} + + PolicyAssignmentProperties([Object]$that): base() { + $this.displayName = $that.displayName + $this.policyDefinitionId = $that.policyDefinitionId + $this.scope = $that.scope + $this.notScopes = $that.notScopes ?? $this.notScopes + $this.parameters = $that.parameters ?? $this.parameters + $this.description = $that.description ?? 
$that.displayName + $this.metadata = $that.metadata ?? $this.metadata + $this.enforcementMode = ([PolicyAssignmentPropertiesEnforcementMode]($that.enforcementMode ?? $this.enforcementMode)).ToString() + } + +} + +class PolicyAssignmentIdentity : ALZBase { + [String]$type = "None" + + PolicyAssignmentIdentity(): base() {} + + PolicyAssignmentIdentity([Object]$that): base() { + $this.type = ([PolicyAssignmentIdentityType]($that.type ?? $this.type)).ToString() + } + +} + +class PolicyDefinitionProperties : ALZBase { + [String]$policyType = "NotSpecified" + [String]$mode = "" + [String]$displayName = "" + [String]$description = "" + [Object]$metadata = @{} + [Object]$parameters = @{} + [Object]$policyRule = @{} + + PolicyDefinitionProperties(): base() {} + + PolicyDefinitionProperties([Object]$that): base() { + $this.policyType = ([PolicySetDefinitionPropertiesPolicyType]($that.policyType ?? $this.policyType)).ToString() + $this.mode = ([PolicyDefinitionPropertiesMode]($that.mode)).ToString() + $this.displayName = $that.displayName + $this.description = $that.description ?? $that.displayName + $this.metadata = $that.metadata ?? $this.metadata + $this.parameters = $that.parameters ?? $this.parameters + $this.policyRule = $that.policyRule + } + +} + +class PolicySetDefinitionPropertiesPolicyDefinitions : ALZBase { + [String]$policyDefinitionReferenceId = "" + [String]$policyDefinitionId = "" + [Object]$parameters = @{} + [Array]$groupNames = @() + + PolicySetDefinitionPropertiesPolicyDefinitions(): base() {} + + PolicySetDefinitionPropertiesPolicyDefinitions([Object]$that): base() { + $this.policyDefinitionReferenceId = $that.policyDefinitionReferenceId + $this.policyDefinitionId = $that.policyDefinitionId + $this.parameters = $that.parameters ?? $this.parameters + $this.groupNames = $that.groupNames ?? 
$this.groupNames + } + +} + +class PolicySetDefinitionPropertiesPolicyDefinitionGroup : ALZBase { + [String]$name = "" + [String]$displayName = "" + [String]$category = "" + [String]$description = "" + [String]$additionalMetadataId = "" + + PolicySetDefinitionPropertiesPolicyDefinitionGroup(): base() {} + + PolicySetDefinitionPropertiesPolicyDefinitionGroup([Object]$that): base() { + $this.name = $that.name + $this.displayName = $that.displayName + $this.category = $that.category + $this.description = $that.description + $this.additionalMetadataId = $that.additionalMetadataId + } + +} + +class PolicySetDefinitionProperties : ALZBase { + [String]$policyType = "NotSpecified" + [String]$displayName = "" + [String]$description = "" + [Object]$metadata = @{} + [Object]$parameters = @{} + [Array]$policyDefinitions = @() + [Array]$policyDefinitionGroups = $null + + PolicySetDefinitionProperties(): base() {} + + PolicySetDefinitionProperties([Object]$that): base() { + $this.policyType = ([PolicySetDefinitionPropertiesPolicyType]($that.policyType ?? $this.policyType)).ToString() + $this.displayName = $that.displayName ?? "" + $this.description = $that.description ?? $that.displayName + $this.metadata = $that.metadata ?? $this.metadata + $this.parameters = $that.parameters ?? 
$this.parameters + $this.policyDefinitions = foreach ($policyDefinition in $that.policyDefinitions) { + [PolicySetDefinitionPropertiesPolicyDefinitions]::new($policyDefinition) + } + $this.policyDefinitionGroups = foreach ($policyDefinitionGroup in $that.policyDefinitionGroups) { + [PolicySetDefinitionPropertiesPolicyDefinitionGroup]::new($that.policyDefinitionGroups) + } + } + +} + +class RoleAssignmentProperties : ALZBase { + RoleAssignmentProperties(): base() {} +} + +class RoleDefinitionPropertiesPermissions { + [String[]]$actions = @() + [String[]]$notActions = @() + [String[]]$dataActions = @() + [String[]]$notDataActions = @() + + RoleDefinitionPropertiesPermissions(): base() {} + + RoleDefinitionPropertiesPermissions([Object]$that): base() { + $this.actions = $that.actions ?? $this.actions + $this.notActions = $that.notActions ?? $that.notActions + $this.dataActions = $that.dataActions ?? $this.dataActions + $this.notDataActions = $that.notDataActions ?? $this.notDataActions + } + +} + +class RoleDefinitionProperties : ALZBase { + [String]$roleName = "" + [String]$description = "" + [String]$type = "customRole" + [Array]$permissions = @() + [Array]$assignableScopes = @() + + RoleDefinitionProperties(): base() {} + + RoleDefinitionProperties([Object]$that): base() { + $this.roleName = $that.roleName + $this.description = $that.description ?? $that.roleName + $this.type = $that.type ?? $this.type + $this.permissions = @( + [PolicyAssignmentIdentity]::new($that.permissions[0]) + ) + $this.assignableScopes = $that.assignableScopes ?? 
$this.assignableScopes + } + +} + +class ArmTemplateResource : ALZBase { + + # Public class properties + # Need to declare base object properties with default values to set order + [String]$name = "" + [String]$type = "" + [String]$apiVersion = "" + [Object]$scope = $null # Needs to be declared as object to avoid null returning empty string in JSON output + [Object]$properties = @{} + + # Hidden static class properties + hidden static [GetFileNameCaseModifier]$GetFileNameCaseModifier = "ToLower" # Default to make lowercase + hidden static [Regex]$regexReplaceFileNameCharacters = "\W" # Default to replace all non word characters + hidden static [String]$GetFileNameSubstituteCharacter = "_" + hidden static [Regex]$regexExtractProviderId = "\/providers\/(?!.*\/providers\/)[\/\w-.]+" + + ArmTemplateResource(): base() {} + + ArmTemplateResource([PSCustomObject]$that): base() { + $this.name = $that.name + $this.type = $that.ResourceType ?? $that.type + $this.apiVersion = $that.apiVersion + $this.scope = if ($that.scope.Length -gt 0) { $that.scope } else { $null } + $this.properties = $that.properties + } + + # Initialize [ArmTemplateResource] object + [Void] SetApiVersion([String]$ResourceType) { + $this.apiVersion = [ProviderApiVersions]::GetLatestStableByType($ResourceType) + } + + # String modifier for template languages + static [String] ConvertToTemplateVariable([String]$Variable, [ExportFormat]$ExportFormat) { + $TemplateVariable = "$Variable" + Switch ($ExportFormat) { + "Jinja2" { $TemplateVariable = "{{ $Variable }}" } + "Terraform" { $TemplateVariable = "`${$Variable}" } + Default { $TemplateVariable = "$Variable" } + } + return $TemplateVariable + } + + # Update resource values as per requirements for export format + [Object] Format([ExportFormat]$ExportFormat) { + if ($this.type -eq "Microsoft.Authorization/policyAssignments") { + $this.properties.scope = [ArmTemplateResource]::ConvertToTemplateVariable("current_scope_resource_id", $ExportFormat) + 
$this.properties.policyDefinitionId = [ArmTemplateResource]::ConvertToTemplateVariable("root_scope_resource_id", $ExportFormat) + $this.location = [ArmTemplateResource]::ConvertToTemplateVariable("default_location", $ExportFormat) + } + if ($this.type -eq "Microsoft.Authorization/policyDefinitions") { + $this.properties.policyType = "Custom" + } + if ($this.type -eq "Microsoft.Authorization/policySetDefinitions") { + $this.properties.policyType = "Custom" + foreach ($policyDefinition in $this.properties.policyDefinitions) { + $regexMatches = [ArmTemplateResource]::regexExtractProviderId.Matches($policyDefinition.policyDefinitionId) + $policyDefinitionId = switch ($ExportFormat) { + "ArmResource" { "/providers/Microsoft.Management/managementGroups/contoso$($regexMatches.Value)" } + "ArmVariable" { "[concat(variables('scope'), '$($regexMatches.Value)')]" } + "Bicep" { "`${varTargetManagementGroupResourceId}$($regexMatches.Value)" } + "Raw" { "$($policyDefinition.policyDefinitionId)" } + "Jinja2" { "$([ArmTemplateResource]::ConvertToTemplateVariable("root_scope_resource_id", $ExportFormat))$($regexMatches.Value)" } + "Terraform" { "$([ArmTemplateResource]::ConvertToTemplateVariable("root_scope_resource_id", $ExportFormat))$($regexMatches.Value)" } + Default { "$($policyDefinition.policyDefinitionId)" } + } + if ($regexMatches.Index -gt 0) { + $policyDefinition.policyDefinitionId = "$policyDefinitionId" + } + else { + $policyDefinition.policyDefinitionId = $regexMatches.Value + } + } + } + return $this + } + + [String] GetFileName() { + $fileName = $this.GetFileName("", ".json", "Raw") + return $fileName + } + + [String] GetFileName([String]$Prefix, [String]$Suffix, [ExportFormat]$ExportFormat) { + $fileName = "$($this.name)" + if ($ExportFormat -eq "Terraform") { + # Perform character substitution + $fileName = [ArmTemplateResource]::regexReplaceFileNameCharacters.Replace($fileName, [ArmTemplateResource]::GetFileNameSubstituteCharacter) + # Modify case + $fileName = 
$fileName.$([ArmTemplateResource]::GetFileNameCaseModifier)() + } + $fileName = $Prefix + $fileName + $Suffix + return $fileName + } + +} + +class PolicyAssignment : ArmTemplateResource { + + # Need to re-declare base object properties with default values to maintain order + [String]$name = "" + [String]$type = "" + [String]$apiVersion = "" + [String]$scope = "" + [Object]$properties = @{} + [String]$location = "" + [Object]$identity = @{} + + PolicyAssignment(): base() {} + + PolicyAssignment([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/policyAssignments" + $this.SetApiVersion($this.type) + $this.location = $that.location + $this.identity = [PolicyAssignmentIdentity]::new($that.identity) + $this.properties = [PolicyAssignmentProperties]::new($this.properties) + } + +} + +class PolicyDefinition : ArmTemplateResource { + + PolicyDefinition(): base() {} + + PolicyDefinition([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/policyDefinitions" + $this.SetApiVersion($this.type) + $this.properties = [PolicyDefinitionProperties]::new($this.properties) + } + +} + +class PolicySetDefinition : ArmTemplateResource { + + PolicySetDefinition(): base() {} + + PolicySetDefinition([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/policySetDefinitions" + $this.SetApiVersion($this.type) + $this.properties = [PolicySetDefinitionProperties]::new($this.properties) + } + +} + +class RoleAssignment : ArmTemplateResource { + + RoleAssignment(): base() {} + + RoleAssignment([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/roleAssignments" + $this.SetApiVersion($this.type) + $this.properties = [RoleAssignmentProperties]::new($this.properties) + } +} + +class RoleDefinition : ArmTemplateResource { + + RoleDefinition(): base() {} + + RoleDefinition([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/roleDefinitions" + $this.SetApiVersion($this.type) + 
$this.properties = [RoleDefinitionProperties]::new($this.properties) + } + +} diff --git a/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psd1 b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psd1 new file mode 100644 index 00000000..73ce8162 --- /dev/null +++ b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psd1 
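Review bot: `RoleDefinitionProperties`' copy constructor sets `$this.permissions = @([PolicyAssignmentIdentity]::new($that.permissions[0]))`, which both constructs the wrong class (a role permission block is not an assignment identity, so `actions`/`notActions`/`dataActions`/`notDataActions` are discarded and replaced by `type = "None"`) and keeps only the first permissions entry, so any custom role definition exported through this class loses its permission set. It should build one `RoleDefinitionPropertiesPermissions` per entry, e.g. `$this.permissions = @(foreach ($permission in $that.permissions) { [RoleDefinitionPropertiesPermissions]::new($permission) })`, mirroring how `PolicySetDefinitionProperties` builds `policyDefinitions`. That neighbouring loop has its own slip: the `policyDefinitionGroups` branch passes `$that.policyDefinitionGroups` (the whole array) to the constructor instead of the loop variable `$policyDefinitionGroup`. Two smaller ones in the same hunk: `RoleDefinitionPropertiesPermissions` has `$that.notActions ?? $that.notActions` where the fallback should be `$this.notActions`, and `ArmTemplateResource.Format` assigns `$this.location`, a property only `PolicyAssignment` declares, which presumably works because `ALZBase` derives from `OrderedDictionary` but is worth confirming with a policy-definition input.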
@@ -0,0 +1,137 @@ +#!/usr/bin/pwsh + +# +# Module manifest for module 'Alz.Enums' +# +# Generated by: krowlandson +# +# Generated on: 14/07/2022 +# + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'Alz.Enums.psm1' + + # Version number of this module. + ModuleVersion = '1.0.0' + + # Supported PSEditions + CompatiblePSEditions = 'Core', 'Desktop' + + # ID used to uniquely identify this module + GUID = 'bccc040b-857d-4ae8-bebf-31dd454e4855' + + # Author of this module + Author = 'krowlandson' + + # Company or vendor of this module + CompanyName = 'Microsoft Ltd' + + # Copyright statement for this module + Copyright = 'Copyright (c) 2022 Microsoft Ltd. All rights reserved.' + + # Description of the functionality provided by this module + Description = 'This module provides a set of custom enums used for managing the Azure landing zones code base.' + + # Minimum version of the PowerShell engine required by this module + PowerShellVersion = '7.0' + + # Name of the PowerShell host required by this module + # PowerShellHostName = '' + + # Minimum version of the PowerShell host required by this module + # PowerShellHostVersion = '' + + # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # DotNetFrameworkVersion = '' + + # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # ClrVersion = '' + + # Processor architecture (None, X86, Amd64) required by this module + # ProcessorArchitecture = '' + + # Modules that must be imported into the global environment prior to importing this module + # RequiredModules = @() + + # Assemblies that must be loaded prior to importing this module + # RequiredAssemblies = @() + + # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
+ # ScriptsToProcess = @() + + # Type files (.ps1xml) to be loaded when importing this module + # TypesToProcess = @() + + # Format files (.ps1xml) to be loaded when importing this module + # FormatsToProcess = @() + + # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess + # NestedModules = @() + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = @() + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. + CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # DSC resources to export from this module + # DscResourcesToExport = @() + + # List of all modules packaged with this module + # ModuleList = @() + + # List of all files packaged with this module + FileList = @( + 'Alz.Enums.psd1' + 'Alz.Enums.psm1' + ) + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. These help with module discovery in online galleries. + # Tags = @() + + # A URL to the license for this module. + # LicenseUri = '' + + # A URL to the main website for this project. + # ProjectUri = '' + + # A URL to an icon representing this module. 
+ # IconUri = ''
+
+ # ReleaseNotes of this module
+ # ReleaseNotes = ''
+
+ # Prerelease string of this module
+ # Prerelease = ''
+
+ # Flag to indicate whether the module requires explicit user acceptance for install/update/save
+ # RequireLicenseAcceptance = $false
+
+ # External dependent modules of this module
+ # ExternalModuleDependencies = @()
+
+ } # End of PSData hashtable
+
+ } # End of PrivateData hashtable
+
+ # HelpInfo URI of this module
+ # HelpInfoURI = ''
+
+ # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+ # DefaultCommandPrefix = ''
+
+}
+
diff --git a/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psm1 b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psm1
new file mode 100644
index 00000000..0343b3c2
--- /dev/null
+++ b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psm1
@@ -0,0 +1,48 @@
+#!/usr/bin/pwsh
+
+############################################
+# Custom enum data sets used within module #
+############################################
+
+enum PolicyDefinitionPropertiesMode {
+ All
+ Indexed
+}
+
+enum PolicyAssignmentPropertiesEnforcementMode {
+ Default
+ DoNotEnforce
+}
+
+enum PolicyAssignmentIdentityType {
+ None
+ SystemAssigned
+}
+
+enum PolicySetDefinitionPropertiesPolicyType {
+ NotSpecified
+ BuiltIn
+ Custom
+ Static
+}
+
+enum GetFileNameCaseModifier {
+ ToString
+ ToLower
+ ToUpper
+}
+
+enum LineEndingTypes {
+ Darwin
+ Unix
+ Win
+}
+
+enum ExportFormat {
+ ArmResource
+ ArmVariable
+ Raw
+ Jinja2
+ Terraform
+ Bicep
+}
diff --git a/dependencies/Alz.Tools/Alz.Tools.psd1 b/dependencies/Alz.Tools/Alz.Tools.psd1
new file mode 100644
index 00000000..b08678bc
--- /dev/null
+++ b/dependencies/Alz.Tools/Alz.Tools.psd1
@@ -0,0 +1,172 @@ +#!/usr/bin/pwsh + +# +# Module manifest for module 'Alz.Tools' +# +# Generated by: krowlandson +# +# Generated on: 14/07/2022 +# + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'Alz.Tools.psm1' + + # Version number of this module. + ModuleVersion = '1.0.0' + + # Supported PSEditions + CompatiblePSEditions = 'Core', 'Desktop' + + # ID used to uniquely identify this module + GUID = '2c90f23f-c69e-4819-81be-cf67450c2e39' + + # Author of this module + Author = 'krowlandson' + + # Company or vendor of this module + CompanyName = 'Microsoft Ltd' + + # Copyright statement for this module + Copyright = 'Copyright (c) 2022 Microsoft Ltd. All rights reserved.' + + # Description of the functionality provided by this module + Description = 'This module provides a set of functions used for managing the Azure landing zones code base.' + + # Minimum version of the PowerShell engine required by this module + PowerShellVersion = '7.0' + + # Name of the PowerShell host required by this module + # PowerShellHostName = '' + + # Minimum version of the PowerShell host required by this module + # PowerShellHostVersion = '' + + # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # DotNetFrameworkVersion = '' + + # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 
+ # ClrVersion = '' + + # Processor architecture (None, X86, Amd64) required by this module + # ProcessorArchitecture = '' + + # Modules that must be imported into the global environment prior to importing this module + RequiredModules = @( + @{ + ModuleName = 'Az.Accounts' + ModuleVersion = '2.9.0' + } + @{ + ModuleName = 'Az.Resources' + ModuleVersion = '5.6.0' + } + ) + + # Assemblies that must be loaded prior to importing this module + # RequiredAssemblies = @() + + # Script files (.ps1) that are run in the caller's environment prior to importing this module. + # ScriptsToProcess = @() + + # Type files (.ps1xml) to be loaded when importing this module + # TypesToProcess = @() + + # Format files (.ps1xml) to be loaded when importing this module + # FormatsToProcess = @() + + # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess + NestedModules = @( + @{ModuleName = 'Alz.Enums/Alz.Enums'; ModuleVersion = '1.0.0'; GUID = 'bccc040b-857d-4ae8-bebf-31dd454e4855' } + @{ModuleName = 'Alz.Classes/Alz.Classes'; ModuleVersion = '1.0.0'; GUID = '14f47ea8-53df-4b13-b7b4-73ecda225c0a' } + ) + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = @( + 'Add-Escaping' + 'ConvertTo-ArmTemplateResource' + 'ConvertTo-LibraryArtifact' + 'Edit-LineEndings' + 'Export-LibraryArtifact' + 'Invoke-RemoveDeploymentByPattern' + 'Invoke-RemoveMgHierarchy' + 'Invoke-RemoveOrphanedRoleAssignment' + 'Invoke-RemoveRsgByPattern' + 'Invoke-UpdateCacheInModule' + 'Invoke-UseCacheFromModule' + 'Set-AzureSubscriptionAlias' + 'Remove-Escaping' + ) + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. 
+ CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # DSC resources to export from this module + # DscResourcesToExport = @() + + # List of all modules packaged with this module + ModuleList = @( + 'Alz.Enums' + 'Alz.Classes' + ) + + # List of all files packaged with this module + FileList = @( + 'Alz.Enums/Alz.Enum.psd1' + 'Alz.Enums/Alz.Enum.psm1' + 'Alz.Classes/Alz.Classes.psd1' + 'Alz.Classes/Alz.Classes.psm1' + 'functions/Alz.Tools.ps1' + 'scripts/Update-ProviderApiVersionsZip.ps1' + 'Alz.Tools.psd1' + 'Alz.Tools.psm1' + ) + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. These help with module discovery in online galleries. + # Tags = @() + + # A URL to the license for this module. + # LicenseUri = '' + + # A URL to the main website for this project. + # ProjectUri = '' + + # A URL to an icon representing this module. + # IconUri = '' + + # ReleaseNotes of this module + # ReleaseNotes = '' + + # Prerelease string of this module + # Prerelease = '' + + # Flag to indicate whether the module requires explicit user acceptance for install/update/save + # RequireLicenseAcceptance = $false + + # External dependent modules of this module + # ExternalModuleDependencies = @() + + } # End of PSData hashtable + + } # End of PrivateData hashtable + + # HelpInfo URI of this module + # HelpInfoURI = '' + + # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. + # DefaultCommandPrefix = '' + +} + 
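Review bot: `FileList` names `Alz.Enums/Alz.Enum.psd1` and `Alz.Enums/Alz.Enum.psm1`, but the files this diff adds (and the `NestedModules` entry just above) are `Alz.Enums/Alz.Enums.psd1` and `Alz.Enums/Alz.Enums.psm1`; the entries should read `'Alz.Enums/Alz.Enums.psd1'` and `'Alz.Enums/Alz.Enums.psm1'`. Separately, `ModuleVersion` inside `RequiredModules` is a minimum, not a pin, so any newer Az.Accounts/Az.Resources satisfies it; if this module is consumed from CI, consider `RequiredVersion` (or adding `MaximumVersion`) so the dependency set is reproducible and an unexpected upstream release cannot be pulled in silently. `VariablesToExport = '*'` will presumably also export every module-scope variable that the dot-sourced `functions/Alz.Tools.ps1` defines (`$jsonDepth`, `$allowedResourceTypes`, the regex values) into the importing session; an explicit list, or `@()`, is the usual choice and keeps the manifest statically analysable.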
diff --git a/dependencies/Alz.Tools/Alz.Tools.psm1 b/dependencies/Alz.Tools/Alz.Tools.psm1
new file mode 100644
index 00000000..8a301800
--- /dev/null
+++ b/dependencies/Alz.Tools/Alz.Tools.psm1
@@ -0,0 +1,23 @@
+#!/usr/bin/pwsh
+
+$ErrorActionPreference = "Stop"
+# Set-StrictMode -Version 3.0
+
+###########################
+# Import module functions #
+###########################
+
+# Dot source all functions located in the module
+# Excludes tests and profiles
+
+$functions = @()
+$functions += Get-ChildItem -Path $PSScriptRoot\functions\*.ps1 -Exclude *.tests.ps1, *profile.ps1 -ErrorAction SilentlyContinue
+$functions.foreach({
+ try {
+ Write-Verbose "Dot sourcing [$($_.FullName)]"
+ . $_.FullName
+ }
+ catch {
+ throw "Unable to dot source [$($_.FullName)]"
+ }
+})
diff --git a/dependencies/Alz.Tools/ProviderApiVersions.zip b/dependencies/Alz.Tools/ProviderApiVersions.zip
new file mode 100644
index 00000000..4ed67954
Binary files /dev/null and b/dependencies/Alz.Tools/ProviderApiVersions.zip differ
diff --git a/dependencies/Alz.Tools/functions/Alz.Tools.ps1 b/dependencies/Alz.Tools/functions/Alz.Tools.ps1
new file mode 100644
index 00000000..8198aebd
--- /dev/null
+++ b/dependencies/Alz.Tools/functions/Alz.Tools.ps1
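Review bot: Inside the `catch` block `$_` is the ErrorRecord, not the file being iterated, so `$_.FullName` is empty and the rethrow reads `Unable to dot source []` while the underlying exception (the actual parse or load error) is discarded. Capture the file before the `try` and surface the inner message: `$file = $_` at the top of the script block, then `throw "Unable to dot source [$($file.FullName)]: $($_.Exception.Message)"`. Also, `-ErrorAction SilentlyContinue` on `Get-ChildItem` means a missing or misnamed `functions` directory imports an empty module with no error, even though the manifest exports thirteen functions from that file; consider failing loudly with `if ($functions.Count -eq 0) { throw "No function files found under $PSScriptRoot\functions" }`.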
@@ -0,0 +1,786 @@ +#!/usr/bin/pwsh + +using module "../Alz.Enums/" +using module "../Alz.Classes/" + +############################################### +# Configure PSScriptAnalyzer rule suppression # +############################################### + +# The following SuppressMessageAttribute entries are used to surpress +# PSScriptAnalyzer tests against known exceptions as per: +# https://github.com/powershell/psscriptanalyzer#suppressing-rules +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'Function targets multiple line endings', Scope = 'Function', Target = 'Edit-LineEndings')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '', Justification = 'Function does not change system state', Scope = 'Function', Target = 'Remove-Escaping')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'SleepForSeconds', Justification = 'Used in child process', Scope = 'Function', Target = 'Invoke-RemoveMgHierarchy')] +param () + +####################################### +# Common variables used within module # +####################################### + +[Int]$jsonDepth = 100 + +[Regex]$regex_schema_deploymentParameters = "http[s]?:\/\/schema\.management\.azure\.com\/schemas\/([0-9-]{10})\/deploymentParameters\.json#" +[Regex]$regex_schema_managementGroupDeploymentTemplate = "http[s]?:\/\/schema\.management\.azure\.com\/schemas\/([0-9-]{10})\/managementGroupDeploymentTemplate\.json#" +[Regex]$regex_firstLeftSquareBrace = "(?<=`")(\[)" +[Regex]$regex_escapedLeftSquareBrace = "(?<=`")(\[\[)" +[Regex]$regex_subscriptionAlias = "(?[\w-]+?)-(?\w+)-?(?[1-2]?[0-9]?[0-9])?$" + +[String[]]$allowedResourceTypes = @( + "Microsoft.Authorization/policyAssignments" + "Microsoft.Authorization/policyDefinitions" + "Microsoft.Authorization/policySetDefinitions" + "Microsoft.Authorization/roleAssignments" + "Microsoft.Authorization/roleDefinitions" + 
"Microsoft.Management/managementGroups" + "Microsoft.Management/managementGroups/subscriptions" +) + +[String[]]$removePolicyEscapingByFormat = @( + "Terraform" + "Bicep" +) + +[String[]]$removePolicySetEscapingByFormat = @( + "Terraform" +) + +[String[]]$removeResourceEscapingByFormat = @( + "Terraform" +) + +################################ +# Functions used within module # +################################ + +function ProcessObjectByResourceType { + [CmdletBinding()] + [OutputType([Object])] + param ( + [Parameter()][Object]$ResourceObject, + [Parameter()][String]$ResourceType + ) + try { + switch ($ResourceType.ToLower()) { + "microsoft.authorization/policyassignments" { + $outputObject = [PolicyAssignment]::new($ResourceObject) + } + "microsoft.authorization/policydefinitions" { + $outputObject = [PolicyDefinition]::new($ResourceObject) + } + "microsoft.authorization/policysetdefinitions" { + $outputObject = [PolicySetDefinition]::new($ResourceObject) + } + "microsoft.authorization/roleassignments" { + $outputObject = [RoleAssignment]::new($ResourceObject) + } + "microsoft.authorization/roledefinitions" { + $outputObject = [RoleDefinition]::new($ResourceObject) + } + Default { + Write-Warning "Unsupported resource type: $($ResourceType)" + $outputObject = $ResourceObject + } + } + } + catch [System.Management.Automation.RuntimeException] { + Write-Error $_.Exception.Message + } + + return $outputObject + +} + +function Add-Escaping { + [CmdletBinding()] + param ( + [Parameter()][Object]$InputObject + ) + + # A number of sources store the required definition in variables + # which use escaping for ARM functions so they are correctly + # processed within copy_loops. These may need to be added when + # converting from a native ARM template. 
+ $output = $InputObject | + ConvertTo-Json -Depth $jsonDepth | + ForEach-Object { $_ -replace $regex_firstLeftSquareBrace, "[[" } | + ConvertFrom-Json + + return $output +} + +function Remove-Escaping { + [CmdletBinding()] + param ( + [Parameter()][Object]$InputObject + ) + + # A number of sources store the required definition in variables + # which use escaping for ARM functions so they are correctly + # processed within copy_loops. These may need to be removed when + # converting to a native ARM template. + $output = $InputObject | + ConvertTo-Json -Depth $jsonDepth | + ForEach-Object { $_ -replace $regex_escapedLeftSquareBrace, "[" } | + ConvertFrom-Json + + return $output +} + +function GetObjectByResourceTypeFromJson { + [CmdletBinding()] + [OutputType([Object])] + param ( + [Parameter()][String]$Id, + [Parameter()][String[]]$InputJSON, + [Parameter()][ExportFormat]$ExportFormat + ) + + # Try catch is used to gracefully handle type conversion errors when the input contains invalid JSON + try { + $objectFromJson = $InputJSON | ConvertFrom-Json -ErrorAction Stop + } + catch { + throw $_.Exception.Message + } + + # The following block handles processing files in the format generated by the AzOps output + # e.g. azopsreference/ folder in Azure/Enterprise-Scale repository + if ($regex_schema_deploymentParameters.IsMatch($objectFromJson."`$schema")) { + if ($objectFromJson.parameters.input.value.ResourceType) { + ProcessObjectByResourceType ` + -ResourceObject ($objectFromJson.parameters.input.value) ` + -ResourceType ($objectFromJson.parameters.input.value.ResourceType) + } + } + # The following block handles processing files in the format used by the ALZ reference deployments + # e.g. 
eslzArm/managementGroupTemplates/policyDefinitions/ folder in Azure/Enterprise-Scale repository + elseif ($regex_schema_managementGroupDeploymentTemplate.IsMatch($objectFromJson."`$schema")) { + foreach ($policyDefinition in $objectFromJson.variables.policies.policyDefinitions) { + ProcessObjectByResourceType ` + -ResourceObject ($ExportFormat -in $removePolicyEscapingByFormat ? (Remove-Escaping -InputObject $policyDefinition) : $policyDefinition) ` + -ResourceType ("Microsoft.Authorization/policyDefinitions") + } + foreach ($policySetDefinition in $objectFromJson.variables.initiatives.policySetDefinitions) { + ProcessObjectByResourceType ` + -ResourceObject ($ExportFormat -in $removePolicySetEscapingByFormat ? (Remove-Escaping -InputObject $policySetDefinition) : $policySetDefinition) ` + -ResourceType ("Microsoft.Authorization/policySetDefinitions") + } + foreach ( + $policyDefinition in $objectFromJson.resources | + Where-Object { $_.type -eq "Microsoft.Authorization/policyDefinitions" } | + Where-Object { $_.name -ne "[variables('policies').policyDefinitions[copyIndex()].name]" } + ) { + ProcessObjectByResourceType ` + -ResourceObject ($ExportFormat -in $removePolicyEscapingByFormat ? (Remove-Escaping -InputObject $policyDefinition) : $policyDefinition) ` + -ResourceType ("Microsoft.Authorization/policyDefinitions") + } + foreach ( + $policySetDefinition in $objectFromJson.resources | + Where-Object { $_.type -eq "Microsoft.Authorization/policySetDefinitions" } | + Where-Object { $_.name -ne "[variables('initiatives').policySetDefinitions[copyIndex()].name]" } + ) { + ProcessObjectByResourceType ` + -ResourceObject ($ExportFormat -in $removePolicySetEscapingByFormat ? 
(Remove-Escaping -InputObject $policySetDefinition) : $policySetDefinition) ` + -ResourceType ("Microsoft.Authorization/policySetDefinitions") + } + } + # The following elseif block handles all policy definitions stored in ARM template format + elseif ($objectFromJson.type -eq "Microsoft.Authorization/policyDefinitions") { + ProcessObjectByResourceType ` + -ResourceObject ($ExportFormat -in $removePolicyEscapingByFormat ? (Remove-Escaping -InputObject $objectFromJson) : $objectFromJson) ` + -ResourceType $objectFromJson.type + } + # The following elseif block handles all policy set definitions stored in ARM template format + elseif ($objectFromJson.type -eq "Microsoft.Authorization/policySetDefinitions") { + ProcessObjectByResourceType ` + -ResourceObject ($ExportFormat -in $removePolicySetEscapingByFormat ? (Remove-Escaping -InputObject $objectFromJson) : $objectFromJson) ` + -ResourceType $objectFromJson.type + } + # The following elseif block handles all other allowed resource types stored in ARM template format + elseif ($objectFromJson.type -in $allowedResourceTypes) { + ProcessObjectByResourceType ` + -ResourceObject ($ExportFormat -in $removeResourceEscapingByFormat ? (Remove-Escaping -InputObject $objectFromJson) : $objectFromJson) ` + -ResourceType $objectFromJson.type + } + # The following block handles processing generic files where the source content is unknown + # High probability of incorrect format if this happens. 
+ else { + Write-Warning "Unable to find converter for input object: $Id" + } + +} + +function ProcessFile { + [CmdletBinding()] + param ( + [Parameter()][String]$FilePath, + [Parameter()][ExportFormat]$ExportFormat + ) + + $content = Get-Content -Path $FilePath + + $output = GetObjectByResourceTypeFromJson ` + -Id $FilePath ` + -InputJSON $content ` + -ExportFormat $ExportFormat + + return $output +} + +function Invoke-UseCacheFromModule { + param ( + [String]$Directory = "./" + ) + [ProviderApiVersions]::LoadCacheFromDirectory($Directory) +} + +function Invoke-UpdateCacheInModule { + param ( + [String]$Directory = "./" + ) + [ProviderApiVersions]::SaveCacheToDirectory($Directory) +} + +function Edit-LineEndings { + [CmdletBinding()] + [OutputType([String[]])] + param ( + [Parameter(ValueFromPipeline = $true)] + [String[]]$InputText, + [Parameter()][LineEndingTypes]$LineEnding = "Unix" + ) + + Begin { + + Switch ("$LineEnding".ToLower()) { + "darwin" { $eol = "`r" } + "unix" { $eol = "`n" } + "win" { $eol = "`r`n" } + } + + } + + Process { + + [String[]]$outputText += $InputText | + ForEach-Object { $_ -replace "`r`n", "`n" } | + ForEach-Object { $_ -replace "`r", "`n" } | + ForEach-Object { $_ -replace "`n", "$eol" } + + } + + End { + + return $outputText + + } + +} + +function ConvertTo-ArmTemplateResource { + [CmdletBinding()] + param ( + [Parameter()][String]$FilePath, + [Parameter()][ExportFormat]$ExportFormat = "Raw", + [Parameter()][Switch]$AsJson + ) + + $content = ProcessFile ` + -FilePath $FilePath ` + -ExportFormat $ExportFormat + + $output = $content.Format($ExportFormat) + + if ($AsJson) { + return $output | ConvertTo-Json -Depth $jsonDepth + } + else { + return $output + } + +} + +function ConvertTo-LibraryArtifact { + [CmdletBinding()] + param ( + [Parameter()][String[]]$InputPath, + [Parameter()][String]$InputFilter = "*.json", + [Parameter()][String]$OutputPath = "./", + [Parameter()][String]$FileNamePrefix = "", + 
[Parameter()][String]$FileNameSuffix = ".json", + [Parameter()][ExportFormat]$ExportFormat = "Raw", + [Parameter()][Switch]$Recurse + ) + $inputFiles = foreach ($path in $InputPath) { + Get-ChildItem -Path $path -Recurse:$Recurse -Filter $InputFilter + } + + [Object[]]$outputItems = foreach ($inputFile in $inputFiles) { + $content = ProcessFile ` + -FilePath $inputFile.FullName ` + -ExportFormat $ExportFormat + foreach ($item in $content | Where-Object { $_ }) { + [PSCustomObject]@{ + InputFilePath = $inputFile.FullName + OutputFilePath = ($OutputPath + "/" + $item.GetFileName($FileNamePrefix, $FileNameSuffix, $ExportFormat)) -replace "//", "/" + OutputTemplate = $item.Format($ExportFormat) + } + } + } + + return $outputItems + +} + +function Export-LibraryArtifact { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter()][String[]]$InputPath, + [Parameter()][String]$InputFilter = "*.json", + [ValidateScript({ $_.foreach({ $_ -in $allowedResourceTypes }) })] + [Parameter()][String[]]$ResourceTypeFilter = @(), + [Parameter()][String]$OutputPath = "./", + [Parameter()][String]$FileNamePrefix = "", + [Parameter()][String]$FileNameSuffix = ".json", + [Parameter()][LineEndingTypes]$LineEnding = "Unix", + [Parameter()][ExportFormat]$ExportFormat = "Raw", + [Parameter()][Switch]$Recurse + ) + + $libraryArtifacts = ConvertTo-LibraryArtifact ` + -InputPath $InputPath ` + -InputFilter $InputFilter ` + -OutputPath $OutputPath ` + -FileNamePrefix $FileNamePrefix ` + -FileNameSuffix $FileNameSuffix ` + -ExportFormat $ExportFormat ` + -Recurse:$Recurse + + if ($ResourceTypeFilter.Length -eq 0) { + Write-Verbose "Using default ResourceTypeFilter. Will process all valid resource types." + $ResourceTypeFilter = [ProviderApiVersions]::ListTypes() + } + else { + Write-Verbose "Using custom ResourceTypeFilter. 
Will process the following resource types:`n $($ResourceTypeFilter.foreach({" - " + $_ +"`n"}))" + } + + foreach ($libraryArtifact in $libraryArtifacts) { + $libraryArtifactMessage = ("Processing file... `n" + ` + " - Input : $($libraryArtifact.InputFilePath) `n" + ` + " - Output : $($libraryArtifact.OutputFilePath)") + + if ($libraryArtifact.OutputTemplate.type -in $ResourceTypeFilter) { + if ($PSCmdlet.ShouldProcess($libraryArtifact.OutputFilePath)) { + $libraryArtifactFile = $libraryArtifact.OutputTemplate | + ConvertTo-Json -Depth $jsonDepth | + Edit-LineEndings -LineEnding $LineEnding | + New-Item -Path $libraryArtifact.OutputFilePath -ItemType File -Force + $libraryArtifactMessage += "`n [COMPLETE]" + Write-Verbose $libraryArtifactMessage + Write-Information "Output File : $($libraryArtifactFile.FullName) [COMPLETE]" -InformationAction Continue + } + } + else { + $libraryArtifactMessage += "`n [SKIPPING] Resource Type not in ResourceTypeFilter." + Write-Verbose $libraryArtifactMessage + } + } +} + +function Set-AzureSubscriptionAlias { + [CmdletBinding(SupportsShouldProcess)] + [OutputType([Object[]])] + param ( + [Parameter(Mandatory = $true, ParameterSetName = 'PutAliasWithBillingScope')] + [Parameter(Mandatory = $true, ParameterSetName = 'PutAliasWithSubscriptionId')] + [Parameter(Mandatory = $true, ParameterSetName = 'GetAliasOnly')] + [String[]]$Alias, + [Parameter(Mandatory = $true, ParameterSetName = 'PutAliasWithBillingScope')] + [String]$BillingScope, + [Parameter(Mandatory = $true, ParameterSetName = 'PutAliasWithSubscriptionId')] + [String]$SubscriptionId, + [Parameter(Mandatory = $false, ParameterSetName = 'PutAliasWithBillingScope')] + [String]$Workload = "Production", + [Parameter(Mandatory = $false, ParameterSetName = 'PutAliasWithBillingScope')] + [Parameter(Mandatory = $false, ParameterSetName = 'PutAliasWithSubscriptionId')] + [Parameter(Mandatory = $false, ParameterSetName = 'GetAliasOnly')] + [Switch]$SetParentManagementGroup, + 
[Parameter(Mandatory = $false, ParameterSetName = 'PutAliasWithBillingScope')] + [Parameter(Mandatory = $false, ParameterSetName = 'PutAliasWithSubscriptionId')] + [Parameter(Mandatory = $false, ParameterSetName = 'GetAliasOnly')] + [Switch]$SetAddressPrefix + ) + + # Get the latest stable API version + $aliasesApiVersion = [ProviderApiVersions]::GetLatestStableByType("Microsoft.Subscription/aliases") + Write-Information "Using Subscription Alias API Version : $($aliasesApiVersion)" -InformationAction Continue + + # Logic to determine whether to GET an existing Alias or PUT a new one + $GetExistingAlias = [string]::IsNullOrEmpty($BillingScope) -and [string]::IsNullOrEmpty($SubscriptionId) + $requestMethod = $GetExistingAlias ? "GET" : "PUT" + + # Process Alias value(s) + $aliasResponses = @() + foreach ($subscriptionName in $Alias) { + Write-Verbose "Microsoft.Subscription/aliases/$($subscriptionName) [$requestMethod]" + $requestPath = "/providers/Microsoft.Subscription/aliases/$($subscriptionName)?api-version=$($aliasesApiVersion)" + if (-not [string]::IsNullOrEmpty($BillingScope)) { + $action = "PutAliasWithBillingScope" + $requestBodyObject = @{ + properties = @{ + displayName = $subscriptionName + billingScope = $BillingScope + workload = $Workload + additionalProperties = @{} + } + } + } + elseif (-not [string]::IsNullOrEmpty($SubscriptionId)) { + $action = "PutAliasWithSubscriptionId" + $requestBodyObject = @{ + properties = @{ + subscriptionId = $SubscriptionId + additionalProperties = @{} + } + } + } + else { + $action = "GetAliasOnly" + $requestBodyObject = @{} + } + $requestBody = $requestBodyObject | ConvertTo-Json -Depth $jsonDepth + if ($PSCmdlet.ShouldProcess("$subscriptionName", "$action")) { + $aliasResponse = Invoke-AzRestMethod -Method $requestMethod -Path $requestPath -Payload $requestBody + } + else { + $aliasResponse = [ordered]@{ + StatusCode = "200 (WHAT IF)" + Method = "GET (WHAT IF)" + Content = [ordered]@{ + id = 
"/providers/Microsoft.Subscription/aliases/$subscriptionName" + name = "$subscriptionName" + type = "Microsoft.Subscription/aliases" + properties = [ordered]@{ + subscriptionId = "00000000-0000-0000-0000-000000000000" + provisioningState = "Succeeded" + } + } | ConvertTo-Json -Depth $jsonDepth + } + } + $aliasResponses += $aliasResponse + Write-Verbose "Microsoft.Subscription/aliases/$($subscriptionName) [$($aliasResponse.StatusCode)]" + } + + # For newly created Subscriptions, wait until all return StatusCode 200 and Provisioning State Succeeded + $aliasResponses | Where-Object -Property StatusCode -EQ "201" | ForEach-Object { + $aliasResponseContent = $_.Content | ConvertFrom-Json + $retryCount = 0 + $SleepSeconds = 1 + do { + $retryCount++ + $aliasResponse = Invoke-AzRestMethod -Method GET -Path "$($aliasResponseContent.id)?api-version=$($aliasesApiVersion)" + $aliasResponseContent = $aliasResponse.Content | ConvertFrom-Json + $subscriptionId = $aliasResponseContent.properties.subscriptionId + $provisioningState = $aliasResponseContent.properties.provisioningState + Write-Verbose "(Retry=$retryCount) $($aliasResponseContent.id) [$($aliasResponse.StatusCode)] [$($subscriptionId)] [$($provisioningState)]" + if (($aliasResponse.StatusCode -eq "200") -and ($provisioningState -eq "Succeeded")) { + $endLoop = $true + } + else { + Start-Sleep -Seconds $SleepSeconds + $SleepSeconds = 2 * $SleepSeconds + } + if ($retryCount -eq 10) { + $endLoop = $true + } + } until ($endLoop) + } + + # Add each subscription to the return object + $subscriptions = @() + $aliasResponses | ForEach-Object { + if ($aliasResponse.StatusCode -eq "201") { + $status = "NEW" + } + elseif ($aliasResponse.StatusCode -eq "200") { + $status = "EXISTING" + } + elseif ($aliasResponse.StatusCode -eq "200 (WHAT IF)") { + $status = "WHAT IF" + } + else { + $status = "UNKNOWN" # Consider whether to throw an error here + } + $subscription = $_.Content | ConvertFrom-Json + $subscriptions += $subscription + 
Write-Information "[$status] Subscription Alias : $($subscription.name) [$($subscription.properties.subscriptionId)]" -InformationAction Continue + } + + # Determine the parent management group if SetParentManagementGroup is specified + if ($SetParentManagementGroup) { + foreach ($subscription in $subscriptions) { + $scope = $regex_subscriptionAlias.Matches($subscription.name)[0].Groups['scope'].Value + Write-Information "Set parent management group : $($subscription.name) [$scope]" -InformationAction Continue + $subscription | Add-Member -Type NoteProperty -Name parentManagementGroup -Value $scope + } + } + + # Determine the assigned address prefix if SetAddressPrefix is specified + if ($SetAddressPrefix) { + $secondOctetFallback = 100 + $secondOctetLog = @() + foreach ($subscription in $subscriptions) { + $secondOctetValue = $regex_subscriptionAlias.Matches($subscription.name)[0].Groups['secondOctet'].Value + $secondOctet = [string]::IsNullOrEmpty($secondOctetValue) ? $secondOctetFallback : $secondOctetValue + if ($secondOctet -in $secondOctetLog) { + throw "Overlapping address space (at secondOctet) detected." 
+ } + if ($secondOctet -in $secondOctetFallback) { + $secondOctetFallback += 10 + } + $addressPrefix = "10.$secondOctet.0.0/24" + Write-Information "Set address prefix : $($subscription.name) [$addressPrefix]" -InformationAction Continue + $subscription | Add-Member -Type NoteProperty -Name addressPrefix -Value $addressPrefix + } + } + + return $subscriptions + +} + +function Invoke-RemoveRsgByPattern { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter()][String[]]$SubscriptionId, + [Parameter()][String]$Like + ) + + $originalCtx = Get-AzContext + + $WhatIfPrefix = "" + if ($WhatIfPreference) { + $WhatIfPrefix = "What if: " + } + + $jobs = @() + foreach ($subId in $SubscriptionId) { + Set-AzContext -SubscriptionId $subId -WhatIf:$false | Out-Null + + $resourcesGroups = Get-AzResourceGroup | Where-Object -Property "ResourceGroupName" -Like $Like + + Write-Information "$($WhatIfPrefix)Deleting [$($resourcesGroups.Length)] Resource Groups for Subscription [$($subId)] matching pattern [$($Like)]" -InformationAction Continue + + if ($resourcesGroups.Length -gt 0) { + if ($PSCmdlet.ShouldProcess($($resourcesGroups.ResourceGroupName | ConvertTo-Json -Compress), "Remove-AzResourceGroup")) { + $jobs += $resourcesGroups | Remove-AzResourceGroup -AsJob -Force + } + } + + } + + Set-AzContext $originalCtx -WhatIf:$false | Out-Null + + return $jobs + +} + +function Invoke-RemoveDeploymentByPattern { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter()][String[]]$SubscriptionId, + [Parameter()][String[]]$ManagementGroupId, + [Parameter()][String]$Like, + [Parameter()][Switch]$IncludeTenantScope + ) + + $originalCtx = Get-AzContext + + $WhatIfPrefix = "" + if ($WhatIfPreference) { + $WhatIfPrefix = "What if: " + } + + $jobs = @() + + foreach ($subId in $SubscriptionId) { + Set-AzContext -SubscriptionId $subId -WhatIf:$false | Out-Null + + $deployments = Get-AzSubscriptionDeployment | Where-Object -Property "DeploymentName" -Like $Like + + 
Write-Information "$($WhatIfPrefix)Deleting [$($deployments.Length)] Deployments for Subscription [$($subId)] matching pattern [$($Like)]" -InformationAction Continue + + if ($deployments.Length -gt 0) { + if ($PSCmdlet.ShouldProcess($($deployments.DeploymentName | ConvertTo-Json -Compress), "Remove-AzSubscriptionDeployment")) { + $jobs += $deployments | Remove-AzSubscriptionDeployment -AsJob + } + } + + } + + foreach ($mgId in $ManagementGroupId) { + $deployments = Get-AzManagementGroupDeployment -ManagementGroupId $mgId | Where-Object -Property "DeploymentName" -Like $Like + + Write-Information "$($WhatIfPrefix)Deleting [$($deployments.Length)] Deployments for Management Group [$($mgId)] matching pattern [$($Like)]" -InformationAction Continue + + if ($deployments.Length -gt 0) { + if ($PSCmdlet.ShouldProcess($($deployments.DeploymentName | ConvertTo-Json -Compress), "Remove-AzManagementGroupDeployment")) { + $jobs += $deployments | Remove-AzManagementGroupDeployment -AsJob + } + } + + } + + if ($IncludeTenantScope) { + $deployments = Get-AzTenantDeployment | Where-Object -Property "DeploymentName" -Like $Like + + Write-Information "$($WhatIfPrefix)Deleting [$($deployments.Length)] Deployments for Tenant [$($originalCtx.Tenant.Id)] matching pattern [$($Like)]" -InformationAction Continue + + if ($deployments.Length -gt 0) { + if ($PSCmdlet.ShouldProcess($($deployments.DeploymentName | ConvertTo-Json -Compress), "Remove-AzTenantDeployment")) { + $jobs += $deployments | Remove-AzTenantDeployment -AsJob + } + } + + } + + Set-AzContext $originalCtx -WhatIf:$false | Out-Null + + return $jobs + +} + +function Invoke-RemoveOrphanedRoleAssignment { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter()][String[]]$SubscriptionId + ) + + $originalCtx = Get-AzContext + + $WhatIfPrefix = "" + if ($WhatIfPreference) { + $WhatIfPrefix = "What if: " + } + + # Get the latest stable API version + $roleAssignmentsApiVersion = 
[ProviderApiVersions]::GetLatestStableByType("Microsoft.Authorization/roleAssignments") + Write-Information "Using Role Assignments API Version : $($roleAssignmentsApiVersion)" -InformationAction Continue + + foreach ($subId in $SubscriptionId) { + + # Use Rest API to ensure correct permissions are assigned when looking up + # whether identity exists, otherwise Get-AzRoleAssignment will always + # return `objectType : "unknown"` for all assignments with no errors. + + # Get Role Assignments + $getRequestPath = "/subscriptions/$($subId)/providers/Microsoft.Authorization/roleAssignments?api-version=$($roleAssignmentsApiVersion)" + $getResponse = Invoke-AzRestMethod -Method "GET" -Path $getRequestPath + $roleAssignments = ($getResponse.Content | ConvertFrom-Json).value + + # Check for valid response + if ($getResponse.StatusCode -ne "200") { + throw $getResponse.Content + } + try { + # If invalid response, $roleAssignments will be null and throw an error + $roleAssignments.GetType() | Out-Null + } + catch { + throw $getResponse.Content + } + + # Get a list of assigned principalId values and lookup against AAD + $principalsRequestUri = "https://graph.microsoft.com/v1.0/directoryObjects/microsoft.graph.getByIds" + $principalsRequestBody = @{ + ids = $roleAssignments.properties.principalId + } | ConvertTo-Json -Depth $jsonDepth + $principalsResponse = Invoke-AzRestMethod -Method "POST" -Uri $principalsRequestUri -Payload $principalsRequestBody -WhatIf:$false + $principalIds = ($principalsResponse.Content | ConvertFrom-Json).value.id + + # Find all Role Assignments where the principalId is not found in AAD + $orphanedRoleAssignments = $roleAssignments | Where-Object { + ($_.properties.scope -eq "/subscriptions/$($subId)") -and + ($_.properties.principalId -notin $principalIds) + } + + # Delete orphaned Role Assignments + Write-Information "$($WhatIfPrefix)Deleting [$($orphanedRoleAssignments.Length)] orphaned Role Assignments for Subscription [$($subId)]" 
-InformationAction Continue + $orphanedRoleAssignments | ForEach-Object { + if ($PSCmdlet.ShouldProcess("$($_.id)", "Remove-AzRoleAssignment")) { + $deleteRequestPath = "$($_.id)?api-version=$($roleAssignmentsApiVersion)" + $deleteResponse = Invoke-AzRestMethod -Method "DELETE" -Path $deleteRequestPath + # Check for valid response + if ($deleteResponse.StatusCode -ne "200") { + throw $deleteResponse.Content + } + } + } + + } + + Set-AzContext $originalCtx -WhatIf:$false | Out-Null + +} + +function Invoke-RemoveMgHierarchy { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter()][String[]]$ManagementGroupId + ) + + $InvokeRemoveMgHierarchy = ${function:Invoke-RemoveMgHierarchy}.ToString() + + $ctx = Get-AzContext + + $WhatIfPrefix = "" + if ($WhatIfPreference) { + $WhatIfPrefix = "What if: " + } + + # Get list of existing Management Groups + $managementGroupIds = (Get-AzManagementGroup).Name + + Write-Information ("$($WhatIfPrefix)Removing Management Group Hierarchy in batch: {0}" -f $($ManagementGroupId | ConvertTo-Json -Compress)) -InformationAction Continue + + # Log warning for non-existing Management Group + $ManagementGroupId | Where-Object { $_ -notin $managementGroupIds } | ForEach-Object { + Write-Warning "'/providers/Microsoft.Management/managementGroups/$_' not found" + } + + # Process existing Management Groups + $ManagementGroupId | Where-Object { $_ -in $managementGroupIds } | ForEach-Object -Parallel { + + # Set WhatIfPreference from parent session + $WhatIfPreference = $using:WhatIfPreference + + # Parse functions from parent session + ${function:Invoke-RemoveMgHierarchy} = $using:InvokeRemoveMgHierarchy + + # Set Azure context from parent session + Set-AzContext -Context $using:ctx | Out-Null + + # Get expanded properties of current Management Group + $managementGroup = Get-AzManagementGroup -GroupId $_ -Expand -WarningAction SilentlyContinue + + # Process child Subscriptions under the current Management Group scope + $childSubs = 
($managementGroup.Children | Where-Object { $_.Type -eq "/subscriptions" }).Name
+ foreach ($childSub in $childSubs) {
+ Remove-AzManagementGroupSubscription -SubscriptionId $childSub -GroupName $managementGroup.Name -WhatIf:$WhatIfPreference -WarningAction SilentlyContinue
+ Write-Output "/subscriptions/$childSub"
+ }
+
+ # Process child Management Groups under the current Management Group scope
+ $childMgs = ($managementGroup.Children | Where-Object { $_.Type -match "^(\/providers\/)?(Microsoft\.Management\/managementGroups)$" }).Name
+ if ($childMgs.Length -gt 0) {
+ Invoke-RemoveMgHierarchy -ManagementGroupId $childMgs
+ }
+
+ Remove-AzManagementGroup -GroupId $_ -WhatIf:$WhatIfPreference -WarningAction SilentlyContinue | Out-Null
+
+ Write-Output "/providers/Microsoft.Management/managementGroups/$_"
+
+ }
+
+}
diff --git a/dependencies/Alz.Tools/scripts/Update-ProviderApiVersionsZip.ps1 b/dependencies/Alz.Tools/scripts/Update-ProviderApiVersionsZip.ps1
new file mode 100644
index 00000000..6a147f37
--- /dev/null
+++ b/dependencies/Alz.Tools/scripts/Update-ProviderApiVersionsZip.ps1
@@ -0,0 +1,28 @@
+#!/usr/bin/pwsh
+
+#
+# PowerShell Script
+# - Update the ProviderApiVersions.zip file stored in the module
+#
+# Requires an authentication session PowerShell session to Azure
+# and should be run from the same location as the script unless
+# the -Directory parameter is specified.
+#
+
+[CmdletBinding(SupportsShouldProcess)]
+param (
+ [Parameter()][String]$AlzToolsPath = "$PWD/src/Alz.Tools"
+)
+
+$ErrorActionPreference = "Stop"
+
+# This script relies on a custom set of classes and functions
+# defined within the Alz.Tools PowerShell module.
+Import-Module $AlzToolsPath
+
+Write-Information "Updating ProviderApiVersions in module." -InformationAction Continue
+if ($PSCmdlet.ShouldProcess($AlzToolsPath)) {
+ Invoke-UpdateCacheInModule($AlzToolsPath)
+}
+
+Write-Information "... Complete" -InformationAction Continue
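Review bot: The header comment of the new script tells the reader to pass a `-Directory` parameter, but the only parameter declared is `-AlzToolsPath`, so the comment should read `# the -AlzToolsPath parameter is specified.`; the line above it also doubles a word and would read better as `# Requires an authenticated PowerShell session to Azure`. `Invoke-UpdateCacheInModule($AlzToolsPath)` uses method-call parentheses, which only work here because there is a single argument; the conventional PowerShell form is `Invoke-UpdateCacheInModule $AlzToolsPath`. Since the default path is relative to `$PWD`, `Import-Module` loads whatever happens to sit at `src/Alz.Tools` under the caller's working directory; resolving the default against `$PSScriptRoot` would make the script load the intended module regardless of where it is invoked from, and `-Force` would avoid reusing a stale copy already loaded in the session.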
diff --git a/dependencies/infra-as-code/bicep/CRML/README.md b/dependencies/infra-as-code/bicep/CRML/README.md new file mode 100644 index 00000000..6f68d303 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/README.md @@ -0,0 +1,9 @@ +# Why Does This Directory Exist & Contain Other Bicep Modules? + +Good question! This directory exists to host modules that are **not** specific to the Azure Landing Zones modules that are contained within the `infra-as-code/bicep/modules` directory. + +The modules inside this directory, `infra-as-code/bicep/CRML` are modules that we are potentially planning, at some point in time, to remove from this repo and migrate/consume them from the [Common Azure Resource Modules Library repo](https://github.com/Azure/ResourceModules) when features like the Bicep Public Module Registry exists. + +> These are only plans/aspirations at this stage, but we are sharing with you for clarity 👍 + +These modules are consumed and called by other modules within this repo. For example, the `customerUsageAttribution` module is called in all modules as you can see from each of those modules `.bicep` files. \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/README.md b/dependencies/infra-as-code/bicep/CRML/containerRegistry/README.md new file mode 100644 index 00000000..b2746b94 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/README.md 
@@ -0,0 +1,62 @@ +# Module: Container Registry + +This module creates an Azure Container Registry to store private Bicep Modules. + +Module deploys the following resources: + +- Azure Container Registry + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/containerRegistry.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| -------------- | ------ | --------------------------- | +| outLoginServer | string | acr5cix6w3rcizna.azurecr.io | + +## Deployment + +In this example, the Azure Container Registry will be deployed to the resource group specified. + +We will take the default values and not pass any parameters. + +> For the below examples we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-ContainerRegistry-${dateYMD}" +RESOURCEGROUP="rg-bicep-acr" +PARAMETERS="@infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json" +TEMPLATEFILE="infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep" + +az group create --location eastus \ + --name rg-bicep-acr + +az deployment group create --name ${NAME:0:63} --resource-group $RESOURCEGROUP --parameters $PARAMETERS --template-file $TEMPLATEFILE +``` + +### PowerShell + +```powershell +New-AzResourceGroup -Name 'rg-bicep-acr' ` + -Location 'EastUs' + + $inputObject = @{ + DeploymentName = 'alz-ContainerRegistry-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = 'rg-bicep-acr' + TemplateParameterFile = 'infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json' + TemplateFile = "infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep" +} + +New-AzResourceGroupDeployment @inputObject +``` + +## Bicep Visualizer + +![Bicep 
Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep b/dependencies/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep
new file mode 100644
index 00000000..11d4134e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep
@@ -0,0 +1,43 @@
+/*
+SUMMARY: Deploys Private Azure Container Registry to store Bicep modules.
+DESCRIPTION:
+ Deploys Private Azure Container Registry to store Bicep modules.
+ * Azure Container Registry
+
+
+AUTHOR/S: aultt
+VERSION: 1.0.0
+*/
+
+metadata name = 'ALZ Bicep CRML - Container Registry Module'
+metadata description = 'Module to create an Azure Container Registry to store private Bicep Modules'
+
+@minLength(5)
+@maxLength(50)
+@sys.description('Provide a globally unique name of your Azure Container Registry')
+param parAcrName string = 'acr${uniqueString(resourceGroup().id)}'
+
+@sys.description('Provide a location for the registry.')
+param parLocation string = resourceGroup().location
+
+@sys.description('Provide a tier of your Azure Container Registry.')
+param parAcrSku string = 'Basic'
+
+@sys.description('Tags to be applied to resource when deployed. Default: None')
+param parTags object ={}
+
+resource resAzureContainerRegistry 'Microsoft.ContainerRegistry/registries@2022-12-01' = {
+ name: parAcrName
+ tags: parTags
+ location: parLocation
+ sku: {
+ name: parAcrSku
+ }
+ properties: {
+ adminUserEnabled: false
+ }
+}
+
+@sys.description('Output the login server property for later use')
+output outLoginServer string = resAzureContainerRegistry.properties.loginServer
+
diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/generateddocs/containerRegistry.bicep.md b/dependencies/infra-as-code/bicep/CRML/containerRegistry/generateddocs/containerRegistry.bicep.md
new file mode 100644
index 00000000..0e3e2dfe
--- /dev/null
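Review bot: `param parAcrSku string = 'Basic'` accepts any string, so a mistyped tier is only rejected at deployment time and the generated docs list no valid values; add `@allowed(['Basic', 'Standard', 'Premium'])` above the `@sys.description` decorator for that parameter. `adminUserEnabled: false` is the right default for a registry holding modules, but the module exposes no control over public network access and, as far as I recall, network restrictions on `Microsoft.ContainerRegistry/registries` are only available on the Premium tier, so the description of `parAcrSku` should state that the default Basic registry is reachable on its public endpoint. Minor: `param parTags object ={}` is missing the space after `=`.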
+++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/generateddocs/containerRegistry.bicep.md 
@@ -0,0 +1,76 @@ +# ALZ Bicep CRML - Container Registry Module + +Module to create an Azure Container Registry to store private Bicep Modules + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAcrName | No | Provide a globally unique name of your Azure Container Registry +parLocation | No | Provide a location for the registry. +parAcrSku | No | Provide a tier of your Azure Container Registry. +parTags | No | Tags to be applied to resource when deployed. Default: None + +### parAcrName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Provide a globally unique name of your Azure Container Registry + +- Default value: `[format('acr{0}', uniqueString(resourceGroup().id))]` + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Provide a location for the registry. + +- Default value: `[resourceGroup().location]` + +### parAcrSku + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Provide a tier of your Azure Container Registry. + +- Default value: `Basic` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags to be applied to resource when deployed. 
Default: None + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outLoginServer | string | Output the login server property for later use + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/containerRegistry/containerRegistry.json" + }, + "parameters": { + "parAcrName": { + "value": "[format('acr{0}', uniqueString(resourceGroup().id))]" + }, + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parAcrSku": { + "value": "Basic" + }, + "parTags": { + "value": {} + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png new file mode 100644 index 00000000..49153308 Binary files /dev/null and b/dependencies/infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png differ diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json b/dependencies/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json new file mode 100644 index 00000000..7b5c3de8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json @@ -0,0 +1,17 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "eastus" + }, + "parAcrSku": { + "value": "Basic" + }, + "parTags": { + "value": { + "Environment": "Live" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/README.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/README.md new file mode 100644 index 00000000..4fd12afd --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/README.md @@ -0,0 +1,21 @@ +# Module: PID + +This module creates a blank deployment which will be called from other modules. The purpose of this deployment is to create a deployment name to be used for Azure [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). To disable this, please see [How to disable Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/ALZ-Bicep/wiki/CustomerUsage) + +This module does not deploy any resources + +## Parameters + +This module does not require any inputs + +## Outputs + +The module does not generate any outputs + +| Output | Type | Example | +| ------ | ---- | ------- | + +## Deployment + +This module is intended to be called from other modules as a reusable resource. + diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep new file mode 100644 index 00000000..4e6cded2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep @@ -0,0 +1,11 @@ +/* +SUMMARY: Module to add the customer usage attribution (PID) to Management Group deployments. +DESCRIPTION: This module will create a deployment at the management group level which will add the unique PID and location as the deployment name +AUTHOR/S: shaunjacob +VERSION: 1.0.0 +*/ + +targetScope = 'managementGroup' + +// This is an empty deployment by design +// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep new file mode 100644 index 00000000..b90f9af4 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep @@ -0,0 +1,11 @@ +/* +SUMMARY: Module to add the customer usage attribution (PID) to Resource Group deployments. +DESCRIPTION: This module will create a deployment at the Resource Group level which will add the unique PID and location as the deployment name +AUTHOR/S: shaunjacob +VERSION: 1.0.0 +*/ + +targetScope = 'resourceGroup' + +// This is an empty deployment by design +// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep new file mode 100644 index 00000000..e11e553c --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep @@ -0,0 +1,11 @@ +/* +SUMMARY: Module to add the customer usage attribution (PID) to Subscription deployments. +DESCRIPTION: This module will create a deployment at the Subscription level which will add the unique PID and location as the deployment name +AUTHOR/S: shaunjacob +VERSION: 1.0.0 +*/ + +targetScope = 'subscription' + +// This is an empty deployment by design +// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep new file mode 100644 index 00000000..a53487c9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep 
@@ -0,0 +1,11 @@ +/* +SUMMARY: Module to add the customer usage attribution (PID) to Tenant deployments. +DESCRIPTION: This module will create a deployment at the Tenant level which will add the unique PID and location as the deployment name +AUTHOR/S: shaunjacob +VERSION: 1.0.0 +*/ + +targetScope = 'tenant' + +// This is an empty deployment by design +// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md new file mode 100644 index 00000000..f7f5589f --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md new file mode 100644 index 00000000..460a655e --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.json" + }, + "parameters": {} +} +``` 
diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md new file mode 100644 index 00000000..e8ae6f94 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md new file mode 100644 index 00000000..58bf6942 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/README.md b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/README.md new file mode 100644 index 00000000..5586a80a --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/README.md 
@@ -0,0 +1,64 @@ +# Module: Subscription Alias + +> **IMPORTANT:** We recommend moving to using the [Bicep Subscription Vending Module](https://aka.ms/sub-vending/bicep) instead of this module! + +The Subscription Alias module deploys an Azure Subscription into an existing billing scope that can be from an EA, MCA or MPA as documented in [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription). + +> Please review the [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription) documentation as well as the documentation here [Assign roles to Azure Enterprise Agreement service principal names](https://learn.microsoft.com/azure/cost-management-billing/manage/assign-roles-azure-service-principals) for information on how this works and how to create and assign permissions to a SPN to allow it to create Subscriptions for you as part of a pipeline etc. + +The Subscription will be created and placed under the Tenant Root Group, unless the default Management Group has been changed as per [Setting - Default management group](https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group) + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/subscriptionAlias.bicep.md) + +## Outputs + +The module will generate the following outputs: + +Output | Type | Example +------ | ---- | -------- +outSubscriptionName | string | `sub-example-001` +outSubscriptionId | string | `5583f55f-65b2-4a3a-87c9-e499c1c587c0` + +## Deployment + +> **Important Note:** There are 2 parameter files examples provided in the `/parameters` folder of this module. One that contains examples of all possible parameters and another that only contains the minimum required parameters. The minimum version is used in the below examples. 
+ +In this example, the Subscription is created upon an EA Account through a tenant-scoped deployment. + +> For the below examples we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI +```bash + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-SubscriptionAlias-${dateYMD}" +LOCATION="eastus" +PARAMETERS="@infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json" +TEMPLATEFILE="infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep" + +az deployment tenant create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell + +$inputObject = @{ + DeploymentName = 'alz-SubscriptionAlias-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + TemplateParameterFile = 'infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json' + Location = 'EastUS' + TemplateFile = "infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep" +} + +New-AzTenantDeployment @inputObject +``` + +### Output Screenshot + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md new file mode 100644 index 00000000..6510148c --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md 
@@ -0,0 +1,107 @@ +# ALZ Bicep CRML - Subscription Alias Module + +Module to deploy an Azure Subscription into an existing billing scope that can be from an EA, MCA or MPA + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parSubscriptionName | Yes | Name of the subscription to be created. Will also be used as the alias name. Whilst you can use any name you like we recommend it to be: all lowercase, no spaces, alphanumeric and hyphens only. +parSubscriptionBillingScope | Yes | The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in. +parTags | No | Tags you would like to be applied. +parManagementGroupId | No | The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional) +parSubscriptionOwnerId | No | The object ID of a responsible user, AAD group or service principal. (Optional) +parSubscriptionOfferType | No | The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production +parTenantId | No | The ID of the tenant. Defaults to = tenant().tenantId + +### parSubscriptionName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Name of the subscription to be created. Will also be used as the alias name. Whilst you can use any name you like we recommend it to be: all lowercase, no spaces, alphanumeric and hyphens only. + +### parSubscriptionBillingScope + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in. + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied. 
+ +### parManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional) + +### parSubscriptionOwnerId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The object ID of a responsible user, AAD group or service principal. (Optional) + +### parSubscriptionOfferType + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production + +- Default value: `Production` + +- Allowed values: `DevTest`, `Production` + +### parTenantId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The ID of the tenant. Defaults to = tenant().tenantId + +- Default value: `[tenant().tenantId]` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outSubscriptionName | string | +outSubscriptionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.json" + }, + "parameters": { + "parSubscriptionName": { + "value": "" + }, + "parSubscriptionBillingScope": { + "value": "" + }, + "parTags": { + "value": {} + }, + "parManagementGroupId": { + "value": "" + }, + "parSubscriptionOwnerId": { + "value": "" + }, + "parSubscriptionOfferType": { + "value": "Production" + }, + "parTenantId": { + "value": "[tenant().tenantId]" + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png new file mode 100644 index 00000000..9d75c536 Binary files /dev/null and b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png differ diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png new file mode 100644 index 00000000..d8ca170a Binary files /dev/null and b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png differ diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json new file mode 100644 index 00000000..bd70c8b2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json @@ -0,0 +1,29 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionName": { + "value": "sub-example-001" + }, + "parSubscriptionBillingScope": { + "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX" + }, + "parTags": { + "value": { + "Environment": "Live" + } + }, + "parManagementGroupId": { + "value": "mg-example-001" + }, + "parSubscriptionOwnerId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" + }, + "parSubscriptionOfferType": { + "value": "Production" + }, + "parTenantId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" + } + } +} 
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json new file mode 100644 index 00000000..157aa449 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionName": { + "value": "sub-example-001" + }, + "parSubscriptionBillingScope": { + "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX" + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep new file mode 100644 index 00000000..96926229 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep 
@@ -0,0 +1,56 @@
+/*
+SUMMARY: The Subscription Alias module deploys an EA, MCA or MPA Subscription into the tenants default Management Group
+DESCRIPTION: The Subscription Alias module deploys an EA, MCA or MPA Subscription into the tenants default Management Group as per the docs here: https://docs.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription
+AUTHOR/S: jtracey93, johnlokerse
+VERSION: 1.1.0
+ - Updated version of the API
+ - Added additional properties: parTags, parManagementGroupId, parSubscriptionOwnerId and subscriptionTenantId
+*/
+
+targetScope = 'tenant'
+
+metadata name = 'ALZ Bicep CRML - Subscription Alias Module'
+metadata description = 'Module to deploy an Azure Subscription into an existing billing scope that can be from an EA, MCA or MPA'
+
+@sys.description('Name of the subscription to be created. Will also be used as the alias name. Whilst you can use any name you like we recommend it to be: all lowercase, no spaces, alphanumeric and hyphens only.')
+param parSubscriptionName string
+
+@sys.description('The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in.')
+param parSubscriptionBillingScope string
+
+@sys.description('Tags you would like to be applied.')
+param parTags object = {}
+
+@sys.description('The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional)')
+param parManagementGroupId string = ''
+
+@sys.description('The object ID of a responsible user, AAD group or service principal. (Optional)')
+param parSubscriptionOwnerId string = ''
+
+@allowed([
+ 'DevTest'
+ 'Production'
+])
+@sys.description('The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production')
+param parSubscriptionOfferType string = 'Production'
+
+@sys.description('The ID of the tenant. 
Defaults to = tenant().tenantId')
+param parTenantId string = tenant().tenantId
+
+resource resSubscription 'Microsoft.Subscription/aliases@2021-10-01' = {
+ name: parSubscriptionName
+ properties: {
+ additionalProperties: {
+ tags: parTags
+ managementGroupId: empty(parManagementGroupId) ? null : managementGroup(parManagementGroupId)
+ subscriptionOwnerId: empty(parSubscriptionOwnerId) ? null : parSubscriptionOwnerId
+ subscriptionTenantId: parTenantId
+ }
+ displayName: parSubscriptionName
+ billingScope: parSubscriptionBillingScope
+ workload: parSubscriptionOfferType
+ }
+}
+
+output outSubscriptionName string = resSubscription.name
+output outSubscriptionId string = resSubscription.properties.subscriptionId
diff --git a/dependencies/infra-as-code/bicep/bicepconfig.json b/dependencies/infra-as-code/bicep/bicepconfig.json
new file mode 100644
index 00000000..d43536e6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/bicepconfig.json
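Review bot: `managementGroupId: empty(parManagementGroupId) ? null : managementGroup(parManagementGroupId)` hands the result of the `managementGroup()` function to a property whose name and parameter description describe an ID, while that function evaluates to an object describing the management group rather than its resource ID. If the alias API expects the ID string this looks like it should be `managementGroup(parManagementGroupId).id` (or `tenantResourceId('Microsoft.Management/managementGroups', parManagementGroupId)` as the definitions modules do); otherwise the new subscription may land in the tenant's default management group, outside the policies and RBAC assigned to the intended parent, so a tenant-scoped deployment test with a non-empty parManagementGroupId is worth adding. Separately, the VERSION note names the added property `subscriptionTenantId` while the parameter is `parTenantId`; aligning the changelog with the parameter name keeps it searchable.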
@@ -0,0 +1,98 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": true,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "error"
+ },
+ "artifacts-parameters": {
+ "level": "error"
+ },
+ "decompiler-cleanup": {
+ "level": "error"
+ },
+ "max-outputs": {
+ "level": "error"
+ },
+ "max-params": {
+ "level": "error"
+ },
+ "max-resources": {
+ "level": "error"
+ },
+ "max-variables": {
+ "level": "error"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "error"
+ },
+ "no-hardcoded-location": {
+ "level": "error"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "error"
+ },
+ "no-unnecessary-dependson": {
+ "level": "error"
+ },
+ "no-unused-existing-resources": {
+ "level": "error"
+ },
+ "no-unused-params": {
+ "level": "error"
+ },
+ "no-unused-vars": {
+ "level": "error"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "error"
+ },
+ "prefer-interpolation": {
+ "level": "error"
+ },
+ "prefer-unquoted-property-names": {
+ "level": "error"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "error"
+ },
+ "secure-parameter-default": {
+ "level": "error"
+ },
+ "secure-params-in-nested-deploy": {
+ "level": "error"
+ },
+ "secure-secrets-in-params": {
+ "level": "error"
+ },
+ "simplify-interpolation": {
+ "level": "error"
+ },
+ "simplify-json-null": {
+ "level": "error"
+ },
+ "use-parent-property": {
+ "level": "error"
+ },
+ "use-recent-api-versions": {
+ "level": "warning",
+ "maxAllowedAgeInDays": 730
+ },
+ "use-resource-id-functions": {
+ "level": "error"
+ },
+ "use-resource-symbol-reference": {
+ "level": "error"
+ },
+ "use-stable-resource-identifiers": {
+ "level": "error"
+ },
+ "use-stable-vm-image": {
+ "level": "error"
+ }
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/README.md b/dependencies/infra-as-code/bicep/modules/README.md
new file mode 100644
index 00000000..d252a94a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/README.md
@@ -0,0 +1,21 @@
+# ALZ-Bicep Modules
+
+This directory contains all of the modules required to deploy the [Azure Landing Zone Conceptual Architecture][caf_alz_architecture].
+
+Checkout the [Getting Started](#getting-started) section below for details on where to start, pre-requisites and more.
+
+## Getting Started
+
+To get started with ALZ Bicep, please refer to the [Deployment Flow wiki page][wiki_deployment_flow] for:
+
+1. Prerequisites and dependencies for the overall implementation.
+2. High-level deployment flow.
+3. Links to more detailed instructions on individual modules.
+
+
+ [//]: # (************************)
+ [//]: # (INSERT LINK LABELS BELOW)
+ [//]: # (************************)
+
+[caf_alz_architecture]: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#azure-landing-zone-conceptual-architecture "CAF - ALZ Accelerator"
+[wiki_deployment_flow]: https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow "Wiki - Deployment Flow"
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md
new file mode 100644
index 00000000..c288fa97
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md
@@ -0,0 +1,120 @@
+# Module: Custom Role Definitions
+
+This module defines custom roles based on the recommendations from the Azure Landing Zone Conceptual Architecture. The role definitions are defined in [Identity and access management](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management) recommendations.
+
+Module supports the following custom roles:
+
+- [*ManagementGroupId] Subscription owner
+- [*ManagementGroupId] Application owners (DevOps/AppOps)
+- [*ManagementGroupId] Network management (NetOps)
+- [*ManagementGroupId] Security operations (SecOps)
+
+*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Azure AD tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary).
+For example, if the `ManagementGroupId` = **alz**, then each role will have this prefix **[alz]** like `[alz] Subscription owner`. See the [example output deployment](#example-deployment-output) below.
+
+## Parameters
+
+- [Parameters for Azure Commercial Cloud](generateddocs/customRoleDefinitions.bicep.md)
+- [Parameters for Azure China Cloud](generateddocs/mc-customRoleDefinitions.bicep.md)
+
+## Outputs
+
+The module will generate the following outputs:
+
+| Output | Type | Example |
+| -------------------------------- | ------ | ---------------------------------------------------------------------------- |
+| outRolesSubscriptionOwnerRoleId | string | Microsoft.Authorization/roleDefinitions/8736d87d-8d31-53be-b952-a04c8d470f69 |
+| outRolesApplicationOwnerRoleId | string | Microsoft.Authorization/roleDefinitions/4308c4e6-07d5-534f-9e18-32769872a3f4 |
+| outRolesNetworkManagementRoleId | string | Microsoft.Authorization/roleDefinitions/4a200286-e2a0-5239-aa8f-fe0a90dd2eb5 |
+| outRolesSecurityOperationsRoleId | string | Microsoft.Authorization/roleDefinitions/b2960c40-d3db-5190-94c1-5b07c9547956 |
+
+## Deployment
+
+There are two different sets of deployment; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to the following resource provider which is not returned in the list of providers from Azure Resource Manager in Azure China cloud.
+
+> Microsoft.Support resource provider is not supported because Azure support in China regions is independently operated and provided by 21Vianet.
+
+ | Azure Cloud | Bicep template | Input parameters file |
+ | -------------- | ------------------------------ | ------------------------------------------------- |
+ | Global regions | customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.json |
+ | China regions | mc-customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.json |
+
+In this example, the custom roles will be deployed to the `alz` management group (the intermediate root management group).
+
+Input parameter file `parameters/customRoleDefinitions.parameters.all.json` defines the assignable scope for the roles. In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+
+# Management Group ID
+MGID="alz"
+
+# Chosen Azure Region
+LOCATION="eastus"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-CustomRoleDefsDeployment-${dateYMD}"
+TEMPLATEFILE="infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+
+# Management Group ID
+MGID="alz"
+
+# Chosen Azure Region
+LOCATION="chinaeast2"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-CustomRoleDefsDeployment-${dateYMD}"
+TEMPLATEFILE="infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+
+$inputObject = @{
+ DeploymentName = 'alz-CustomRoleDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'eastus'
+ ManagementGroupId = 'alz'
+ TemplateFile = 
"infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+OR
+```powershell
+# For Azure China regions
+
+$inputObject = @{
+ DeploymentName = 'alz-CustomRoleDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'chinaeast2'
+ ManagementGroupId = 'alz'
+ TemplateFile = "infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+
+#### Example Deployment Output
+
+![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output")
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
new file mode 100644
index 00000000..7b44457b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
@@ -0,0 +1,53 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Custom Role Definitions'
+metadata description ='Custom Role Definitions for ALZ Bicep'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string = 'alz'
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '032d0904-3d50-45ef-a6c1-baa9d82e23ff'
+
+module modRolesSubscriptionOwnerRole 'definitions/cafSubscriptionOwnerRole.bicep' = {
+ name: 'deploy-subscription-owner-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesApplicationOwnerRole 'definitions/cafApplicationOwnerRole.bicep' = {
+ name: 'deploy-application-owner-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesNetworkManagementRole 'definitions/cafNetworkManagementRole.bicep' = {
+ name: 'deploy-network-management-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesSecurityOperationsRole 'definitions/cafSecurityOperationsRole.bicep' = {
+ name: 'deploy-security-operations-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+output outRolesSubscriptionOwnerRoleId string = modRolesSubscriptionOwnerRole.outputs.outRoleDefinitionId
+output outRolesApplicationOwnerRoleId string = modRolesApplicationOwnerRole.outputs.outRoleDefinitionId
+output outRolesNetworkManagementRoleId string = modRolesNetworkManagementRole.outputs.outRoleDefinitionId
+output outRolesSecurityOperationsRoleId string = modRolesSecurityOperationsRole.outputs.outRoleDefinitionId
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep
new file mode 100644
index 00000000..554ba438
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep
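Review bot: `param parAssignableScopeManagementGroupId string = 'alz'` fixes the assignable scope to a hard-coded management group, while each of the four definitions modules it calls builds the role name from `managementGroup().name`, i.e. the management group the deployment actually runs against. When the two differ — a deployment into a differently named management group that keeps the default — the role carries that group's prefix but is assignable only at `alz`, and the README's argument that the prefix keeps role names unique per environment no longer holds. Either drop the default so callers must state the scope, or make the coupling explicit in the description, e.g. `@sys.description('The management group ID used for assignableScopes. Expected to be the management group this module is deployed to, since role names are prefixed with that group\'s name.')`. The same name-versus-scope coupling exists in cafSubscriptionOwnerRole, cafApplicationOwnerRole, cafNetworkManagementRole and cafSecurityOperationsRole.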
@@ -0,0 +1,41 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Application Owner Role'
+metadata description = 'Role for Application Owners'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Application owners (DevOps/AppOps)'
+ description: 'Contributor role granted for application/operations team at resource group level'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*'
+ ]
+ notActions: [
+ 'Microsoft.Authorization/*/write'
+ 'Microsoft.Network/publicIPAddresses/write'
+ 'Microsoft.Network/virtualNetworks/write'
+ 'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+ ]
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep
new file mode 100644
index 00000000..a46964a7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep
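Review bot: With `actions: ['*']` the `notActions` list is what bounds this role, and it excludes only `Microsoft.Authorization/*/write`; the built-in Contributor that the description says this mirrors also excludes `Microsoft.Authorization/*/delete`, so as written the role can remove role assignments and other authorization resources at its scope, which is exactly the drift a delegated app-owner role is meant to rule out. The single-resource exclusions also do not reach child resources — `Microsoft.Network/virtualNetworks/write` does not match `Microsoft.Network/virtualNetworks/subnets/write` — so subnet-level changes (NSG and route-table associations) remain allowed even though network configuration is meant to sit with the NetOps role. Consider adding `'Microsoft.Authorization/*/delete'` and `'Microsoft.Network/virtualNetworks/subnets/write'` to notActions, with a short comment explaining that the list intentionally tracks Contributor's exclusions. The same two gaps apply to cafSubscriptionOwnerRole.bicep, where `Microsoft.Network/routeTables/write` leaves `Microsoft.Network/routeTables/routes/write` open.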
@@ -0,0 +1,39 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Network Management Role'
+metadata description = 'Role for Network Management'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Network management (NetOps)'
+ description: 'Platform-wide global connectivity management: Virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ 'Microsoft.Network/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Support/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep
new file mode 100644
index 00000000..58d2b5da
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep
@@ -0,0 +1,47 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Security Operations Role'
+metadata description = 'Role for Security Operations'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Security operations (SecOps)'
+ description: 'Security administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ '*/register/action'
+ 'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+ 'Microsoft.PolicyInsights/*'
+ 'Microsoft.Authorization/policyAssignments/*'
+ 'Microsoft.Authorization/policyDefinitions/*'
+ 'Microsoft.Authorization/policyExemptions/*'
+ 'Microsoft.Authorization/policySetDefinitions/*'
+ 'Microsoft.Insights/alertRules/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Security/*'
+ 'Microsoft.Support/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep
new file mode 100644
index 00000000..797d02d3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep
@@ -0,0 +1,42 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Subscription Owner Role'
+metadata description = 'Role for Subscription Owners'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Subscription owner'
+ description: 'Delegated role for subscription owner derived from subscription Owner role'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*'
+ ]
+ notActions: [
+ 'Microsoft.Authorization/*/write'
+ 'Microsoft.Network/vpnGateways/*'
+ 'Microsoft.Network/expressRouteCircuits/*'
+ 'Microsoft.Network/routeTables/write'
+ 'Microsoft.Network/vpnSites/*'
+ ]
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafNetworkManagementRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafNetworkManagementRole.bicep.md
new file mode 100644
index 00000000..abe00273
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafNetworkManagementRole.bicep.md
@@ -0,0 +1,40 @@ +# ALZ Bicep - Network Management Role + +Role for Network Management + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafSecurityOperationsRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafSecurityOperationsRole.bicep.md new file mode 100644 index 00000000..12d7aa40 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafSecurityOperationsRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Security Operations Role + +Role for Security Operations + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep new file mode 100644 index 00000000..65ba11bf --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep 
@@ -0,0 +1,37 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Network Management Role'
+metadata description = 'Role for Network Management'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Network management (NetOps)'
+ description: 'Platform-wide global connectivity management: Virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ 'Microsoft.Network/*'
+ 'Microsoft.Resources/deployments/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep
new file mode 100644
index 00000000..254b7600
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep
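Review bot: The China variant drops `type: 'CustomRole'` from `properties`, which its global counterpart cafNetworkManagementRole.bicep sets; the service presumably defaults the role type, but the two files otherwise mirror each other and the only intended difference per the README is the removal of `Microsoft.Support/*`, so the omission reads as accidental and makes future comparisons between the variants noisier. Add `type: 'CustomRole'` after the `description:` line to keep them aligned; the same applies to mc-cafSecurityOperationsRole.bicep. A one-line comment above the actions list, `// Microsoft.Support/* intentionally omitted: the provider is not available in Azure China (see README)`, would record why the two lists differ without readers having to diff the files.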
@@ -0,0 +1,45 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Security Operations Role'
+metadata description = 'Role for Security Operations'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Security operations (SecOps)'
+ description: 'Security administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ '*/register/action'
+ 'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+ 'Microsoft.PolicyInsights/*'
+ 'Microsoft.Authorization/policyAssignments/*'
+ 'Microsoft.Authorization/policyDefinitions/*'
+ 'Microsoft.Authorization/policyExemptions/*'
+ 'Microsoft.Authorization/policySetDefinitions/*'
+ 'Microsoft.Insights/alertRules/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Security/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafApplicationOwnerRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafApplicationOwnerRole.bicep.md
new file mode 100644
index 00000000..c7cd819a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafApplicationOwnerRole.bicep.md @@ -0,0 +1,40 @@ +# ALZ Bicep - Application Owner Role + +Role for Application Owners + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafNetworkManagementRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafNetworkManagementRole.bicep.md new file mode 100644 index 00000000..63f8fe8c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafNetworkManagementRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Network Management Role + +Role for Network Management + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSecurityOperationsRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSecurityOperationsRole.bicep.md new file mode 100644 index 00000000..56ce46d3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSecurityOperationsRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Security Operations Role + +Role for Security Operations + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSubscriptionOwnerRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSubscriptionOwnerRole.bicep.md new file mode 100644 index 00000000..135e4040 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSubscriptionOwnerRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Subscription Owner Role + +Role for Subscription Owners + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md new file mode 100644 index 00000000..1e25021f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md 
@@ -0,0 +1,57 @@ +# ALZ Bicep - Custom Role Definitions + +Custom Role Definitions for ALZ Bicep + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | No | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +- Default value: `alz` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRolesSubscriptionOwnerRoleId | string | +outRolesApplicationOwnerRoleId | string | +outRolesNetworkManagementRoleId | string | +outRolesSecurityOperationsRoleId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/mc-customRoleDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/mc-customRoleDefinitions.bicep.md new file mode 100644 index 00000000..2496911d 
--- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/mc-customRoleDefinitions.bicep.md @@ -0,0 +1,57 @@ +# ALZ Bicep - Custom Role Definitions + +Custom Role Definitions + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | No | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +- Default value: `alz` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRolesSubscriptionOwnerRoleId | string | +outRolesApplicationOwnerRoleId | string | +outRolesNetworkManagementRoleId | string | +outRolesSecurityOperationsRoleId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep new file mode 100644 index 00000000..4d752ce4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep 
@@ -0,0 +1,53 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Custom Role Definitions'
+metadata description ='Custom Role Definitions'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string = 'alz'
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '032d0904-3d50-45ef-a6c1-baa9d82e23ff'
+
+module modRolesSubscriptionOwnerRole 'definitions/cafSubscriptionOwnerRole.bicep' = {
+ name: 'deploy-subscription-owner-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesApplicationOwnerRole 'definitions/cafApplicationOwnerRole.bicep' = {
+ name: 'deploy-application-owner-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesNetworkManagementRole 'definitions/china/mc-cafNetworkManagementRole.bicep' = {
+ name: 'deploy-network-management-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesSecurityOperationsRole 'definitions/china/mc-cafSecurityOperationsRole.bicep' = {
+ name: 'deploy-security-operations-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} + +output outRolesSubscriptionOwnerRoleId string = modRolesSubscriptionOwnerRole.outputs.outRoleDefinitionId +output outRolesApplicationOwnerRoleId string = modRolesApplicationOwnerRole.outputs.outRoleDefinitionId +output outRolesNetworkManagementRoleId string = modRolesNetworkManagementRole.outputs.outRoleDefinitionId +output outRolesSecurityOperationsRoleId string = modRolesSecurityOperationsRole.outputs.outRoleDefinitionId diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png new file mode 100644 index 00000000..7d5251e8 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png differ diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png new file mode 100644 index 00000000..a664620b Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png differ diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json new file mode 100644 index 00000000..c0c35c39 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json 
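Review bot: `metadata description ='Custom Role Definitions'` is inconsistent with the `metadata name = ...` line directly above it (no space after `=`) and, unlike the file name `mc-customRoleDefinitions.bicep`, does not say this is the Azure China variant, so the generated docs for this module and for `customRoleDefinitions.bicep` read almost identically; `metadata description = 'Custom Role Definitions for Azure China regions'` would make them distinguishable. The module also mixes global definitions (`definitions/cafSubscriptionOwnerRole.bicep`, `definitions/cafApplicationOwnerRole.bicep`) with China-specific ones (`definitions/china/mc-cafNetworkManagementRole.bicep`, `definitions/china/mc-cafSecurityOperationsRole.bicep`); if that is intentional because only the network and security roles carry cloud-specific permissions, a one-line comment above the first `module` saying so would stop a later maintainer from "correcting" it. The hunk starts on the previous line.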
@@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json new file mode 100644 index 00000000..c0c35c39 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep new file mode 100644 index 00000000..c7da5bdd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep @@ -0,0 +1,25 @@ +// +// Baseline deployment sample +// + +// Use this sample to deploy the baseline resource configuration. + +targetScope = 'managementGroup' + + +// ---------- +// PARAMETERS +// ---------- + +// --------- +// RESOURCES +// --------- + +@description('Baseline resource configuration') +module baseline_custom_role_definitions '../customRoleDefinitions.bicep' = { + name: 'custom_role_definition' + params: { + parAssignableScopeManagementGroupId: 'alz' + parTelemetryOptOut: false + } +} 
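Review bot: `customRoleDefinitions.parameters.min.json` is byte-identical to `customRoleDefinitions.parameters.all.json` (both file headers carry the same blob id `c0c35c39`), so the "minimum" file does not show the minimal input. Both parameters have defaults (`alz` and `false` in the generated docs added by this commit), so the min file can shrink to `"parameters": {}`, which is also what `samples/minimum.sample.bicep` in this commit does by passing no params. Both files also end without a trailing newline (`\ No newline at end of file`); adding one keeps future diffs of these files clean.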
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/baseline.sample.bicep.md new file mode 100644 index 00000000..f7c23f39 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/baseline.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..3da047f1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep new file mode 100644 index 00000000..81b71ebc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep 
@@ -0,0 +1,21 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_custom_role_definitions '../customRoleDefinitions.bicep' = {
+ name: 'custom_role_definition'
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/README.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/README.md new file mode 100644
index 00000000..da89c093
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/README.md
@@ -0,0 +1,177 @@ +# Module: Hub-Networking + +This module defines hub networking based on the recommendations from the Azure Landing Zone Conceptual Architecture. + +Module deploys the following resources: + +- Virtual Network (VNet) +- Subnets +- VPN Gateway/ExpressRoute Gateway +- Azure Firewall +- Azure Firewall Policies +- Private DNS Zones +- DDoS Network Protection Plan +- Bastion +- Route Table + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/hubNetworking.bicep.md) + +> **NOTE:** +> - Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. +> +> - When deploying using the `parameters/hubNetworking.parameters.all.json` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region or geo code, for Azure Backup. Failure to do so will cause these services to be unreachable over private endpoints. 
+> +> For example, if deploying to East US the following zone entries: +> - `privatelink.xxxxxx.azmk8s.io` +> - `privatelink.xxxxxx.backup.windowsazure.com` +> - `privatelink.xxxxxx.batch.azure.com` +> +> Will become: +> - `privatelink.eastus.azmk8s.io` +> - `privatelink.eus.backup.windowsazure.com` +> - `privatelink.eastus.batch.azure.com` +> +> See child module, [`privateDnsZones.bicep` docs](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/privateDnsZones#dns-zones) for more info on how this works + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| ------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| outAzFirewallPrivateIp | string | 192.168.100.1 | +| outAzFirewallName | string | MyAzureFirewall | +| outDdosPlanResourceId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan | +| outPrivateDnsZones | array | `[{"name":"privatelink.azurecr.io","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"},{"name":"privatelink.azurewebsites.net","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"}]` | +| outPrivateDnsZonesNames | array | `["privatelink.azurecr.io", "privatelink.azurewebsites.net"]` | +| outHubVirtualNetworkName | array | MyHubVirtualNetworkName | +| outHubVirtualNetworkId | array | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/my-hub-vnet | + +## Deployment +> **Note:** `bicepconfig.json` 
file is included in the module directory. This file allows us to override Bicep Linters. Currently there are two URLs which were removed because of linter warnings. URLs removed are the following: database.windows.net and core.windows.net + +In this example, the hub resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the hub resources should be deployed into the Platform connectivity subscription. During the deployment step, we will take the default values and not pass any parameters. + +There are two different sets of input parameters; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to different private DNS zone names for Azure services in Azure global regions and Azure China. The recommended private DNS zone names are available [here](https://learn.microsoft.com/azure/private-link/private-endpoint-dns). Other differences in Azure China regions are as follow: +- DDoS Protection feature is not available. parDdosEnabled parameter is set as false. +- The SKUs available for an ExpressRoute virtual network gateway are Standard, HighPerformance and UltraPerformance. Sku is set as "Standard" in the example parameters file. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ------------------- | ----------------------------------------------- | + | Global regions | hubNetworking.bicep | parameters/hubNetworking.parameters.all.json | + | China regions | hubNetworking.bicep | parameters/mc-hubNetworking.parameters.all.json | + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
+ +### Azure CLI +```bash +# For Azure global regions + +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" + +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-HubNetworkingDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-hub-networking-001" +TEMPLATEFILE="infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" +PARAMETERS="@infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json" + +az group create --location eastus \ + --name $GROUP + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" + +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-HubNetworkingDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-hub-networking-001" +TEMPLATEFILE="infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" +PARAMETERS="@infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json" + +az group create --location chinaeast2 \ + --name $GROUP + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set Platform management subscription ID as the the current subscription +$ManagementSubscriptionId = "[your platform management subscription ID]" + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-HubNetworkingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-hub-networking-001" + TemplateFile = "infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json" +} + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'eastus' + +New-AzResourceGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-HubNetworkingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-hub-networking-001" + TemplateFile = "infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json" +} + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'chinaeast2' + +New-AzResourceGroupDeployment @inputObject +``` +## Example Output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") + +## Example Output in Azure China regions +![Example Deployment Output](media/mc-exampleDeploymentOutput.png "Example Deployment Output in Azure China") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json new file mode 100644 index 00000000..ad3802e9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json 
@@ -0,0 +1,124 @@ +{ + "analyzers": { + "core": { + "enabled": true, + "verbose": true, + "rules": { + "adminusername-should-not-be-literal": { + "level": "error" + }, + "artifacts-parameters": { + "level": "error" + }, + "decompiler-cleanup": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" + }, + "no-hardcoded-env-urls": { + "level": "error", + "disallowedhosts": [ + "management.core.windows.net", + "gallery.azure.com", + "management.core.windows.net", + "management.azure.com", + "login.microsoftonline.com", + "graph.windows.net", + "trafficmanager.net", + "vault.azure.net", + "datalake.azure.net", + "azuredatalakestore.net", + "azuredatalakeanalytics.net", + "vault.azure.net", + "api.loganalytics.io", + "api.loganalytics.iov1", + "asazure.windows.net", + "region.asazure.windows.net", + "api.loganalytics.iov1", + "api.loganalytics.io", + "asazure.windows.net", + "region.asazure.windows.net", + "batch.core.windows.net" + ], + "excludedhosts": [ + "schema.management.azure.com" + ] + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "no-unnecessary-dependson": { + "level": "error" + }, + "no-unused-existing-resources": { + "level": "error" + }, + "no-unused-params": { + "level": "error" + }, + "no-unused-vars": { + "level": "error" + }, + "outputs-should-not-contain-secrets": { + "level": "error" + }, + "prefer-interpolation": { + "level": "error" + }, + "prefer-unquoted-property-names": { + "level": "error" + }, + "protect-commandtoexecute-secrets": { + "level": "error" + }, + "secure-parameter-default": { + "level": "error" + }, + "secure-params-in-nested-deploy": { + "level": "error" + }, + "secure-secrets-in-params": { + "level": "error" + }, + "simplify-interpolation": { + "level": "error" + }, + "simplify-json-null": { + "level": "error" + }, + 
"use-parent-property": { + "level": "error" + }, + "use-recent-api-versions": { + "level": "warning", + "maxAllowedAgeInDays": 730 + }, + "use-resource-id-functions": { + "level": "error" + }, + "use-resource-symbol-reference": { + "level": "error" + }, + "use-stable-resource-identifiers": { + "level": "error" + }, + "use-stable-vm-image": { + "level": "error" + } + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md new file mode 100644 index 00000000..738a4cb1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md 
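Review bot: The `disallowedhosts` array under `no-hardcoded-env-urls` lists `management.core.windows.net`, `vault.azure.net`, `api.loganalytics.io`, `api.loganalytics.iov1`, `asazure.windows.net` and `region.asazure.windows.net` twice each, and omits `core.windows.net` and `database.windows.net`, which the hubNetworking README in this commit says were dropped to silence linter warnings. This rule is the check that catches endpoints hard-coded for a single cloud, and the module is documented as deployable to Azure China, so the omission is a deliberate narrowing of a portability/security lint rather than a cleanup and deserves to be visible from this file. JSON allows no comments, so dedupe the list here and have the README sentence name the rule (`no-hardcoded-env-urls`) and this file so the two stay in sync. The hunk starts on the previous line.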
@@ -0,0 +1,589 @@ +# ALZ Bicep - Hub Networking Module + +ALZ Bicep Module used to set up Hub Networking + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | The Azure Region to deploy the resources into. +parCompanyPrefix | No | Prefix value which will be prepended to all resource names. +parHubNetworkName | No | Name for Hub Network. +parHubNetworkAddressPrefix | No | The IP address range for Hub Network. +parSubnets | No | The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks. +parDnsServerIps | No | Array of DNS Server IP addresses for VNet. +parPublicIpSku | No | Public IP Address SKU. +parPublicIpPrefix | No | Optional Prefix for Public IPs. Include a succedent dash if required. Example: prefix- +parPublicIpSuffix | No | Optional Suffix for Public IPs. Include a preceding dash if required. Example: -suffix +parAzBastionEnabled | No | Switch to enable/disable Azure Bastion deployment. +parAzBastionName | No | Name Associated with Bastion Service. +parAzBastionSku | No | Azure Bastion SKU. +parAzBastionTunneling | No | Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client +parAzBastionNsgName | No | Name for Azure Bastion Subnet NSG. +parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. +parDdosPlanName | No | DDoS Plan Name. +parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deployment. +parAzFirewallName | No | Azure Firewall Name. +parAzFirewallPoliciesName | No | Azure Firewall Policies Name. +parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy. +parAzFirewallAvailabilityZones | No | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. 
If it does not then leave empty. +parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. +parAzVpnGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. +parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. +parHubRouteTableName | No | Name of Route table to create for the default route of Hub. +parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. +parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment. +parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones. +parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones +parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. +parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": { "value": {} } +parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": { "value": {} } +parTags | No | Tags you would like to be applied to all resources in this module. 
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. +parBastionOutboundSshRdpPorts | No | Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Region to deploy the resources into. + +- Default value: `[resourceGroup().location]` + +### parCompanyPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix value which will be prepended to all resource names. + +- Default value: `alz` + +### parHubNetworkName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name for Hub Network. + +- Default value: `[format('{0}-hub-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parHubNetworkAddressPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The IP address range for Hub Network. + +- Default value: `10.10.0.0/16` + +### parSubnets + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks. + +- Default value: ` ` + +### parDnsServerIps + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of DNS Server IP addresses for VNet. + +### parPublicIpSku + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Public IP Address SKU. + +- Default value: `Standard` + +- Allowed values: `Basic`, `Standard` + +### parPublicIpPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Prefix for Public IPs. Include a succedent dash if required. 
Example: prefix- + +### parPublicIpSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Suffix for Public IPs. Include a preceding dash if required. Example: -suffix + +- Default value: `-PublicIP` + +### parAzBastionEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Bastion deployment. + +- Default value: `True` + +### parAzBastionName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name Associated with Bastion Service. + +- Default value: `[format('{0}-bastion', parameters('parCompanyPrefix'))]` + +### parAzBastionSku + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Bastion SKU. + +- Default value: `Standard` + +- Allowed values: `Basic`, `Standard` + +### parAzBastionTunneling + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client + +- Default value: `False` + +### parAzBastionNsgName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name for Azure Bastion Subnet NSG. + +- Default value: `nsg-AzureBastionSubnet` + +### parDdosEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable DDoS Network Protection deployment. + +- Default value: `True` + +### parDdosPlanName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +DDoS Plan Name. 
+ +- Default value: `[format('{0}-ddos-plan', parameters('parCompanyPrefix'))]` + +### parAzFirewallEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Firewall deployment. + +- Default value: `True` + +### parAzFirewallName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Name. + +- Default value: `[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parAzFirewallPoliciesName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Policies Name. + +- Default value: `[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parAzFirewallTier + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Tier associated with the Firewall to deploy. + +- Default value: `Standard` + +- Allowed values: `Basic`, `Standard`, `Premium` + +### parAzFirewallAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. + +- Allowed values: `1`, `2`, `3` + +### parAzErGatewayAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. + +- Allowed values: `1`, `2`, `3` + +### parAzVpnGatewayAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the VPN/ER PIP across. 
Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. + +- Allowed values: `1`, `2`, `3` + +### parAzFirewallDnsProxyEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Firewall DNS Proxy. + +- Default value: `True` + +### parHubRouteTableName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name of Route table to create for the default route of Hub. + +- Default value: `[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]` + +### parDisableBgpRoutePropagation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable BGP Propagation on route table. + +- Default value: `False` + +### parPrivateDnsZonesEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Private DNS Zones deployment. + +- Default value: `True` + +### parPrivateDnsZonesResourceGroup + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource Group Name for Private DNS Zones. + +- Default value: `[resourceGroup().name]` + +### parPrivateDnsZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of DNS Zones to provision in Hub Virtual Network. 
Default: All known Azure Private DNS Zones + +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net 
privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` + +### parPrivateDnsZoneAutoMergeAzureBackupZone + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. + +- Default value: `True` + +### parVpnGatewayConfig + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. +"parVpnGatewayConfig": { + "value": {} +} + +- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` + +### parExpressRouteGatewayConfig + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
+"parExpressRouteGatewayConfig": { + "value": {} +} + +- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +### parBastionOutboundSshRdpPorts + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion. 
+ +- Default value: `22 3389` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outAzFirewallPrivateIp | string | +outAzFirewallName | string | +outPrivateDnsZones | array | +outPrivateDnsZonesNames | array | +outDdosPlanResourceId | string | +outHubVirtualNetworkName | string | +outHubVirtualNetworkId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/hubNetworking/hubNetworking.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parCompanyPrefix": { + "value": "alz" + }, + "parHubNetworkName": { + "value": "[format('{0}-hub-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parHubNetworkAddressPrefix": { + "value": "10.10.0.0/16" + }, + "parSubnets": { + "value": [ + { + "name": "AzureBastionSubnet", + "ipAddressRange": "10.10.15.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "GatewaySubnet", + "ipAddressRange": "10.10.252.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "AzureFirewallSubnet", + "ipAddressRange": "10.10.254.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.10.253.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + } + ] + }, + "parDnsServerIps": { + "value": [] + }, + "parPublicIpSku": { + "value": "Standard" + }, + "parPublicIpPrefix": { + "value": "" + }, + "parPublicIpSuffix": { + "value": "-PublicIP" + }, + "parAzBastionEnabled": { + "value": true + }, + "parAzBastionName": { + "value": "[format('{0}-bastion', parameters('parCompanyPrefix'))]" + }, + "parAzBastionSku": { + "value": "Standard" + }, + "parAzBastionTunneling": { + "value": false + }, + "parAzBastionNsgName": { + "value": 
"nsg-AzureBastionSubnet" + }, + "parDdosEnabled": { + "value": true + }, + "parDdosPlanName": { + "value": "[format('{0}-ddos-plan', parameters('parCompanyPrefix'))]" + }, + "parAzFirewallEnabled": { + "value": true + }, + "parAzFirewallName": { + "value": "[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parAzFirewallPoliciesName": { + "value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parAzFirewallTier": { + "value": "Standard" + }, + "parAzFirewallAvailabilityZones": { + "value": [] + }, + "parAzErGatewayAvailabilityZones": { + "value": [] + }, + "parAzVpnGatewayAvailabilityZones": { + "value": [] + }, + "parAzFirewallDnsProxyEnabled": { + "value": true + }, + "parHubRouteTableName": { + "value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]" + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parPrivateDnsZonesEnabled": { + "value": true + }, + "parPrivateDnsZonesResourceGroup": { + "value": "[resourceGroup().name]" + }, + "parPrivateDnsZones": { + "value": [ + "[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))]", + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + 
"privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "parPrivateDnsZoneAutoMergeAzureBackupZone": { + "value": true + }, + "parVpnGatewayConfig": { + "value": { + "name": 
"[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]", + "gatewayType": "Vpn", + "sku": "VpnGw1", + "vpnType": "RouteBased", + "generation": "Generation1", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": 65515, + "bgpPeeringAddress": "", + "peerWeight": 5 + } + } + }, + "parExpressRouteGatewayConfig": { + "value": { + "name": "[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]", + "gatewayType": "ExpressRoute", + "sku": "ErGw1AZ", + "vpnType": "RouteBased", + "vpnGatewayGeneration": "None", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parTags": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + }, + "parBastionOutboundSshRdpPorts": { + "value": [ + "22", + "3389" + ] + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep new file mode 100644 index 00000000..4a62a4d6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep 
@@ -0,0 +1,795 @@ +metadata name = 'ALZ Bicep - Hub Networking Module' +metadata description = 'ALZ Bicep Module used to set up Hub Networking' + +@sys.description('The Azure Region to deploy the resources into.') +param parLocation string = resourceGroup().location + +@sys.description('Prefix value which will be prepended to all resource names.') +param parCompanyPrefix string = 'alz' + +@sys.description('Name for Hub Network.') +param parHubNetworkName string = '${parCompanyPrefix}-hub-${parLocation}' + +@sys.description('The IP address range for Hub Network.') +param parHubNetworkAddressPrefix string = '10.10.0.0/16' + +@sys.description('The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks.') +param parSubnets array = [ + { + name: 'AzureBastionSubnet' + ipAddressRange: '10.10.15.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } + { + name: 'GatewaySubnet' + ipAddressRange: '10.10.252.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } + { + name: 'AzureFirewallSubnet' + ipAddressRange: '10.10.254.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } + { + name: 'AzureFirewallManagementSubnet' + ipAddressRange: '10.10.253.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } +] + +@sys.description('Array of DNS Server IP addresses for VNet.') +param parDnsServerIps array = [] + +@sys.description('Public IP Address SKU.') +@allowed([ + 'Basic' + 'Standard' +]) +param parPublicIpSku string = 'Standard' + +@sys.description('Optional Prefix for Public IPs. Include a succedent dash if required. Example: prefix-') +param parPublicIpPrefix string = '' + +@sys.description('Optional Suffix for Public IPs. Include a preceding dash if required. 
Example: -suffix') +param parPublicIpSuffix string = '-PublicIP' + +@sys.description('Switch to enable/disable Azure Bastion deployment.') +param parAzBastionEnabled bool = true + +@sys.description('Name Associated with Bastion Service.') +param parAzBastionName string = '${parCompanyPrefix}-bastion' + +@sys.description('Azure Bastion SKU.') +@allowed([ + 'Basic' + 'Standard' +]) +param parAzBastionSku string = 'Standard' + +@sys.description('Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client') +param parAzBastionTunneling bool = false + +@sys.description('Name for Azure Bastion Subnet NSG.') +param parAzBastionNsgName string = 'nsg-AzureBastionSubnet' + +@sys.description('Switch to enable/disable DDoS Network Protection deployment.') +param parDdosEnabled bool = true + +@sys.description('DDoS Plan Name.') +param parDdosPlanName string = '${parCompanyPrefix}-ddos-plan' + +@sys.description('Switch to enable/disable Azure Firewall deployment.') +param parAzFirewallEnabled bool = true + +@sys.description('Azure Firewall Name.') +param parAzFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}' + +@sys.description('Azure Firewall Policies Name.') +param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}' + +@sys.description('Azure Firewall Tier associated with the Firewall to deploy.') +@allowed([ + 'Basic' + 'Standard' + 'Premium' +]) +param parAzFirewallTier string = 'Standard' + +@allowed([ + '1' + '2' + '3' +]) +@sys.description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.') +param parAzFirewallAvailabilityZones array = [] + +@allowed([ + '1' + '2' + '3' +]) +@sys.description('Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. 
If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.') +param parAzErGatewayAvailabilityZones array = [] + +@allowed([ + '1' + '2' + '3' +]) +@sys.description('Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.') +param parAzVpnGatewayAvailabilityZones array = [] + +@sys.description('Switch to enable/disable Azure Firewall DNS Proxy.') +param parAzFirewallDnsProxyEnabled bool = true + +@sys.description('Name of Route table to create for the default route of Hub.') +param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable' + +@sys.description('Switch to enable/disable BGP Propagation on route table.') +param parDisableBgpRoutePropagation bool = false + +@sys.description('Switch to enable/disable Private DNS Zones deployment.') +param parPrivateDnsZonesEnabled bool = true + +@sys.description('Resource Group Name for Private DNS Zones.') +param parPrivateDnsZonesResourceGroup string = resourceGroup().name + +@sys.description('Array of DNS Zones to provision in Hub Virtual Network. 
Default: All known Azure Private DNS Zones') +param parPrivateDnsZones array = [ + 'privatelink.${toLower(parLocation)}.azmk8s.io' + 'privatelink.${toLower(parLocation)}.batch.azure.com' + 'privatelink.${toLower(parLocation)}.kusto.windows.net' + 'privatelink.adf.azure.com' + 'privatelink.afs.azure.net' + 'privatelink.agentsvc.azure-automation.net' + 'privatelink.analysis.windows.net' + 'privatelink.api.azureml.ms' + 'privatelink.azconfig.io' + 'privatelink.azure-api.net' + 'privatelink.azure-automation.net' + 'privatelink.azurecr.io' + 'privatelink.azure-devices.net' + 'privatelink.azure-devices-provisioning.net' + 'privatelink.azurehdinsight.net' + 'privatelink.azurehealthcareapis.com' + 'privatelink.azurestaticapps.net' + 'privatelink.azuresynapse.net' + 'privatelink.azurewebsites.net' + 'privatelink.batch.azure.com' + 'privatelink.blob.core.windows.net' + 'privatelink.cassandra.cosmos.azure.com' + 'privatelink.cognitiveservices.azure.com' + 'privatelink.database.windows.net' + 'privatelink.datafactory.azure.net' + 'privatelink.dev.azuresynapse.net' + 'privatelink.dfs.core.windows.net' + 'privatelink.dicom.azurehealthcareapis.com' + 'privatelink.digitaltwins.azure.net' + 'privatelink.directline.botframework.com' + 'privatelink.documents.azure.com' + 'privatelink.eventgrid.azure.net' + 'privatelink.file.core.windows.net' + 'privatelink.gremlin.cosmos.azure.com' + 'privatelink.guestconfiguration.azure.com' + 'privatelink.his.arc.azure.com' + 'privatelink.kubernetesconfiguration.azure.com' + 'privatelink.managedhsm.azure.net' + 'privatelink.mariadb.database.azure.com' + 'privatelink.media.azure.net' + 'privatelink.mongo.cosmos.azure.com' + 'privatelink.monitor.azure.com' + 'privatelink.mysql.database.azure.com' + 'privatelink.notebooks.azure.net' + 'privatelink.ods.opinsights.azure.com' + 'privatelink.oms.opinsights.azure.com' + 'privatelink.pbidedicated.windows.net' + 'privatelink.postgres.database.azure.com' + 'privatelink.prod.migration.windowsazure.com' + 
'privatelink.purview.azure.com' + 'privatelink.purviewstudio.azure.com' + 'privatelink.queue.core.windows.net' + 'privatelink.redis.cache.windows.net' + 'privatelink.redisenterprise.cache.azure.net' + 'privatelink.search.windows.net' + 'privatelink.service.signalr.net' + 'privatelink.servicebus.windows.net' + 'privatelink.siterecovery.windowsazure.com' + 'privatelink.sql.azuresynapse.net' + 'privatelink.table.core.windows.net' + 'privatelink.table.cosmos.azure.com' + 'privatelink.tip1.powerquery.microsoft.com' + 'privatelink.token.botframework.com' + 'privatelink.vaultcore.azure.net' + 'privatelink.web.core.windows.net' + 'privatelink.webpubsub.azure.com' +] + +@sys.description('Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.') +param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true + +//ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations +@sys.description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. +"parVpnGatewayConfig": { + "value": {} +}''') +param parVpnGatewayConfig object = { + name: '${parCompanyPrefix}-Vpn-Gateway' + gatewayType: 'Vpn' + sku: 'VpnGw1' + vpnType: 'RouteBased' + generation: 'Generation1' + enableBgp: false + activeActive: false + enableBgpRouteTranslationForNat: false + enableDnsForwarding: false + bgpPeeringAddress: '' + bgpsettings: { + asn: 65515 + bgpPeeringAddress: '' + peerWeight: 5 + } +} + +@sys.description('''Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
+"parExpressRouteGatewayConfig": {
+ "value": {}
+}''')
+param parExpressRouteGatewayConfig object = {
+ name: '${parCompanyPrefix}-ExpressRoute-Gateway'
+ gatewayType: 'ExpressRoute'
+ sku: 'ErGw1AZ'
+ vpnType: 'RouteBased'
+ vpnGatewayGeneration: 'None'
+ enableBgp: false
+ activeActive: false
+ enableBgpRouteTranslationForNat: false
+ enableDnsForwarding: false
+ bgpPeeringAddress: ''
+ bgpsettings: {
+ asn: '65515'
+ bgpPeeringAddress: ''
+ peerWeight: '5'
+ }
+}
+
+@sys.description('Tags you would like to be applied to all resources in this module.')
+param parTags object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+@sys.description('Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.')
+param parBastionOutboundSshRdpPorts array = [ '22', '3389' ]
+
+var varSubnetMap = map(range(0, length(parSubnets)), i => {
+ name: parSubnets[i].name
+ ipAddressRange: parSubnets[i].ipAddressRange
+ networkSecurityGroupId: contains(parSubnets[i], 'networkSecurityGroupId') ? parSubnets[i].networkSecurityGroupId : ''
+ routeTableId: contains(parSubnets[i], 'routeTableId') ? parSubnets[i].routeTableId : ''
+ delegation: contains(parSubnets[i], 'delegation') ? parSubnets[i].delegation : ''
+ })
+
+var varSubnetProperties = [for subnet in varSubnetMap: {
+ name: subnet.name
+ properties: {
+ addressPrefix: subnet.ipAddressRange
+
+ delegations: (empty(subnet.delegation)) ? null : [
+ {
+ name: subnet.delegation
+ properties: {
+ serviceName: subnet.delegation
+ }
+ }
+ ]
+
+ networkSecurityGroup: (subnet.name == 'AzureBastionSubnet' && parAzBastionEnabled) ? {
+ id: '${resourceGroup().id}/providers/Microsoft.Network/networkSecurityGroups/${parAzBastionNsgName}'
+ } : (empty(subnet.networkSecurityGroupId)) ? null : {
+ id: subnet.networkSecurityGroupId
+ }
+
+ routeTable: (empty(subnet.routeTableId)) ? 
null : {
+ id: subnet.routeTableId
+ }
+ }
+}]
+
+var varVpnGwConfig = ((!empty(parVpnGatewayConfig)) ? parVpnGatewayConfig : json('{"name": "noconfigVpn"}'))
+
+var varErGwConfig = ((!empty(parExpressRouteGatewayConfig)) ? parExpressRouteGatewayConfig : json('{"name": "noconfigEr"}'))
+
+var varGwConfig = [
+ varVpnGwConfig
+ varErGwConfig
+]
+
+// Customer Usage Attribution Id Telemetry
+var varCuaid = '2686e846-5fdc-4d4f-b533-16dcb09d6e6c'
+
+// ZTN Telemetry
+var varZtnP1CuaId = '3ab23b1e-c5c5-42d4-b163-1402384ba2db'
+var varZtnP1Trigger = (parDdosEnabled && parAzFirewallEnabled && (parAzFirewallTier == 'Premium')) ? true : false
+
+//DDos Protection plan will only be enabled if parDdosEnabled is true.
+resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-02-01' = if (parDdosEnabled) {
+ name: parDdosPlanName
+ location: parLocation
+ tags: parTags
+}
+
+resource resHubVnet 'Microsoft.Network/virtualNetworks@2023-02-01' = {
+ dependsOn: [
+ resBastionNsg
+ ]
+ name: parHubNetworkName
+ location: parLocation
+ tags: parTags
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ parHubNetworkAddressPrefix
+ ]
+ }
+ dhcpOptions: {
+ dnsServers: parDnsServerIps
+ }
+ subnets: varSubnetProperties
+ enableDdosProtection: parDdosEnabled
+ ddosProtectionPlan: (parDdosEnabled) ? 
{
+ id: resDdosProtectionPlan.id
+ } : null
+ }
+}
+
+module modBastionPublicIp '../publicIp/publicIp.bicep' = if (parAzBastionEnabled) {
+ name: 'deploy-Bastion-Public-IP'
+ params: {
+ parLocation: parLocation
+ parPublicIpName: '${parPublicIpPrefix}${parAzBastionName}${parPublicIpSuffix}'
+ parPublicIpSku: {
+ name: parPublicIpSku
+ }
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+resource resBastionSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = {
+ parent: resHubVnet
+ name: 'AzureBastionSubnet'
+}
+
+resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2023-02-01' = if (parAzBastionEnabled) {
+ name: parAzBastionNsgName
+ location: parLocation
+ tags: parTags
+
+ properties: {
+ securityRules: [
+ // Inbound Rules
+ {
+ name: 'AllowHttpsInbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 120
+ sourceAddressPrefix: 'Internet'
+ destinationAddressPrefix: '*'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowGatewayManagerInbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 130
+ sourceAddressPrefix: 'GatewayManager'
+ destinationAddressPrefix: '*'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowAzureLoadBalancerInbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 140
+ sourceAddressPrefix: 'AzureLoadBalancer'
+ destinationAddressPrefix: '*'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowBastionHostCommunication'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 150
+ sourceAddressPrefix: 'VirtualNetwork'
+ destinationAddressPrefix: 'VirtualNetwork'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRanges: [
+ '8080'
+ '5701'
+ ]
+ }
+ }
+ {
+ name: 
'DenyAllInbound'
+ properties: {
+ access: 'Deny'
+ direction: 'Inbound'
+ priority: 4096
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: '*'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '*'
+ }
+ }
+ // Outbound Rules
+ {
+ name: 'AllowSshRdpOutbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 100
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'VirtualNetwork'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRanges: parBastionOutboundSshRdpPorts
+ }
+ }
+ {
+ name: 'AllowAzureCloudOutbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 110
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'AzureCloud'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowBastionCommunication'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 120
+ sourceAddressPrefix: 'VirtualNetwork'
+ destinationAddressPrefix: 'VirtualNetwork'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRanges: [
+ '8080'
+ '5701'
+ ]
+ }
+ }
+ {
+ name: 'AllowGetSessionInformation'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 130
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'Internet'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '80'
+ }
+ }
+ {
+ name: 'DenyAllOutbound'
+ properties: {
+ access: 'Deny'
+ direction: 'Outbound'
+ priority: 4096
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: '*'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '*'
+ }
+ }
+ ]
+ }
+}
+
+// AzureBastionSubnet is required to deploy Bastion service. This subnet must exist in the parsubnets array if you enable Bastion Service.
+// There is a minimum subnet requirement of /27 prefix.
+// If you are deploying standard this needs to be larger. 
https://docs.microsoft.com/en-us/azure/bastion/configuration-settings#subnet
+resource resBastion 'Microsoft.Network/bastionHosts@2023-02-01' = if (parAzBastionEnabled) {
+ location: parLocation
+ name: parAzBastionName
+ tags: parTags
+ sku: {
+ name: parAzBastionSku
+ }
+ properties: {
+ dnsName: uniqueString(resourceGroup().id)
+ enableTunneling: (parAzBastionSku == 'Standard' && parAzBastionTunneling) ? parAzBastionTunneling : false
+ ipConfigurations: [
+ {
+ name: 'IpConf'
+ properties: {
+ subnet: {
+ id: resBastionSubnetRef.id
+ }
+ publicIPAddress: {
+ id: parAzBastionEnabled ? modBastionPublicIp.outputs.outPublicIpId : ''
+ }
+ }
+ }
+ ]
+ }
+}
+
+resource resGatewaySubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = {
+ parent: resHubVnet
+ name: 'GatewaySubnet'
+}
+
+module modGatewayPublicIp '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
+ name: 'deploy-Gateway-Public-IP-${i}'
+ params: {
+ parLocation: parLocation
+ parAvailabilityZones: gateway.gatewayType == 'ExpressRoute' ? parAzErGatewayAvailabilityZones : gateway.gatewayType == 'Vpn' ? 
parAzVpnGatewayAvailabilityZones : []
+ parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parPublicIpSku: {
+ name: parPublicIpSku
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+//Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
+resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
+ name: gateway.name
+ location: parLocation
+ tags: parTags
+ properties: {
+ activeActive: gateway.activeActive
+ enableBgp: gateway.enableBgp
+ enableBgpRouteTranslationForNat: gateway.enableBgpRouteTranslationForNat
+ enableDnsForwarding: gateway.enableDnsForwarding
+ bgpSettings: (gateway.enableBgp) ? gateway.bgpSettings : null
+ gatewayType: gateway.gatewayType
+ vpnGatewayGeneration: (gateway.gatewayType == 'VPN') ? gateway.generation : 'None'
+ vpnType: gateway.vpnType
+ sku: {
+ name: gateway.sku
+ tier: gateway.sku
+ }
+ ipConfigurations: [
+ {
+ id: resHubVnet.id
+ name: 'vnetGatewayConfig'
+ properties: {
+ publicIPAddress: {
+ id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? 
modGatewayPublicIp[i].outputs.outPublicIpId : 'na')
+ }
+ subnet: {
+ id: resGatewaySubnetRef.id
+ }
+ }
+ }
+ ]
+ }
+}]
+
+resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = {
+ parent: resHubVnet
+ name: 'AzureFirewallSubnet'
+}
+
+resource resAzureFirewallMgmtSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
+ parent: resHubVnet
+ name: 'AzureFirewallManagementSubnet'
+}
+
+module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled) {
+ name: 'deploy-Firewall-Public-IP'
+ params: {
+ parLocation: parLocation
+ parAvailabilityZones: parAzFirewallAvailabilityZones
+ parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}${parPublicIpSuffix}'
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parPublicIpSku: {
+ name: parPublicIpSku
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
+ name: 'deploy-Firewall-mgmt-Public-IP'
+ params: {
+ parLocation: parLocation
+ parAvailabilityZones: parAzFirewallAvailabilityZones
+ parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}-mgmt${parPublicIpSuffix}'
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parPublicIpSku: {
+ name: 'Standard'
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled) {
+ dependsOn:[resHubVnet, modAzureFirewallPublicIp, modAzureFirewallMgmtPublicIp]
+ name: parAzFirewallPoliciesName
+ location: parLocation
+ tags: parTags
+ properties: 
(parAzFirewallTier == 'Basic') ? {
+ sku: {
+ tier: parAzFirewallTier
+ }
+ } : {
+ dnsSettings: {
+ enableProxy: parAzFirewallDnsProxyEnabled
+ }
+ sku: {
+ tier: parAzFirewallTier
+ }
+ }
+}
+
+// AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy.
+// There is a minimum subnet requirement of /26 prefix.
+resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2023-02-01' = if (parAzFirewallEnabled) {
+ dependsOn: [
+ resGateway
+ ]
+ name: parAzFirewallName
+ location: parLocation
+ tags: parTags
+ zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : [])
+ properties: parAzFirewallTier == 'Basic' ? {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: resAzureFirewallSubnetRef.id
+ }
+ publicIPAddress: {
+ id: parAzFirewallEnabled ? modAzureFirewallPublicIp.outputs.outPublicIpId : ''
+ }
+ }
+ }
+ ]
+ managementIpConfiguration: {
+ name: 'mgmtIpConfig'
+ properties: {
+ publicIPAddress: {
+ id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.outputs.outPublicIpId : ''
+ }
+ subnet: {
+ id: resAzureFirewallMgmtSubnetRef.id
+ }
+ }
+ }
+ sku: {
+ name: 'AZFW_VNet'
+ tier: parAzFirewallTier
+ }
+ firewallPolicy: {
+ id: resFirewallPolicies.id
+ }
+ } : {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: resAzureFirewallSubnetRef.id
+ }
+ publicIPAddress: {
+ id: parAzFirewallEnabled ? modAzureFirewallPublicIp.outputs.outPublicIpId : ''
+ }
+ }
+ }
+ ]
+ sku: {
+ name: 'AZFW_VNet'
+ tier: parAzFirewallTier
+ }
+ firewallPolicy: {
+ id: resFirewallPolicies.id
+ }
+ }
+}
+
+//If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall. 
+resource resHubRouteTable 'Microsoft.Network/routeTables@2023-02-01' = if (parAzFirewallEnabled) {
+ name: parHubRouteTableName
+ location: parLocation
+ tags: parTags
+ properties: {
+ routes: [
+ {
+ name: 'udr-default-azfw'
+ properties: {
+ addressPrefix: '0.0.0.0/0'
+ nextHopType: 'VirtualAppliance'
+ nextHopIpAddress: parAzFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : ''
+ }
+ }
+ ]
+ disableBgpRoutePropagation: parDisableBgpRoutePropagation
+ }
+}
+
+module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPrivateDnsZonesEnabled) {
+ name: 'deploy-Private-DNS-Zones'
+ scope: resourceGroup(parPrivateDnsZonesResourceGroup)
+ params: {
+ parLocation: parLocation
+ parTags: parTags
+ parVirtualNetworkIdToLink: resHubVnet.id
+ parPrivateDnsZones: parPrivateDnsZones
+ parPrivateDnsZoneAutoMergeAzureBackupZone: parPrivateDnsZoneAutoMergeAzureBackupZone
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Optional Deployments for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}'
+ params: {}
+}
+
+module modCustomerUsageAttributionZtnP1 '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut && varZtnP1Trigger) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varZtnP1CuaId}-${uniqueString(resourceGroup().location)}'
+ params: {}
+}
+
+//If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall.
+output outAzFirewallPrivateIp string = parAzFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : ''
+
+//If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall.
+output outAzFirewallName string = parAzFirewallEnabled ? parAzFirewallName : ''
+
+output outPrivateDnsZones array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZones : [])
+output outPrivateDnsZonesNames array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZonesNames : [])
+
+output outDdosPlanResourceId string = resDdosProtectionPlan.id
+output outHubVirtualNetworkName string = resHubVnet.name
+output outHubVirtualNetworkId string = resHubVnet.id
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png
new file mode 100644
index 00000000..e41ce74d
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png
new file mode 100644
index 00000000..b20b5cc8
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png
new file mode 100644
index 00000000..06731339
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
new file mode 100644
index 00000000..686de4bd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
@@ -0,0 +1,235 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "eastus"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parHubNetworkName": {
+ "value": "alz-hub-eastus"
+ },
+ "parHubNetworkAddressPrefix": {
+ "value": "10.20.0.0/16"
+ },
+ "parSubnets": {
+ "value": [
+ {
+ "name": "AzureBastionSubnet",
+ "ipAddressRange": "10.20.0.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "GatewaySubnet",
+ "ipAddressRange": "10.20.254.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "ipAddressRange": "10.20.255.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallManagementSubnet",
+ "ipAddressRange": "10.20.253.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ }
+ ]
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPublicIpSku": {
+ "value": "Standard"
+ },
+ "parPublicIpPrefix": {
+ "value": ""
+ },
+ "parPublicIpSuffix": {
+ "value": "-PublicIP"
+ },
+ "parAzBastionEnabled": {
+ "value": true
+ },
+ "parAzBastionName": {
+ "value": "alz-bastion"
+ },
+ "parAzBastionSku": {
+ "value": "Standard"
+ },
+ "parAzBastionNsgName": {
+ "value": "nsg-AzureBastionSubnet"
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallName": {
+ "value": "alz-azfw-eastus"
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-eastus"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzErGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzVpnGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parHubRouteTableName": {
+ "value": "alz-hub-routetable"
+ },
+ 
"parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.kusto.windows.net", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region geo code (i.e. for eastus, the geo code is eus)
+ "privatelink.adf.azure.com",
+ "privatelink.afs.azure.net",
+ "privatelink.agentsvc.azure-automation.net",
+ "privatelink.analysis.windows.net",
+ "privatelink.api.azureml.ms",
+ "privatelink.azconfig.io",
+ "privatelink.azure-api.net",
+ "privatelink.azure-automation.net",
+ "privatelink.azurecr.io",
+ "privatelink.azure-devices.net",
+ "privatelink.azure-devices-provisioning.net",
+ "privatelink.azurehdinsight.net",
+ "privatelink.azurehealthcareapis.com",
+ "privatelink.azurestaticapps.net",
+ "privatelink.azuresynapse.net",
+ "privatelink.azurewebsites.net",
+ "privatelink.batch.azure.com",
+ "privatelink.blob.core.windows.net",
+ "privatelink.cassandra.cosmos.azure.com",
+ "privatelink.cognitiveservices.azure.com",
+ "privatelink.database.windows.net",
+ "privatelink.datafactory.azure.net",
+ "privatelink.dev.azuresynapse.net",
+ "privatelink.dfs.core.windows.net",
+ "privatelink.dicom.azurehealthcareapis.com",
+ "privatelink.digitaltwins.azure.net",
+ "privatelink.directline.botframework.com",
+ "privatelink.documents.azure.com",
+ "privatelink.eventgrid.azure.net",
+ "privatelink.file.core.windows.net",
+ "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.guestconfiguration.azure.com",
+ "privatelink.his.arc.azure.com",
+ "privatelink.kubernetesconfiguration.azure.com",
+ "privatelink.managedhsm.azure.net",
+ "privatelink.mariadb.database.azure.com",
+ "privatelink.media.azure.net",
+ 
"privatelink.mongo.cosmos.azure.com",
+ "privatelink.monitor.azure.com",
+ "privatelink.mysql.database.azure.com",
+ "privatelink.notebooks.azure.net",
+ "privatelink.ods.opinsights.azure.com",
+ "privatelink.oms.opinsights.azure.com",
+ "privatelink.pbidedicated.windows.net",
+ "privatelink.postgres.database.azure.com",
+ "privatelink.prod.migration.windowsazure.com",
+ "privatelink.purview.azure.com",
+ "privatelink.purviewstudio.azure.com",
+ "privatelink.queue.core.windows.net",
+ "privatelink.redis.cache.windows.net",
+ "privatelink.redisenterprise.cache.azure.net",
+ "privatelink.search.windows.net",
+ "privatelink.service.signalr.net",
+ "privatelink.servicebus.windows.net",
+ "privatelink.siterecovery.windowsazure.com",
+ "privatelink.sql.azuresynapse.net",
+ "privatelink.table.core.windows.net",
+ "privatelink.table.cosmos.azure.com",
+ "privatelink.tip1.powerquery.microsoft.com",
+ "privatelink.token.botframework.com",
+ "privatelink.vaultcore.azure.net",
+ "privatelink.web.core.windows.net",
+ "privatelink.webpubsub.azure.com"
+ ]
+ },
+ "parPrivateDnsZoneAutoMergeAzureBackupZone": {
+ "value": true
+ },
+ "parVpnGatewayConfig": {
+ "value": {
+ "name": "alz-Vpn-Gateway",
+ "gatewayType": "Vpn",
+ "sku": "VpnGw1",
+ "vpnType": "RouteBased",
+ "generation": "Generation1",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parExpressRouteGatewayConfig": {
+ "value": {
+ "name": "alz-ExpressRoute-Gateway",
+ "gatewayType": "ExpressRoute",
+ "sku": "Standard",
+ "vpnType": "RouteBased",
+ "generation": "None",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ 
"parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ },
+ "parBastionOutboundSshRdpPorts": {
+ "value": [
+ "22",
+ "3389"
+ ]
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
new file mode 100644
index 00000000..d0ea43f5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
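Review bot: The `bgpsettings` key under `parVpnGatewayConfig` and `parExpressRouteGatewayConfig` in hubNetworking.parameters.all.json does not match the property the template reads, `gateway.bgpSettings` in the `resGateway` resource of hubNetworking.bicep, so a deployment that sets `enableBgp` to true with this file would fail on the missing property rather than apply the peering settings; the same key appears in hubNetworking.parameters.min.json and in both mc-hubNetworking parameter files, and the module's own parameter defaults use the same lowercase spelling. Changing it to `"bgpSettings": {` in each file keeps the samples aligned with what the template consumes, and `asn`/`peerWeight` should presumably be unquoted integers as in the module's `parVpnGatewayConfig` default rather than the strings used here. The region-specific `privatelink.xxxxxx.*` entries are syntactically valid zone names, so leaving the `xxxxxx` placeholder in place creates zones that never match a real service endpoint instead of failing the deployment; a comment at the top of the list such as `// Replace every "xxxxxx" before deploying, or omit parPrivateDnsZones to take the module's location-derived defaults` would make that explicit.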
@@ -0,0 +1,117 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parHubNetworkAddressPrefix": {
+ "value": "10.20.0.0/16"
+ },
+ "parSubnets": {
+ "value": [
+ {
+ "name": "AzureBastionSubnet",
+ "ipAddressRange": "10.20.0.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "GatewaySubnet",
+ "ipAddressRange": "10.20.254.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "ipAddressRange": "10.20.255.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallManagementSubnet",
+ "ipAddressRange": "10.20.253.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ }
+ ]
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPublicIpSku": {
+ "value": "Standard"
+ },
+ "parAzBastionEnabled": {
+ "value": true
+ },
+ "parAzBastionSku": {
+ "value": "Standard"
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzErGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzVpnGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parVpnGatewayConfig": {
+ "value": {
+ "name": "alz-Vpn-Gateway",
+ "gatewayType": "Vpn",
+ "sku": "VpnGw1",
+ "vpnType": "RouteBased",
+ "generation": "Generation1",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parExpressRouteGatewayConfig": {
+ "value": {
+ "name": "alz-ExpressRoute-Gateway",
+ 
"gatewayType": "ExpressRoute",
+ "sku": "Standard",
+ "vpnType": "RouteBased",
+ "generation": "None",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
new file mode 100644
index 00000000..dd5b18b0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
@@ -0,0 +1,197 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parHubNetworkName": {
+ "value": "alz-hub-chinaeast2"
+ },
+ "parHubNetworkAddressPrefix": {
+ "value": "10.20.0.0/16"
+ },
+ "parSubnets": {
+ "value": [
+ {
+ "name": "AzureBastionSubnet",
+ "ipAddressRange": "10.20.0.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "GatewaySubnet",
+ "ipAddressRange": "10.20.254.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "ipAddressRange": "10.20.255.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallManagementSubnet",
+ "ipAddressRange": "10.20.253.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ }
+ ]
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPublicIpSku": {
+ "value": "Standard"
+ },
+ "parPublicIpPrefix": {
+ "value": ""
+ },
+ "parPublicIpSuffix": {
+ "value": "-PublicIP"
+ },
+ "parAzBastionEnabled": {
+ "value": true
+ },
+ "parAzBastionName": {
+ "value": "alz-bastion"
+ },
+ "parAzBastionSku": {
+ "value": "Standard"
+ },
+ "parAzBastionNsgName": {
+ "value": "nsg-AzureBastionSubnet"
+ },
+ "parDdosEnabled": {
+ "value": false
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallName": {
+ "value": "alz-azfw-chinaeast2"
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-chinaeast2"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzErGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzVpnGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parHubRouteTableName": {
+ "value": "alz-hub-routetable" 
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parPrivateDnsZoneAutoMergeAzureBackupZone": {
+ "value": true
+ },
+ "parVpnGatewayConfig": {
+ "value": {
+ "name": "alz-Vpn-Gateway",
+ "gatewayType": "Vpn",
+ "sku": "VpnGw1",
+ "vpnType": "RouteBased",
+ "generation": "Generation1",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parExpressRouteGatewayConfig": {
+ "value": {
+ "name": "alz-ExpressRoute-Gateway",
+ "gatewayType": "ExpressRoute",
+ "sku": "Standard",
+ "vpnType": "RouteBased",
+ 
"generation": "None",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ },
+ "parBastionOutboundSshRdpPorts": {
+ "value": [
+ "22",
+ "3389"
+ ]
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
new file mode 100644
index 00000000..c16d37ab
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
@@ -0,0 +1,153 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parHubNetworkAddressPrefix": {
+ "value": "10.20.0.0/16"
+ },
+ "parSubnets": {
+ "value": [
+ {
+ "name": "AzureBastionSubnet",
+ "ipAddressRange": "10.20.0.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "GatewaySubnet",
+ "ipAddressRange": "10.20.254.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "ipAddressRange": "10.20.255.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallManagementSubnet",
+ "ipAddressRange": "10.20.253.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ }
+ ]
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPublicIpSku": {
+ "value": "Standard"
+ },
+ "parAzBastionEnabled": {
+ "value": true
+ },
+ "parAzBastionSku": {
+ "value": "Standard"
+ },
+ "parDdosEnabled": {
+ "value": false
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzErGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzVpnGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+
"privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parVpnGatewayConfig": {
+ "value": {
+ "name": "alz-Vpn-Gateway",
+ "gatewayType": "Vpn",
+ "sku": "VpnGw1",
+ "vpnType": "RouteBased",
+ "generation": "Generation1",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parExpressRouteGatewayConfig": {
+ "value": {
+ "name": "alz-ExpressRoute-Gateway",
+ "gatewayType": "ExpressRoute",
+ "sku": "Standard",
+ "vpnType": "RouteBased",
+ "generation": "None",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep
new file mode 100644
index 00000000..7babf3d7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep 
@@ -0,0 +1,137 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy a Well-Architected aligned resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ---------
+// VARIABLES
+// ---------
+
+// Company prefix for unit testing
+var parCompanyPrefix = 'test'
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_hub_network '../hubNetworking.bicep' = {
+ name: 'baseline_hub_network'
+ params: {
+ parLocation: location
+ parPublicIpSku: 'Standard'
+ parAzFirewallAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzErGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzVpnGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parVpnGatewayConfig: {}
+ parExpressRouteGatewayConfig: {}
+ }
+}
+
+@description('Baseline resource configuration using ExpressRoute')
+module baseline_hub_network_with_ER '../hubNetworking.bicep' = {
+ name: 'baseline_hub_network_with_ER'
+ params: {
+ parLocation: location
+ parPublicIpSku: 'Standard'
+ parAzFirewallAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzErGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzVpnGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parVpnGatewayConfig: {}
+ parExpressRouteGatewayConfig: {
+ name: '${parCompanyPrefix}-ExpressRoute-Gateway'
+ gatewaytype: 'ExpressRoute'
+ sku: 'ErGw1AZ'
+ vpntype: 'RouteBased'
+ vpnGatewayGeneration: 'None'
+ enableBgp: false
+ activeActive: true
+ enableBgpRouteTranslationForNat: false
+ enableDnsForwarding: false
+ asn: '65515'
+ bgpPeeringAddress: ''
+ bgpsettings: {
+ asn: '65515'
+ bgpPeeringAddress: ''
+ peerWeight: '5'
+ }
+ }
+ }
+}
+
+@description('Baseline resource configuration using a VPN Gateway')
+module baseline_hub_network_with_VPN '../hubNetworking.bicep' = {
+ name: 'baseline_hub_network_with_VPN'
+ params: {
+
parLocation: location
+ parPublicIpSku: 'Standard'
+ parAzFirewallAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzErGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzVpnGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parVpnGatewayConfig: {
+ name: '${parCompanyPrefix}-Vpn-Gateway'
+ gatewaytype: 'Vpn'
+ sku: 'VpnGw1AZ'
+ vpntype: 'RouteBased'
+ generation: 'Generation1'
+ enableBgp: false
+ activeActive: true
+ enableBgpRouteTranslationForNat: false
+ enableDnsForwarding: false
+ asn: 65515
+ bgpPeeringAddress: ''
+ bgpsettings: {
+ asn: 65515
+ bgpPeeringAddress: ''
+ peerWeight: 5
+ }
+ }
+ parExpressRouteGatewayConfig: {}
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..7e99d9d4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | The Azure location to deploy to.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Azure location to deploy to.
+
+- Default value: `[resourceGroup().location]`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "[resourceGroup().location]"
+ }
+ }
+}
+```
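Review bot: The gateway configuration objects in baseline_hub_network_with_ER and baseline_hub_network_with_VPN spell their keys differently from each other and from the JSON parameter files in this same commit: `gatewaytype`/`vpntype` here versus `gatewayType`/`vpnType` in the parameter files, `vpnGatewayGeneration` in the ExpressRoute sample versus `generation` in the VPN sample and the parameter files, and `asn`/`peerWeight` as strings (`'65515'`, `'5'`) in the ExpressRoute sample but integers (`65515`, `5`) in the VPN sample. hubNetworking.bicep is outside this hunk, so which spelling it actually reads cannot be confirmed here; if the module reads one spelling and a sample supplies another, the setting is presumably ignored rather than rejected at deploy time, which makes these samples an unreliable reference. Aligning both samples on the parameter-file spelling, e.g. `gatewayType: 'ExpressRoute'`, `vpnType: 'RouteBased'` and `generation: 'None'`, and on one type for `asn`/`peerWeight`, removes the ambiguity.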
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 00000000..0f759994
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | The Azure location to deploy to.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Azure location to deploy to.
+
+- Default value: `[resourceGroup().location]`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "[resourceGroup().location]"
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep
new file mode 100644
index 00000000..f6e7dd31
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep
@@ -0,0 +1,29 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_hub_network '../hubNetworking.bicep' = {
+ name: 'minimum_hub_network'
+ params: {
+ parLocation: location
+ parAzFirewallAvailabilityZones: []
+ parAzErGatewayAvailabilityZones: []
+ parAzVpnGatewayAvailabilityZones: []
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/README.md b/dependencies/infra-as-code/bicep/modules/logging/README.md
new file mode 100644
index 00000000..5ba38b7a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/README.md
@@ -0,0 +1,147 @@
+# Module: Logging, Automation & Sentinel
+
+Deploys Azure Log Analytics Workspace, Automation Account (linked together) & multiple Solutions deploy to the Log Analytics Workspace to an existing Resource Group.
+
+Automation Account will be linked to Log Analytics Workspace to provide integration for Update Management, Change Tracking and Inventory, and Start/Stop VMs during off-hours for your servers and virtual machines. Only one mapping can exist between Log Analytics Workspace and Automation Account.
+
+The module will deploy the following Log Analytics Workspace solutions by default. Solutions can be customized as required:
+
+- AgentHealthAssessment
+- AntiMalware
+- ChangeTracking
+- Security
+- SecurityInsights (Azure Sentinel)
+- SQLAdvancedThreatProtection
+- SQLVulnerabilityAssessment
+- SQLAssessment
+- Updates
+- VMInsights
+
+ > Only certain regions are supported to link Log Analytics Workspace & Automation Account together (linked workspaces). Reference: [Supported regions for linked Log Analytics workspace](https://learn.microsoft.com/azure/automation/how-to/region-mappings)
+
+## Parameters
+
+- [Parameters for Azure Commercial Cloud](generateddocs/logging.bicep.md)
+
+> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder.
+
+## Deployment
+
+In this example, a Log Analytics Workspace and Automation Account will be deployed to the resource group `alz-logging`. The inputs for this module are defined in `logging.parameters.all.json`.
+
+There are separate input parameters files depending on which Azure cloud you are deploying because this module deploys resources into an existing resource group under the specified region. There is no change to the Bicep template file.
+| Azure Cloud | Bicep template | Input parameters file |
+| -------------- | -------------- | ----------------------------------------- |
+| Global regions | logging.bicep | parameters/logging.parameters.all.json |
+| China regions | logging.bicep | parameters/mc-logging.parameters.all.json |
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+> If the deployment failed due an error that your alz-log-analytics/Automation resource of type 'Microsoft.OperationalInsights/workspaces/linkedServices' was not found, please retry the deployment step and it would succeed.
+
+### Azure CLI
+
+```bash
+# For Azure Global regions
+# Set Platform management subscripion ID as the the current subscription
+ManagementSubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ManagementSubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+TopLevelMGPrefix="alz"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+GROUP="rg-$TopLevelMGPrefix-logging-001"
+NAME="alz-loggingDeployment-${dateYMD}"
+TEMPLATEFILE="infra-as-code/bicep/modules/logging/logging.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json"
+
+# Create Resource Group - optional when using an existing resource group
+az group create \
+ --name $GROUP \
+ --location eastus
+
+# Deploy Module
+az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+# Set Platform management subscripion ID as the the current subscription
+ManagementSubscriptionId="[your platform management subscription ID]"
+az account set --subscription $ManagementSubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+TopLevelMGPrefix="alz"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+GROUP="rg-$TopLevelMGPrefix-logging-001"
+NAME="alz-loggingDeployment-${dateYMD}"
+TEMPLATEFILE="infra-as-code/bicep/modules/logging/logging.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json"
+
+# Create Resource Group - optional when using an existing resource group
+az group create \
+ --name $GROUP \
+ --location chinaeast2
+
+# Deploy Module
+az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### PowerShell
+
+```powershell
+# For Azure Global regions
+# Set Platform management subscripion ID as the the current subscription
+$ManagementSubscriptionId = "[your platform management subscription ID]"
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+$TopLevelMGPrefix = "alz"
+
+# Parameters necessary for deployment
+$inputObject = @{
+ DeploymentName = 'alz-LoggingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ ResourceGroupName = "rg-$TopLevelMGPrefix-logging-001"
+ TemplateFile = "infra-as-code/bicep/modules/logging/logging.bicep"
+ TemplateParameterFile = "infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json"
+}
+
+Select-AzSubscription -SubscriptionId $ManagementSubscriptionId
+
+# Create Resource Group - optional when using an existing resource group
+New-AzResourceGroup `
+ -Name $inputObject.ResourceGroupName `
+ -Location eastus
+
+New-AzResourceGroupDeployment @inputObject
+```
+OR
+```powershell
+# For Azure China regions
+# Set Platform management subscripion ID as the the current subscription
+$ManagementSubscriptionId = "[your platform management subscription ID]"
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+$TopLevelMGPrefix = "alz"
+
+# Parameters necessary for deployment
+$inputObject = @{
+ DeploymentName = 'alz-LoggingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ ResourceGroupName = "rg-$TopLevelMGPrefix-logging-001"
+ TemplateFile = "infra-as-code/bicep/modules/logging/logging.bicep"
+ TemplateParameterFile = "infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json"
+}
+
+Select-AzSubscription -SubscriptionId $ManagementSubscriptionId
+
+# Create Resource Group - optional when using an existing resource group
+New-AzResourceGroup `
+ -Name $inputObject.ResourceGroupName `
+ -Location chinaeast2
+
+New-AzResourceGroupDeployment @inputObject
+```
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/dependencies/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md
new file mode 100644
index 00000000..3f6feefd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md
@@ -0,0 +1,230 @@
+# ALZ Bicep - Logging Module
+
+ALZ Bicep Module used to set up Logging
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parLogAnalyticsWorkspaceName | No | Log Analytics Workspace name.
+parLogAnalyticsWorkspaceLocation | No | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
+parLogAnalyticsWorkspaceSkuName | No | Log Analytics Workspace sku name.
+parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation.
+parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace.
+parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace.
+parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account.
+parAutomationAccountName | No | Automation account name.
+parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
+parAutomationAccountUseManagedIdentity | No | Automation Account - use managed identity.
+parTags | No | Tags you would like to be applied to all resources in this module.
+parAutomationAccountTags | No | Tags you would like to be applied to Automation Account.
+parLogAnalyticsWorkspaceTags | No | Tags you would like to be applied to Log Analytics Workspace.
+parUseSentinelClassicPricingTiers | No | Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier.
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parLogAnalyticsWorkspaceName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Log Analytics Workspace name.
+
+- Default value: `alz-log-analytics`
+
+### parLogAnalyticsWorkspaceLocation
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
+
+- Default value: `[resourceGroup().location]`
+
+### parLogAnalyticsWorkspaceSkuName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Log Analytics Workspace sku name.
+
+- Default value: `PerGB2018`
+
+- Allowed values: `CapacityReservation`, `Free`, `LACluster`, `PerGB2018`, `PerNode`, `Premium`, `Standalone`, `Standard`
+
+### parLogAnalyticsWorkspaceCapacityReservationLevel
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation.
+
+- Default value: `100`
+
+- Allowed values: `100`, `200`, `300`, `400`, `500`, `1000`, `2000`, `5000`
+
+### parLogAnalyticsWorkspaceLogRetentionInDays
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Number of days of log retention for Log Analytics Workspace.
+
+- Default value: `365`
+
+### parLogAnalyticsWorkspaceSolutions
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Solutions that will be added to the Log Analytics Workspace.
+
+- Default value: `AgentHealthAssessment AntiMalware ChangeTracking Security SecurityInsights SQLAdvancedThreatProtection SQLVulnerabilityAssessment SQLAssessment Updates VMInsights`
+
+- Allowed values: `AgentHealthAssessment`, `AntiMalware`, `ChangeTracking`, `Security`, `SecurityInsights`, `ServiceMap`, `SQLAdvancedThreatProtection`, `SQLVulnerabilityAssessment`, `SQLAssessment`, `Updates`, `VMInsights`
+
+### parLogAnalyticsWorkspaceLinkAutomationAccount
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Log Analytics Workspace should be linked with the automation account.
+
+- Default value: `True`
+
+### parAutomationAccountName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Automation account name.
+
+- Default value: `alz-automation-account`
+
+### parAutomationAccountLocation
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
+
+- Default value: `[resourceGroup().location]`
+
+### parAutomationAccountUseManagedIdentity
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Automation Account - use managed identity.
+
+- Default value: `True`
+
+### parTags
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Tags you would like to be applied to all resources in this module.
+
+### parAutomationAccountTags
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Tags you would like to be applied to Automation Account.
+
+- Default value: `[parameters('parTags')]`
+
+### parLogAnalyticsWorkspaceTags
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Tags you would like to be applied to Log Analytics Workspace.
+
+- Default value: `[parameters('parTags')]`
+
+### parUseSentinelClassicPricingTiers
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier.
+
+- Default value: `False`
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Outputs
+
+Name | Type | Description
+---- | ---- | -----------
+outLogAnalyticsWorkspaceName | string |
+outLogAnalyticsWorkspaceId | string |
+outLogAnalyticsCustomerId | string |
+outLogAnalyticsSolutions | array |
+outAutomationAccountName | string |
+outAutomationAccountId | string |
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/logging/logging.json"
+ },
+ "parameters": {
+ "parLogAnalyticsWorkspaceName": {
+ "value": "alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "[resourceGroup().location]"
+ },
+ "parLogAnalyticsWorkspaceSkuName": {
+ "value": "PerGB2018"
+ },
+ "parLogAnalyticsWorkspaceCapacityReservationLevel": {
+ "value": 100
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+
"SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parLogAnalyticsWorkspaceLinkAutomationAccount": {
+ "value": true
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parAutomationAccountLocation": {
+ "value": "[resourceGroup().location]"
+ },
+ "parAutomationAccountUseManagedIdentity": {
+ "value": true
+ },
+ "parTags": {
+ "value": {}
+ },
+ "parAutomationAccountTags": {
+ "value": "[parameters('parTags')]"
+ },
+ "parLogAnalyticsWorkspaceTags": {
+ "value": "[parameters('parTags')]"
+ },
+ "parUseSentinelClassicPricingTiers": {
+ "value": false
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/logging/logging.bicep b/dependencies/infra-as-code/bicep/modules/logging/logging.bicep
new file mode 100644
index 00000000..91716214
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/logging.bicep
@@ -0,0 +1,169 @@
+metadata name = 'ALZ Bicep - Logging Module'
+metadata description = 'ALZ Bicep Module used to set up Logging'
+
+@sys.description('Log Analytics Workspace name.')
+param parLogAnalyticsWorkspaceName string = 'alz-log-analytics'
+
+@sys.description('Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.')
+param parLogAnalyticsWorkspaceLocation string = resourceGroup().location
+
+@allowed([
+ 'CapacityReservation'
+ 'Free'
+ 'LACluster'
+ 'PerGB2018'
+ 'PerNode'
+ 'Premium'
+ 'Standalone'
+ 'Standard'
+])
+@sys.description('Log Analytics Workspace sku name.')
+param parLogAnalyticsWorkspaceSkuName string = 'PerGB2018'
+
+@allowed([
+ 100
+ 200
+ 300
+ 400
+ 500
+ 1000
+ 2000
+ 5000
+])
+@sys.description('Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation.')
+param parLogAnalyticsWorkspaceCapacityReservationLevel int = 100
+
+@minValue(30)
+@maxValue(730)
+@sys.description('Number of days of log retention for Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceLogRetentionInDays int = 365
+
+@allowed([
+ 'AgentHealthAssessment'
+ 'AntiMalware'
+ 'ChangeTracking'
+ 'Security'
+ 'SecurityInsights'
+ 'ServiceMap'
+ 'SQLAdvancedThreatProtection'
+ 'SQLVulnerabilityAssessment'
+ 'SQLAssessment'
+ 'Updates'
+ 'VMInsights'
+])
+@sys.description('Solutions that will be added to the Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceSolutions array = [
+ 'AgentHealthAssessment'
+ 'AntiMalware'
+ 'ChangeTracking'
+ 'Security'
+ 'SecurityInsights'
+ 'SQLAdvancedThreatProtection'
+ 'SQLVulnerabilityAssessment'
+ 'SQLAssessment'
+ 'Updates'
+ 'VMInsights'
+]
+
+@sys.description('Log Analytics Workspace should be linked with the automation account.')
+param parLogAnalyticsWorkspaceLinkAutomationAccount bool = true
+
+@sys.description('Automation account name.')
+param
parAutomationAccountName string = 'alz-automation-account'
+
+@sys.description('Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.')
+param parAutomationAccountLocation string = resourceGroup().location
+
+@sys.description('Automation Account - use managed identity.')
+param parAutomationAccountUseManagedIdentity bool = true
+
+@sys.description('Tags you would like to be applied to all resources in this module.')
+param parTags object = {}
+
+@sys.description('Tags you would like to be applied to Automation Account.')
+param parAutomationAccountTags object = parTags
+
+@sys.description('Tags you would like to be applied to Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceTags object = parTags
+
+@sys.description('Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier.')
+param parUseSentinelClassicPricingTiers bool = false
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = 'f8087c67-cc41-46b2-994d-66e4b661860d'
+
+resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
+ name: parAutomationAccountName
+ location: parAutomationAccountLocation
+ tags: parAutomationAccountTags
+ identity: parAutomationAccountUseManagedIdentity ?
{
+ type: 'SystemAssigned'
+ } : null
+ properties: {
+ sku: {
+ name: 'Basic'
+ }
+ encryption: {
+ keySource: 'Microsoft.Automation'
+ }
+ }
+}
+
+resource resLogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+ name: parLogAnalyticsWorkspaceName
+ location: parLogAnalyticsWorkspaceLocation
+ tags: parLogAnalyticsWorkspaceTags
+ properties: {
+ sku: {
+ name: parLogAnalyticsWorkspaceSkuName
+ capacityReservationLevel: parLogAnalyticsWorkspaceSkuName == 'CapacityReservation' ? parLogAnalyticsWorkspaceCapacityReservationLevel : null
+ }
+ retentionInDays: parLogAnalyticsWorkspaceLogRetentionInDays
+ }
+}
+
+resource resLogAnalyticsWorkspaceSolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in parLogAnalyticsWorkspaceSolutions: {
+ name: '${solution}(${resLogAnalyticsWorkspace.name})'
+ location: parLogAnalyticsWorkspaceLocation
+ tags: parTags
+ properties: solution == 'SecurityInsights' ? {
+ workspaceResourceId: resLogAnalyticsWorkspace.id
+ sku: parUseSentinelClassicPricingTiers ? null : {
+ name: 'Unified'
+ }
+ } : {
+ workspaceResourceId: resLogAnalyticsWorkspace.id
+ }
+ plan: {
+ name: '${solution}(${resLogAnalyticsWorkspace.name})'
+ product: 'OMSGallery/${solution}'
+ publisher: 'Microsoft'
+ promotionCode: ''
+ }
+}]
+
+resource resLogAnalyticsLinkedServiceForAutomationAccount 'Microsoft.OperationalInsights/workspaces/linkedServices@2020-08-01' = if (parLogAnalyticsWorkspaceLinkAutomationAccount) {
+ parent: resLogAnalyticsWorkspace
+ name: 'Automation'
+ properties: {
+ resourceId: resAutomationAccount.id
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment.
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}'
+ params: {}
+}
+
+output outLogAnalyticsWorkspaceName string = resLogAnalyticsWorkspace.name
+output outLogAnalyticsWorkspaceId string = resLogAnalyticsWorkspace.id
+output outLogAnalyticsCustomerId string = resLogAnalyticsWorkspace.properties.customerId
+output outLogAnalyticsSolutions array = parLogAnalyticsWorkspaceSolutions
+
+output outAutomationAccountName string = resAutomationAccount.name
+output outAutomationAccountId string = resAutomationAccount.id
diff --git a/dependencies/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png
new file mode 100644
index 00000000..8de53129
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
new file mode 100644
index 00000000..51abbf1c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json
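Review bot: Neither resAutomationAccount nor resLogAnalyticsWorkspace sets any network-access restriction, so with this module's defaults the workspace that receives the security solutions (SecurityInsights is in the default parLogAnalyticsWorkspaceSolutions list) and the Automation Account are reachable over their public endpoints, and a caller has no parameter to change that. The API versions used here expose `publicNetworkAccess` on the Automation Account and `publicNetworkAccessForIngestion`/`publicNetworkAccessForQuery` on the workspace; a `parPublicNetworkAccessEnabled bool = true` parameter keeps today's behaviour as the default while letting hardened deployments switch to private access (disabling ingestion only makes sense together with an Azure Monitor Private Link Scope, so the description should say so). Separately, `varCuaid` carries only the comment `// Customer Usage Attribution Id`; stating that it is the telemetry GUID emitted via modCustomerUsageAttribution and suppressed by parTelemetryOptOut would save the next reader a trip to the FAQ link.
```bicep
@sys.description('Set to false to disable public network access on the Automation Account and on Log Analytics ingestion and query. Only set to false when an Azure Monitor Private Link Scope is in place.')
param parPublicNetworkAccessEnabled bool = true

resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
  // … unchanged: name, location, tags, identity …
  properties: {
    publicNetworkAccess: parPublicNetworkAccessEnabled
    // … unchanged: sku, encryption …
  }
}

resource resLogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  // … unchanged: name, location, tags …
  properties: {
    publicNetworkAccessForIngestion: parPublicNetworkAccessEnabled ? 'Enabled' : 'Disabled'
    publicNetworkAccessForQuery: parPublicNetworkAccessEnabled ? 'Enabled' : 'Disabled'
    // … unchanged: sku, retentionInDays …
  }
}
```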
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceName": {
+ "value": "alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceSkuName": {
+ "value": "PerGB2018"
+ },
+ "parLogAnalyticsWorkspaceCapacityReservationLevel": {
+ "value": 100
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parLogAnalyticsWorkspaceLinkAutomationAccount": {
+ "value": true
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parAutomationAccountLocation": {
+ "value": "eastus2"
+ },
+ "parAutomationAccountUseManagedIdentity": {
+ "value": true
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parUseSentinelClassicPricingTiers": {
+ "value": false
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
new file mode 100644
index 00000000..a962c9a3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
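Review bot: `parLogAnalyticsWorkspaceCapacityReservationLevel` is set to `100` alongside a `PerGB2018` SKU, so the value is never applied: the workspace resource only passes `capacityReservationLevel` when `parLogAnalyticsWorkspaceSkuName == 'CapacityReservation'` (the `sku` block of `resLogAnalyticsWorkspace` in logging.bicep above). A reader of this "all parameters" sample could take it for a purchased commitment tier, so either drop the entry or note in the module README that it only takes effect with the `CapacityReservation` SKU (a JSON parameter file cannot carry the comment itself). The min and mc variants in this commit omit the parameter and are unaffected.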
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parAutomationAccountLocation": {
+ "value": "eastus2"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
new file mode 100644
index 00000000..5881fbcd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceName": {
+ "value": "alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "chinaeast2"
+ },
+ "parLogAnalyticsWorkspaceSkuName": {
+ "value": "PerGB2018"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parLogAnalyticsWorkspaceLinkAutomationAccount": {
+ "value": true
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parAutomationAccountLocation": {
+ "value": "chinaeast2"
+ },
+ "parAutomationAccountUseManagedIdentity": {
+ "value": true
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json
new file mode 100644
index 00000000..04d9b40d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "chinaeast2"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parAutomationAccountLocation": {
+ "value": "chinaeast2"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep
new file mode 100644
index 00000000..11612fdc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep
@@ -0,0 +1,44 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_logging '../logging.bicep' = {
+ name: 'baseline_logging'
+ params: {
+ parLogAnalyticsWorkspaceLocation: location
+ parAutomationAccountLocation: location
+ parLogAnalyticsWorkspaceName: 'alz-log-analytics'
+ parLogAnalyticsWorkspaceSkuName: 'PerGB2018'
+ parLogAnalyticsWorkspaceSolutions: [
+ 'AgentHealthAssessment'
+ 'AntiMalware'
+ 'ChangeTracking'
+ 'Security'
+ 'SecurityInsights'
+ 'SQLAdvancedThreatProtection'
+ 'SQLVulnerabilityAssessment'
+ 'SQLAssessment'
+ 'Updates'
+ 'VMInsights'
+ ]
+ parAutomationAccountName: 'alz-automation-account'
+ parAutomationAccountUseManagedIdentity: true
+ parTelemetryOptOut: false
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..8988086e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md
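Review bot: The banner comment `// Use this sample to deploy the minimum resource configuration.` is copied from minimum.sample.bicep and contradicts both the file header and the `baseline_logging` module it wraps; change it to `// Use this sample to deploy the baseline resource configuration.`. The `// PARAMETERS` section banner is empty because `param location` is declared above it, so either move the parameter under the banner or drop the banner. The empty section recurs in minimum.sample.bicep later in this commit.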
@@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +location | No | The Azure location to deploy to. + +### location + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure location to deploy to. + +- Default value: `[resourceGroup().location]` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/logging/samples/baseline.sample.json" + }, + "parameters": { + "location": { + "value": "[resourceGroup().location]" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..71927f76 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +location | No | The Azure location to deploy to. + +### location + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure location to deploy to. + +- Default value: `[resourceGroup().location]` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/logging/samples/minimum.sample.json" + }, + "parameters": { + "location": { + "value": "[resourceGroup().location]" + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep
new file mode 100644
index 00000000..c7c9f529
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep
@@ -0,0 +1,27 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_logging '../logging.bicep' = {
+ name: 'minimum_logging'
+ params: {
+ parLogAnalyticsWorkspaceLocation: location
+ parAutomationAccountLocation: location
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/README.md b/dependencies/infra-as-code/bicep/modules/managementGroups/README.md
new file mode 100644
index 00000000..0c721037
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/managementGroups/README.md
@@ -0,0 +1,200 @@
+# Module: Management Groups
+
+The Management Groups module deploys a management group hierarchy in a customer's tenant under the `Tenant Root Group`. This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment. The hierarchy can be modified by editing `managementGroups.bicep`. The hierarchy created by the deployment is:
+
+- Tenant Root Group
+ - Top Level Management Group (defined by parameter `parTopLevelManagementGroupPrefix`)
+ - Platform
+ - Management
+ - Connectivity
+ - Identity
+ - Landing Zones
+ - Corp
+ - Online
+ - Sandbox
+ - Decommissioned
+
+## Parameters
+
+- [Link to Parameters](generateddocs/managementGroups.bicep.md)
+
+### Child Platform & Landing Zone Management Groups Flexibility
+
+This module allows some flexibility for deploying child Platform & Landing Zone Management Groups, e.g. Management Groups that live beneath the Platform & Landing Zones Management Group. This flexibility is controlled by two/three parameters which are detailed below. All of these parameters can be used together to tailor the child Landing Zone Management Groups.
+
+#### Platform
+- `parPlatformMgAlzDefaultsEnable`
+ - Boolean - defaults to `true`
+ - **Required**
+ - Deploys following child Platform Management groups if set to `true`:
+ - `Management`
+ - `Connectivity`
+ - `Identity`
+ - *These are the default ALZ Management Groups as per the conceptual architecture*
+- `parPlatformMgChildren`
+ - Object - default is an empty object `{}`
+ - **Optional**
+ - Deploys whatever you specify in the object as child Landing Zone Management groups.
+
+These two parameters are then used to collate a single variable that is used to create the child Platform Management Groups. Duplicates are removed if entered. This is done by using the `union()` function in bicep.
+
+> Investigate the variable called `varPlatformMgChildrenUnioned` if you want to see how this works in the module.
+
+#### Landing Zones
+- `parLandingZoneMgAlzDefaultsEnable`
+ - Boolean - defaults to `true`
+ - **Required**
+ - Deploys following child Landing Zone Management groups if set to `true`:
+ - `Corp`
+ - `Online`
+ - *These are the default ALZ Management Groups as per the conceptual architecture*
+- `parLandingZoneMgConfidentialEnable`
+ - Boolean - defaults to `false`
+ - **Required**
+ - Deploys following child Landing Zone Management groups if set to `true`:
+ - `Confidential Corp`
+ - `Confidential Online`
+- `parLandingZoneMgChildren`
+ - Object - default is an empty object `{}`
+ - **Optional**
+ - Deploys whatever you specify in the object as child Landing Zone Management groups.
+
+These three parameters are then used to collate a single variable that is used to create the child Landing Zone Management Groups. Duplicates are removed if entered. This is done by using the `union()` function in bicep.
+
+> Investigate the variable called `varLandingZoneMgChildrenUnioned` if you want to see how this works in the module.
+
+#### `parLandingZoneMgChildren` and `parPlatformMgChildren` Input Examples
+
+Below are some examples of how to use this input parameter in both Bicep & JSON formats.
+
+##### Bicep Example
+
+```bicep
+parLandingZoneMgChildren: {
+ pci: {
+ displayName: 'PCI'
+ }
+ 'another-example': {
+ displayName: 'Another Example'
+ }
+}
+
+parPlatformMgChildren: {
+ security: {
+ displayName: 'Security'
+ }
+ 'yet-another-example': {
+ displayName: 'Yet Another Example'
+ }
+}
+```
+
+##### JSON Parameter File Input Example
+
+```json
+"parLandingZoneMgChildren": {
+ "value": {
+ "pci": {
+ "displayName": "PCI"
+ },
+ "another-example": {
+ "displayName": "Another Example"
+ }
+ }
+},
+"parPlatformMgChildren": {
+ "value": {
+ "security": {
+ "displayName": "Security"
+ },
+ "yet-another-example": {
+ "displayName": "Yet Another Example"
+ }
+ }
+}
+```
+
+## Outputs
+
+The module will generate the following outputs:
+
+| Output | Type | Example |
+| ------------------------------------------ | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| outTopLevelManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz |
+| outPlatformManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform |
+| outPlatformChildrenManagementGroupIds | array | `[/providers/Microsoft.Management/managementGroups/alz-platform-management, /providers/Microsoft.Management/managementGroups/alz-platform-connectivity, /providers/Microsoft.Management/managementGroups/alz-platform-identity]` |
+| outLandingZonesManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones |
+| outLandingZoneChildrenManagementGroupIds | array | `[/providers/Microsoft.Management/managementGroups/alz-landingzones-corp, /providers/Microsoft.Management/managementGroups/alz-landingzones-online]` |
+| outSandboxManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox |
+| outDecommissionedManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned |
+| outTopLevelManagementGroupName | string | Azure Landing Zones |
+| outPlatformManagementGroupName | string | Platform |
+| outPlatformChildrenManagementGroupNames | array | `[Management, Connectivity, Identity]` |
+| outLandingZonesManagementGroupName | string | Landing Zones |
+| outLandingZoneChildrenManagementGroupNames | array | `[Corp, Online]` |
+| outSandboxManagementGroupName | string | Sandbox |
+| outDecommissionedManagementGroupName | string | Decommissioned |
+
+## Deployment
+
+In this example, the management groups are created at the `Tenant Root Group` through a tenant-scoped deployment.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-MGDeployment-${dateYMD}"
+LOCATION="eastus"
+TEMPLATEFILE="infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json"
+
+az deployment tenant create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-MGDeployment-${dateYMD}"
+LOCATION="chinaeast2"
+TEMPLATEFILE="infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json"
+
+az deployment tenant create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+
+$inputObject = @{
+ DeploymentName = 'alz-MGDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'EastUS'
+ TemplateFile = "infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json'
+}
+New-AzTenantDeployment @inputObject
+```
+OR
+```powershell
+# For Azure China regions
+
+$inputObject = @{
+ DeploymentName = 'alz-MGDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'chinaeast2'
+ TemplateFile = "infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json'
+}
+New-AzTenantDeployment @inputObject
+```
+
+![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output")
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/generateddocs/managementGroups.bicep.md b/dependencies/infra-as-code/bicep/modules/managementGroups/generateddocs/managementGroups.bicep.md
new file mode 100644
index 00000000..9264a56f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/managementGroups/generateddocs/managementGroups.bicep.md
@@ -0,0 +1,155 @@ +# ALZ Bicep - Management Groups Module + +ALZ Bicep Module to set up Management Group structure + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. This management group will be created as part of the deployment. +parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +parTopLevelManagementGroupDisplayName | No | Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter. +parTopLevelManagementGroupParentId | No | Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group. +parLandingZoneMgAlzDefaultsEnable | No | Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true. +parPlatformMgAlzDefaultsEnable | No | Deploys Management, Identity and Connectivity Management Groups beneath Platform Management Group if set to true. +parLandingZoneMgConfidentialEnable | No | Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true. +parLandingZoneMgChildren | No | Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed. +parPlatformMgChildren | No | Dictionary Object to allow additional or different child Management Groups of Platform Management Group to be deployed. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. 
+ +### parTopLevelManagementGroupPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix for the management group hierarchy. This management group will be created as part of the deployment. + +- Default value: `alz` + +### parTopLevelManagementGroupSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix + +### parTopLevelManagementGroupDisplayName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter. + +- Default value: `Azure Landing Zones` + +### parTopLevelManagementGroupParentId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group. + +### parLandingZoneMgAlzDefaultsEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true. + +- Default value: `True` + +### parPlatformMgAlzDefaultsEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Deploys Management, Identity and Connectivity Management Groups beneath Platform Management Group if set to true. 
+ +- Default value: `True` + +### parLandingZoneMgConfidentialEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true. + +- Default value: `False` + +### parLandingZoneMgChildren + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed. + +### parPlatformMgChildren + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Dictionary Object to allow additional or different child Management Groups of Platform Management Group to be deployed. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
+ +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outTopLevelManagementGroupId | string | +outPlatformManagementGroupId | string | +outPlatformChildrenManagementGroupIds | array | +outLandingZonesManagementGroupId | string | +outLandingZoneChildrenManagementGroupIds | array | +outSandboxManagementGroupId | string | +outDecommissionedManagementGroupId | string | +outTopLevelManagementGroupName | string | +outPlatformManagementGroupName | string | +outPlatformChildrenManagementGroupNames | array | +outLandingZonesManagementGroupName | string | +outLandingZoneChildrenManagementGroupNames | array | +outSandboxManagementGroupName | string | +outDecommissionedManagementGroupName | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/managementGroups/managementGroups.json" + }, + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parTopLevelManagementGroupDisplayName": { + "value": "Azure Landing Zones" + }, + "parTopLevelManagementGroupParentId": { + "value": "" + }, + "parLandingZoneMgAlzDefaultsEnable": { + "value": true + }, + "parPlatformMgAlzDefaultsEnable": { + "value": true + }, + "parLandingZoneMgConfidentialEnable": { + "value": false + }, + "parLandingZoneMgChildren": { + "value": {} + }, + "parPlatformMgChildren": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep b/dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep new file mode 100644 index 00000000..97280d5b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep 
@@ -0,0 +1,223 @@
+targetScope = 'tenant'
+
+metadata name = 'ALZ Bicep - Management Groups Module'
+metadata description = 'ALZ Bicep Module to set up Management Group structure'
+
+@sys.description('Prefix for the management group hierarchy. This management group will be created as part of the deployment.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter.')
+@minLength(2)
+param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones'
+
+@sys.description('Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group.')
+param parTopLevelManagementGroupParentId string = ''
+
+@sys.description('Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgAlzDefaultsEnable bool = true
+
+@sys.description('Deploys Management, Identity and Connectivity Management Groups beneath Platform Management Group if set to true.')
+param parPlatformMgAlzDefaultsEnable bool = true
+
+@sys.description('Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgConfidentialEnable bool = false
+
+@sys.description('Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed.')
+param parLandingZoneMgChildren object = {}
+
+@sys.description('Dictionary Object to allow additional or different child Management Groups of Platform Management Group to be deployed.')
+param parPlatformMgChildren object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Platform and Child Management Groups
+var varPlatformMg = {
+ name: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ displayName: 'Platform'
+}
+
+// Used if parPlatformMgAlzDefaultsEnable == true
+var varPlatformMgChildrenAlzDefault = {
+ connectivity: {
+ displayName: 'Connectivity'
+ }
+ identity: {
+ displayName: 'Identity'
+ }
+ management: {
+ displayName: 'Management'
+ }
+}
+
+// Landing Zones & Child Management Groups
+var varLandingZoneMg = {
+ name: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ displayName: 'Landing Zones'
+}
+
+// Used if parLandingZoneMgAlzDefaultsEnable == true
+var varLandingZoneMgChildrenAlzDefault = {
+ corp: {
+ displayName: 'Corp'
+ }
+ online: {
+ displayName: 'Online'
+ }
+}
+
+// Used if parLandingZoneMgConfidentialEnable == true
+var varLandingZoneMgChildrenConfidential = {
+ 'confidential-corp': {
+ displayName: 'Confidential Corp'
+ }
+ 'confidential-online': {
+ displayName: 'Confidential Online'
+ }
+}
+
+// Build final onject based on input parameters for child MGs of LZs
+var varLandingZoneMgChildrenUnioned = (parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenAlzDefault, varLandingZoneMgChildrenConfidential, parLandingZoneMgChildren) : (parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenAlzDefault, varLandingZoneMgChildrenConfidential) : (parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenAlzDefault, parLandingZoneMgChildren) : (parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? varLandingZoneMgChildrenAlzDefault : (!parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenConfidential, parLandingZoneMgChildren) : (!parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? varLandingZoneMgChildrenConfidential : (!parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? parLandingZoneMgChildren : (!parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? {} : {}
+var varPlatformMgChildrenUnioned = (parPlatformMgAlzDefaultsEnable && (!empty(parPlatformMgChildren))) ? union(varPlatformMgChildrenAlzDefault, parPlatformMgChildren) : (parPlatformMgAlzDefaultsEnable && (empty(parPlatformMgChildren))) ? varPlatformMgChildrenAlzDefault : (!parPlatformMgAlzDefaultsEnable && (!empty(parPlatformMgChildren))) ? parPlatformMgChildren : (!parPlatformMgAlzDefaultsEnable && (empty(parPlatformMgChildren))) ? {} : {}
+
+// Sandbox Management Group
+var varSandboxMg = {
+ name: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+ displayName: 'Sandbox'
+}
+
+// Decomissioned Management Group
+var varDecommissionedMg = {
+ name: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ displayName: 'Decommissioned'
+}
+
+// Customer Usage Attribution Id
+var varCuaid = '9b7965a0-d77c-41d6-85ef-ec3dfea4845b'
+
+// Level 1
+resource resTopLevelMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ properties: {
+ displayName: parTopLevelManagementGroupDisplayName
+ details: {
+ parent: {
+ id: empty(parTopLevelManagementGroupParentId) ? '/providers/Microsoft.Management/managementGroups/${tenant().tenantId}' : parTopLevelManagementGroupParentId
+ }
+ }
+ }
+}
+
+// Level 2
+resource resPlatformMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varPlatformMg.name
+ properties: {
+ displayName: varPlatformMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+resource resLandingZonesMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varLandingZoneMg.name
+ properties: {
+ displayName: varLandingZoneMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+resource resSandboxMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varSandboxMg.name
+ properties: {
+ displayName: varSandboxMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+resource resDecommissionedMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varDecommissionedMg.name
+ properties: {
+ displayName: varDecommissionedMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+// Level 3 - Child Management Groups under Landing Zones MG
+resource resLandingZonesChildMgs 'Microsoft.Management/managementGroups@2023-04-01' = [for mg in items(varLandingZoneMgChildrenUnioned): if (!empty(varLandingZoneMgChildrenUnioned)) {
+ name: '${parTopLevelManagementGroupPrefix}-landingzones-${mg.key}${parTopLevelManagementGroupSuffix}'
+ properties: {
+ displayName: mg.value.displayName
+ details: {
+ parent: {
+ id: resLandingZonesMg.id
+ }
+ }
+ }
+}]
+
+//Level 3 - Child Management Groups under Platform MG
+resource resPlatformChildMgs 'Microsoft.Management/managementGroups@2023-04-01' = [for mg in items(varPlatformMgChildrenUnioned): if (!empty(varPlatformMgChildrenUnioned)) {
+ name: '${parTopLevelManagementGroupPrefix}-platform-${mg.key}${parTopLevelManagementGroupSuffix}'
+ properties: {
+ displayName: mg.value.displayName
+ details: {
+ parent: {
+ id: resPlatformMg.id
+ }
+ }
+ }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+// Output Management Group IDs
+output outTopLevelManagementGroupId string = resTopLevelMg.id
+
+output outPlatformManagementGroupId string = resPlatformMg.id
+output outPlatformChildrenManagementGroupIds array = [for mg in items(varPlatformMgChildrenUnioned): '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupPrefix}-platform-${mg.key}${parTopLevelManagementGroupSuffix}']
+
+output outLandingZonesManagementGroupId string = resLandingZonesMg.id
+output outLandingZoneChildrenManagementGroupIds array = [for mg in items(varLandingZoneMgChildrenUnioned): '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupPrefix}-landingzones-${mg.key}${parTopLevelManagementGroupSuffix}' ]
+
+output outSandboxManagementGroupId string = resSandboxMg.id
+
+output outDecommissionedManagementGroupId string = resDecommissionedMg.id
+
+// Output Management Group Names
+output outTopLevelManagementGroupName string = resTopLevelMg.name
+
+output outPlatformManagementGroupName string = resPlatformMg.name
+output outPlatformChildrenManagementGroupNames array = [for mg in items(varPlatformMgChildrenUnioned): mg.value.displayName]
+
+output outLandingZonesManagementGroupName string = resLandingZonesMg.name
+output outLandingZoneChildrenManagementGroupNames array = [for mg in items(varLandingZoneMgChildrenUnioned): mg.value.displayName]
+
+output outSandboxManagementGroupName string = resSandboxMg.name
+
+output outDecommissionedManagementGroupName string = resDecommissionedMg.name
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png
new file mode 100644
index 00000000..64572c22
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png
new file mode 100644
index 00000000..cdd9568c
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json b/dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json
new file mode 100644
index 00000000..1111b946
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parTopLevelManagementGroupDisplayName": {
+ "value": "Azure Landing Zones"
+ },
+ "parTopLevelManagementGroupParentId": {
+ "value": ""
+ },
+ "parLandingZoneMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parPlatformMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parLandingZoneMgConfidentialEnable": {
+ "value": false
+ },
+ "parLandingZoneMgChildren": {
+ "value": {}
+ },
+ "parPlatformMgChildren": {
+ "value": {}
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json b/dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json
new file mode 100644
index 00000000..04dfd1df
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.bicep
new file mode 100644
index 00000000..dadf03f2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.bicep
@@ -0,0 +1,38 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'tenant'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_managementgroups'../managementGroups.bicep' = {
+ name: 'baseline managementGroups'
+ params: {
+ parTopLevelManagementGroupParentId: '00000000-0000-0000-0000-000000000000'
+ parLandingZoneMgChildren: {
+ 'mg-landingzone': {
+ displayName: 'Landing Zone'
+ children: {
+ 'mg-operations': {
+ displayName: 'Operations'
+ }
+ }
+ }
+ }
+ parTopLevelManagementGroupPrefix: 'alz'
+ parTopLevelManagementGroupDisplayName: 'Azure Landing Zones'
+ parLandingZoneMgAlzDefaultsEnable: true
+ parLandingZoneMgConfidentialEnable: false
+ parTelemetryOptOut: false
+ }
+}
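Review bot: `parTopLevelManagementGroupParentId: '00000000-0000-0000-0000-000000000000'` in the baseline sample is a bare GUID, but `managementGroups.bicep` earlier in this diff places any non-empty value unchanged into `details.parent.id`, where a full management-group resource path appears to be expected; the placeholder should take that form, e.g. `parTopLevelManagementGroupParentId: '/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000'`. The nested `children:` object under `'mg-landingzone'` also looks unused, since `resLandingZonesChildMgs` only reads `mg.value.displayName` one level deep, so a reader may wrongly expect a third-level management group to be created. Two smaller points: `module baseline_managementgroups'../managementGroups.bicep'` is missing the space between the symbolic name and the path, and the header comment `// Minimum deployment sample` was carried over from the minimum sample and should read `// Baseline deployment sample`. The parent-id and nested-children points apply equally to `minimum.sample.bicep` later in this diff.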
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/baseline.sample.bicep.md new file mode 100644 index 00000000..d2a42819 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/baseline.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..04108290 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep new file mode 100644 index 00000000..1e4d674f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep 
@@ -0,0 +1,33 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'tenant'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_managementgroups '../managementGroups.bicep' = {
+ name: 'minimum managementGroups'
+ params: {
+ parTopLevelManagementGroupParentId: '00000000-0000-0000-0000-000000000000'
+ parLandingZoneMgChildren: {
+ 'mg-landingzone': {
+ displayName: 'Landing Zone'
+ children: {
+ 'mg-operations': {
+ displayName: 'Operations'
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/README.md b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/README.md
new file mode 100644
index 00000000..b53ce685
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/README.md
@@ -0,0 +1,70 @@ +# Module: Enable Diagnostic Settings on a Management Group + +This module enables the supported Diagnostic Settings categories on a Management Group to an existing Azure Log Analytics Workspace. +> Consider using the `mgDiagSettingsAll` orchestration module instead to simplify configuring the Diagnostic Settings for all your Management Group hierarchy in a single module. [infra-as-code/bicep/orchestration/mgDiagSettingsAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/mgDiagSettingsAll) + +## Parameters + +- [Link to Parameters](generateddocs/mgDiagSettings.bicep.md) + +## Outputs + +*The module will not generate any outputs.* + +## Deployment + +The inputs for this module are defined in `parameters/mgDiagSettings.parameters.all.json`. The Diagnostic Settings resource will be named toLa but can be changed in the module if desired. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
+ +### Azure CLI + +```bash +# For Azure global regions +az deployment mg create \ + --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \ + --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \ + --location eastus \ + --management-group-id alz +``` + +OR + +```bash +# For Azure China regions +az deployment mg create \ + --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \ + --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \ + --location chinaeast2 \ + --management-group-id alz +``` + +### PowerShell + +```powershell +# For Azure global regions +New-AzManagementGroupDeployment ` + -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json ` + -Location eastus ` + -ManagementGroupId alz +``` + +OR + +```powershell +# For Azure China regions +New-AzManagementGroupDeployment ` + -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json ` + -Location chinaeast2 ` + -ManagementGroupId alz +``` + +## Validation + +To validate if Diagnostic Settings was correctly enabled for any specific management group, a REST API GET call can be used. Documentation and easy way to try this can be found in this link [(Management Group Diagnostic Settings - Get)](https://learn.microsoft.com/rest/api/monitor/management-group-diagnostic-settings/get?tabs=HTTP&tryIt=true&source=docs#code-try-0). There is currently not a direct way to validate this in the Azure Portal, Azure CLI or PowerShell. + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/generateddocs/mgDiagSettings.bicep.md b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/generateddocs/mgDiagSettings.bicep.md new file mode 100644 index 00000000..41197208 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/generateddocs/mgDiagSettings.bicep.md @@ -0,0 +1,46 @@ +# ALZ Bicep - Management Group Diagnostic Settings + +Module used to set up Diagnostic Settings for Management Groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLogAnalyticsWorkspaceResourceId | Yes | Log Analytics Workspace Resource ID. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parLogAnalyticsWorkspaceResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Log Analytics Workspace Resource ID. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.json" + }, + "parameters": { + "parLogAnalyticsWorkspaceResourceId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png new file mode 100644 index 00000000..cdfbc1e0 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep
new file mode 100644
index 00000000..0cf1e743
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep
@@ -0,0 +1,37 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Management Group Diagnostic Settings'
+metadata description = 'Module used to set up Diagnostic Settings for Management Groups'
+
+@sys.description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '5d17f1c2-f17b-4426-9712-0cd2652c4435'
+
+resource mgDiagSet 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+ name: 'toLa'
+ properties: {
+ workspaceId: parLogAnalyticsWorkspaceResourceId
+ logs: [
+ {
+ category: 'Administrative'
+ enabled: true
+ }
+ {
+ category: 'Policy'
+ enabled: true
+ }
+ ]
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json
new file mode 100644
index 00000000..e20f3a31
--- /dev/null
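Review bot: `param parLogAnalyticsWorkspaceResourceId string` carries no validation, yet both parameter files shipped for this module (next hunk) leave it as `""`, so the default inputs hand an empty `workspaceId` to the diagnostic setting instead of failing at a clear, early point. Add `@minLength(1)` between the description decorator and the `param` line so an unset value is rejected at compile/what-if time, and tighten the description to `@sys.description('Log Analytics Workspace Resource ID. Required; the deployment fails if left empty.')`. The hard-coded resource name `'toLa'` would also benefit from a short comment, e.g. `// Setting name referenced by the README; change it here if a different name is required.`, since the README tells readers it can be changed in the module.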
+++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json
new file mode 100644
index 00000000..e20f3a31
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/README.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/README.md
new file mode 100644
index 00000000..55cd4f0f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/README.md
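Review bot: `mgDiagSettings.parameters.all.json` and `mgDiagSettings.parameters.min.json` are byte-identical (both hunks carry blob `e20f3a31`) and both leave `parLogAnalyticsWorkspaceResourceId` as `""`, which the module declares as a required workspace resource ID, so neither file deploys as shipped. Either drop one of the two files or give the `.all.json` variant an obviously fake placeholder such as `"value": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"` so a reader sees the expected shape; a JSON parameters file has no comment syntax, so the placeholder value is the only place this can be signalled.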
@@ -0,0 +1,156 @@ +# Module: Policy Assignments + +This module deploys Azure Policy Assignments to a specified Management Group and also assigns the relevant RBAC for the system-assigned Managed Identities created for policies that require them (e.g DeployIfNotExist & Modify effect policies). + +> If you are looking for the default ALZ policy assignments check out [`./alzDefaults` directory](alzDefaults/README.md) + +If you wish to add your own additional Azure Policy Assignments please review [How Does ALZ-Bicep Implement Azure Policies?](https://github.com/Azure/ALZ-Bicep/wiki/PolicyDeepDive) and more specifically [Adding Custom Azure Policy Definitions](https://github.com/Azure/ALZ-Bicep/wiki/AddingPolicyDefs) + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/policyAssignmentManagementGroup.bicep.md) + +> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. + +## Outputs + +The module does not generate any outputs. + +## Deployment + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Deny Effect + +In this example, the `Deny-PublicIP` custom policy definition will be deployed/assigned to the `alz-landingzones` management group. 
+ +#### Azure CLI - Deny + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-alz-PolicyDenyAssignmentsDeployment-${dateYMD}" + +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json" +LOCATION="eastus" +MGID="alz-landingzones" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-alz-PolicyDenyAssignmentsDeployment-${dateYMD}" + +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json" +LOCATION="chinaeast2" +MGID="alz-landingzones" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +#### PowerShell - Deny + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDenyAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ManagementGroupId = 'alz-landingzones' + Location = 'eastus' + TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" +} +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDenyAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ManagementGroupId = 'alz-landingzones' + Location = 'chinaeast2' + 
TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" +} +New-AzManagementGroupDeployment @inputObject +``` + +### DeployIfNotExists Effect + +There are two different sets of input parameters files; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to a few Microsoft Defender for Cloud built-in policies which are not available in Azure China. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ------------------------------------- | --------------------------------------------------------------- | + | Global regions | policyAssignmentManagementGroup.bicep | parameters/policyAssignmentManagementGroup.dine.parameters.all.json | + | China regions | policyAssignmentManagementGroup.bicep | parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json | + + +In this example, the `Deploy-MDFC-Config` custom policy definition will be deployed/assigned to the `alz-landingzones` management group (intermediate root management group). 
And the managed identity associated with the policy will also be assigned to the `alz-platform` management group, as defined in the parameter file: `parameters/policyAssignmentManagementGroup.dine.parameters.all.json` or `parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json` +#### Azure CLI - DINE + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PolicyDineAssignments-${dateYMD}" +LOCATION="eastus" +MGID="alz-landingzones" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json" + +az deployment mg create --name $NAME --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PolicyDineAssignments-${dateYMD}" +LOCATION="eastus" +MGID="alz-landingzones" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json" + +az deployment mg create --name $NAME --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +#### PowerShell - DINE + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDineAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + ManagementGroupId = 'alz-landingzones' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" + TemplateParameterFile = '@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# 
For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDineAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz-landingzones' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md new file mode 100644 index 00000000..8d810922 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md 
@@ -0,0 +1,86 @@ +# Module: ALZ Default Policy Assignments + +This module deploys the default Azure Landing Zone Azure Policy Assignments to the Management Group Hierarchy and also assigns the relevant RBAC for the system-assigned Managed Identities created for policies that require them (e.g DeployIfNotExist & Modify effect policies). + +Exclusion of specific ALZ default policies which does not fit your organization is supported, check out [Exclude specific policy assignments from ALZ Default Policy Assignments](https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments) + +If you wish to add your own additional Azure Policy Assignments please review [How Does ALZ-Bicep Implement Azure Policies?](https://github.com/Azure/ALZ-Bicep/wiki/PolicyDeepDive) and more specifically [Adding Custom Azure Policy Definitions](https://github.com/Azure/ALZ-Bicep/wiki/AddingPolicyDefs) + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/alzDefaultPolicyAssignments.bicep.md) +- [Parameters for Azure China Cloud](generateddocs/mc-alzDefaultPolicyAssignments.bicep.md) + +## Outputs + +The module does not generate any outputs. + +## Deployment + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +> **Important:** If you decide to not use a DDoS Network Protection plan in your environment and therefore leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) then the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. For deployment in Azure China, leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) because the DDoS Protection feature is not available in Azure China. 
+> +> However, if you later do decide to deploy an DDoS Network Protection Plan, you will need to remember to come back and update the parameter `parDdosProtectionPlanId` with the resource ID of the DDoS Network Protection Plan to ensure the policy is applied to the relevant Management Groups. You can then use a policy [remediation task](https://docs.microsoft.com/azure/governance/policy/how-to/remediate-resources) to bring all non-compliant VNETs back into compliance, once a [compliance scan](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data#evaluation-triggers) has taken place. + + +### Azure CLI +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-alzPolicyAssignmentDefaults-${dateYMD}" +LOCATION="eastus" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-alzPolicyAssignmentDefaults-${dateYMD}" +LOCATION="chinaeast2" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-alzPolicyAssignmentDefaultsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + 
ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alzPolicyAssignmentDefaultsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/mc-alzDefaultPolicyAssignments.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep new file mode 100644 index 00000000..79c1ff96 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -0,0 +1,1416 @@
+metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
+metadata description = 'This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy'
+
+@sys.description('Prefix for the management group hierarchy.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
+param parPlatformMgAlzDefaultsEnable bool = true
+
+@sys.description('Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.')
+param parLandingZoneChildrenMgAlzDefaultsEnable bool = true
+
+@sys.description('The region where the Log Analytics Workspace & Automation Account are deployed.')
+param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
+
+@sys.description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string = ''
+
+@sys.description('Number of days of log retention for Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceLogRetentionInDays string = '365'
+
+@sys.description('Automation account name.')
+param parAutomationAccountName string = 'alz-automation-account'
+
+@sys.description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.')
+param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com'
+
+@sys.description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.')
+param parDdosProtectionPlanId string = ''
+
+@sys.description('Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.')
+param parPrivateDnsResourceGroupId string = ''
+
+@sys.description('Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules.')
+param parPrivateDnsZonesNamesToAuditInCorp array = []
+
+@sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.')
+param parDisableAlzDefaultPolicies bool = false
+
+@sys.description('Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.')
+param parVmBackupExclusionTagName string = ''
+
+@sys.description('Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.')
+param parVmBackupExclusionTagValue array = []
+
+@sys.description('Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments')
+param parExcludedPolicyAssignments array = []
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8]
+
+var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceId, '/')[4]
+
+var varLogAnalyticsWorkspaceSubscription = split(parLogAnalyticsWorkspaceResourceId, '/')[2]
+
+// Customer Usage Attribution Id Telemetry
+var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2'
+
+// ZTN Telemetry
+var varZtnP1CuaId = '4eaba1fc-d30a-4e63-a57f-9e6c3d86a318'
+var varZtnP1Trigger = ((!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyStoragehttp.libDefinition.name))) ? true : false
+
+// **Variables**
+// Orchestration Module Variables
+var varDeploymentNameWrappers = {
+ basePrefix: 'ALZBicep'
+ #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ baseSuffixTenantAndManagementGroup: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}'
+}
+
+var varModuleDeploymentNames = {
+ modPolicyAssignmentIntRootDeployMdfcConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResoruceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployMDEnpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpoints-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootEnforceAcsb: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAcsb-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployMdfcOssDb: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcOssDb-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployMdfcSqlAtp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcSqlAtp-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootAuditUnusedRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditUnusedRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDenyClassicRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyClassicRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDenyUnmanagedDisks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyUnmanagedDisks-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnforceTlsSsl: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeploySqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployAzSqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzSQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsCorpDenyHybridNet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyHybridNet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsCorpAuditPeDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditPeDnsZones-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentDecommEnforceAlz: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAlz-decomm-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentSandboxEnforceAlz: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAlz-sbox-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+}
+
+// Policy Assignments Modules Variables
+
+var varPolicyAssignmentAuditAppGWWAF = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json')
+}
+
+var varPolicyAssignmentAuditPeDnsZones = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json')
+}
+
+var varPolicyAssignmentAuditUnusedResources = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json')
+}
+
+var varPolicyAssignmentDenyClassicResources = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceAKSHTTPS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')
+}
+
+var varPolicyAssignmentDenyHybridNetworking = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json')
+}
+
+var varPolicyAssignmentDenyIPForwarding = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')
+}
+
+var varPolicyAssignmentDenyMgmtPortsInternet = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPrivContainersAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPrivEscalationAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPublicEndpoints = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPublicIPOnNIC = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPublicIP = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')
+}
+
+var varPolicyAssignmentDenyStoragehttp = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')
+}
+
+var varPolicyAssignmentDenySubnetWithoutNsg = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')
+}
+
+var varPolicyAssignmentDenyUnmanagedDisk = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json')
+}
+
+var varPolicyAssignmentDeployAKSPolicy = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
+}
+
+var varPolicyAssignmentDeployASCMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
+}
+
+var varPolicyAssignmentDeployAzActivityLog = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')
+}
+
+var varPolicyAssignmentDeployAzSqlDbAuditing = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json')
+}
+
+var varPolicyAssignmentDeployLogAnalytics = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDEndpoints = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDFCConfig = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDFCOssDb = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDFCSqlAtp = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json')
+}
+
+var varPolicyAssignmentDeployPrivateDNSZones = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')
+}
+
+var varPolicyAssignmentDeployResourceDiag = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')
+}
+
+var varPolicyAssignmentDeploySQLTDE = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json')
+}
+
+var varPolicyAssignmentDeploySQLThreat = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVMBackup = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVMMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVMSSMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')
+}
+
+var varPolicyAssignmentEnableDDoSVNET = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceACSB = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceALZDecomm = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceALZSandbox = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceGRKeyVault = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceTLSSSL = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')
+}
+
+// RBAC Role Definitions Variables - Used For Policy Assignments
+var varRbacRoleDefinitionIds = {
+ owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7'
+ aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+ logAnalyticsContributor: '92aaf0da-9dab-42b6-94a3-d43ce8d16293'
+ sqlSecurityManager: '056cd41c-7e88-42e1-933e-88ba6a50c9c3'
+ vmContributor: '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+}
+
+// Management Groups Variables - Used For Policy Assignments
+var varManagementGroupIds = {
+ intRoot: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ platform: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformManagement: parPlatformMgAlzDefaultsEnable ? '${parTopLevelManagementGroupPrefix}-platform-management${parTopLevelManagementGroupSuffix}' : '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformConnectivity: parPlatformMgAlzDefaultsEnable ? '${parTopLevelManagementGroupPrefix}-platform-connectivity${parTopLevelManagementGroupSuffix}' : '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformIdentity: parPlatformMgAlzDefaultsEnable ? '${parTopLevelManagementGroupPrefix}-platform-identity${parTopLevelManagementGroupSuffix}' : '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ landingZones: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online${parTopLevelManagementGroupSuffix}'
+ landingZonesConfidentialCorp: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesConfidentialOnline: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online${parTopLevelManagementGroupSuffix}'
+ decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ sandbox: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+}
+
+// Corp Management Groups - Used For Policy Assignments Restricting Public IPs
+var varCorpManagementGroupIds = [
+ varManagementGroupIds.landingZonesCorp
+ varManagementGroupIds.landingZonesConfidentialCorp
+]
+
+var varTopLevelManagementGroupResourceId = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIds.intRoot}'
+
+// Deploy-Private-DNS-Zones Variables
+
+var varPrivateDnsZonesResourceGroupSubscriptionId = !empty(parPrivateDnsResourceGroupId) ? split(parPrivateDnsResourceGroupId, '/')[2] : ''
+
+var varPrivateDnsZonesBaseResourceId = '${parPrivateDnsResourceGroupId}/providers/Microsoft.Network/privateDnsZones/'
+
+var varPrivateDnsZonesFinalResourceIds = {
+ azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net'
+ azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net'
+ azureAutomationDSCHybridPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net'
+ azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com'
+ azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com'
+ azureCosmosCassandraPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cassandra.cosmos.azure.com'
+ azureCosmosGremlinPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.gremlin.cosmos.azure.com'
+ azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com'
+ azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net'
+ azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com'
+ azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net'
+ azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com'
+ azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureStorageQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
+ azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
+ azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net'
+ azureStorageStaticWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
+ azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
+ azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
+ azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
+ azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
+ azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
+ azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net'
+ azureMediaServicesKeyPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
+ azureMediaServicesLivePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
+ azureMediaServicesStreamPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
+ azureMonitorPrivateDnsZoneId1: '${varPrivateDnsZonesBaseResourceId}privatelink.monitor.azure.com'
+ azureMonitorPrivateDnsZoneId2: '${varPrivateDnsZonesBaseResourceId}privatelink.oms.opinsights.azure.com'
+ azureMonitorPrivateDnsZoneId3: '${varPrivateDnsZonesBaseResourceId}privatelink.ods.opinsights.azure.com'
+ azureMonitorPrivateDnsZoneId4: '${varPrivateDnsZonesBaseResourceId}privatelink.agentsvc.azure-automation.net'
+ azureMonitorPrivateDnsZoneId5: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com'
+ azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com'
+ azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io'
+ azureAsrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com'
+ azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net'
+ azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net'
+ azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net'
+ azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net'
+ azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net'
+ azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com'
+ azureIotHubsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net'
+ azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net'
+ azureRedisCachePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.redis.cache.windows.net'
+ azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io'
+ azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net'
+ azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms'
+ azureServiceBusNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net'
+ azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net'
+}
+
+// **Scope**
+targetScope = 'managementGroup'
+
+// Optional Deployments for Customer Usage Attribution
+module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+module modCustomerUsageAttributionZtnP1 '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut && varZtnP1Trigger) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varZtnP1CuaId}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+// Modules - Policy Assignments - Intermediate Root Management Group
+// Module - Policy Assignment - Deploy-MDFC-Config
+module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCConfig.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployMDFCConfig.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ emailSecurityContact: {
+ value: parMsDefenderForCloudEmailSecurityContact
+ }
+ ascExportResourceGroupLocation: {
+ value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ 
} + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCConfig.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-MDEndpoints +module modPolicyAssignmentIntRootDeployMDEnpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDEndpoints.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDEnpoints + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDEndpoints.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDEndpoints.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDEndpoints.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-AzActivity-Log +module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzActivityLog.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAzActivityLog.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployAzActivityLog.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-ASC-Monitoring +module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-Resource-Diag +module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployResourceDiag.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Monitoring +module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics_1: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VMSS-Monitoring +module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics_1: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Enforce-ACSB +module modPolicyAssignmentIntRootEnforceAcsb '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceACSB.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootEnforceAcsb + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceACSB.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceACSB.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceACSB.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceACSB.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceACSB.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceACSB.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceACSB.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-MDFC-OssDb +module modPolicyAssignmentIntRootDeployMdfcOssDb '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCOssDb.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcOssDb + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCOssDb.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDFCOssDb.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCOssDb.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-MDFC-SqlAtp +module modPolicyAssignmentIntRootDeployMdfcSqlAtp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcSqlAtp + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCSqlAtp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.sqlSecurityManager + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Audit-UnusedResources +module modPolicyAssignmentIntRootAuditUnusedRes '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditUnusedResources.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootAuditUnusedRes + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditUnusedResources.definitionId + parPolicyAssignmentName: varPolicyAssignmentAuditUnusedResources.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentAuditUnusedResources.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentAuditUnusedResources.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentAuditUnusedResources.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentAuditUnusedResources.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentAuditUnusedResources.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-UnmanagedDisk +module modPolicyAssignmentIntRootDenyUnmanagedDisks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyUnmanagedDisk.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDenyUnmanagedDisks + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyUnmanagedDisk.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.enforcementMode + parPolicyAssignmentOverrides: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.overrides + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Classic-Resources +module modPolicyAssignmentIntRootDenyClassicRes '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyClassicResources.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDenyClassicRes + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyClassicResources.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyClassicResources.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyClassicResources.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyClassicResources.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyClassicResources.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyClassicResources.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyClassicResources.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Connectivity Management Group +// Module - Policy Assignment - Enable-DDoS-VNET +module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) { + scope: managementGroup(varManagementGroupIds.platformConnectivity) + name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + ddosPlan: { + value: parDdosProtectionPlanId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Identity Management Group +// Module - Policy Assignment - Deny-Public-IP +module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIP.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-MgmtPorts-Internet +module modPolicyAssignmentIdentDenyMgmtFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyMgmtPortsFromInternet + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyMgmtPortsInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Subnet-Without-Nsg +module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Backup +module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + exclusionTagName: { + value: parVmBackupExclusionTagName + } + exclusionTagValue: { + value: parVmBackupExclusionTagValue + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Management Management Group +// Module - Policy Assignment - Deploy-Log-Analytics +module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployLogAnalytics.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformManagement) + name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + rgName: { + value: varLogAnalyticsWorkspaceResourceGroupName + } + workspaceName: { + value: varLogAnalyticsWorkspaceName + } + workspaceRegion: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + } + dataRetention: { + value: parLogAnalyticsWorkspaceLogRetentionInDays + } + automationAccountName: { + value: parAutomationAccountName + } + automationRegion: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Landing Zones Management Group +// Module - Policy Assignment - Deny-IP-Forwarding +module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIPForwarding.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyIPForwarding.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIPForwarding.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyIPForwarding.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-MgmtPorts-Internet
+module modPolicyAssignmentLzsDenyMgmtFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyMgmtPortsFromInternet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyMgmtPortsInternet.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Subnet-Without-Nsg
+module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Backup
+module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ exclusionTagName: {
+ value: parVmBackupExclusionTagName
+ }
+ exclusionTagValue: {
+ value: parVmBackupExclusionTagValue
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enable-DDoS-VNET
+module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ ddosPlan: {
+ value: parDdosProtectionPlanId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.networkContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Storage-http
+module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyStoragehttp.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStoragehttp.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyStoragehttp.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStoragehttp.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyStoragehttp.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-AKS-Policy
+module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.aksContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Escalation-AKS
+module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAKS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Containers-AKS
+module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAKS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-AKS-HTTPS
+module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAKSHTTPS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-TLS-SSL
+module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceTLSSSL.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTLSSSL.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceTLSSSL.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTLSSSL.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-AzSqlDb-Auditing
+module modPolicyAssignmentLzsDeployAzSqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parLogAnalyticsWorkspaceResourceId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.name))) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAzSqlDbAuditing
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAzSqlDbAuditing.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ logAnalyticsWorkspaceId: {
+ value: parLogAnalyticsWorkspaceResourceId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.sqlSecurityManager
+ ]
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: [
+ varLogAnalyticsWorkspaceSubscription
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-Threat
+module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLThreat.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLThreat.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLThreat.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLThreat.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeploySQLThreat.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-TDE
+module modPolicyAssignmentLzsDeploySqlTde '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLTDE.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlTde
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLTDE.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLTDE.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLTDE.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLTDE.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLTDE.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLTDE.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeploySQLTDE.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.sqlSecurityManager
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-GR-KeyVault
+module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceGrKeyVault
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceGRKeyVault.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceGRKeyVault.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Audit-AppGW-WAF
+module modPolicyAssignmentLzsAuditAppGwWaf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditAppGWWAF.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsAuditAppGwWaf
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditAppGWWAF.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentAuditAppGWWAF.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentAuditAppGWWAF.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Corp Management Group
+// Module - Policy Assignment - Deny-Public-Endpoints
+module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicEndpoints.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Module - Policy Assignment - Deploy-Private-DNS-Zones
+module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name)) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployPrivateDNSZones.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ azureFilePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId
+ }
+ azureAutomationWebhookPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId
+ }
+ azureAutomationDSCHybridPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAutomationDSCHybridPrivateDnsZoneId
+ }
+ azureCosmosSQLPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId
+ }
+ azureCosmosMongoPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId
+ }
+ azureCosmosCassandraPrivateDnsZoneId: {
+ value: 
varPrivateDnsZonesFinalResourceIds.azureCosmosCassandraPrivateDnsZoneId
+ }
+ azureCosmosGremlinPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosGremlinPrivateDnsZoneId
+ }
+ azureCosmosTablePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosTablePrivateDnsZoneId
+ }
+ azureDataFactoryPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId
+ }
+ azureDataFactoryPortalPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId
+ }
+ azureHDInsightPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId
+ }
+ azureMigratePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMigratePrivateDnsZoneId
+ }
+ azureStorageBlobPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobPrivateDnsZoneId
+ }
+ azureStorageBlobSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobSecPrivateDnsZoneId
+ }
+ azureStorageQueuePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageQueuePrivateDnsZoneId
+ }
+ azureStorageQueueSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageQueueSecPrivateDnsZoneId
+ }
+ azureStorageFilePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageFilePrivateDnsZoneId
+ }
+ azureStorageStaticWebPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebPrivateDnsZoneId
+ }
+ azureStorageStaticWebSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebSecPrivateDnsZoneId
+ }
+ azureStorageDFSPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSPrivateDnsZoneId
+ }
+ azureStorageDFSSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSSecPrivateDnsZoneId
+ }
+ azureSynapseSQLPrivateDnsZoneId: {
+ value: 
varPrivateDnsZonesFinalResourceIds.azureSynapseSQLPrivateDnsZoneId
+ }
+ azureSynapseSQLODPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLODPrivateDnsZoneId
+ }
+ azureSynapseDevPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureSynapseDevPrivateDnsZoneId
+ }
+ azureMediaServicesKeyPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId
+ }
+ azureMediaServicesLivePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesLivePrivateDnsZoneId
+ }
+ azureMediaServicesStreamPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesStreamPrivateDnsZoneId
+ }
+ azureMonitorPrivateDnsZoneId1: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1
+ }
+ azureMonitorPrivateDnsZoneId2: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId2
+ }
+ azureMonitorPrivateDnsZoneId3: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId3
+ }
+ azureMonitorPrivateDnsZoneId4: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId4
+ }
+ azureMonitorPrivateDnsZoneId5: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId5
+ }
+ azureWebPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureWebPrivateDnsZoneId
+ }
+ azureBatchPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId
+ }
+ azureAppPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId
+ }
+ azureAsrPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId
+ }
+ azureIotPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureIotPrivateDnsZoneId
+ }
+ azureKeyVaultPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureKeyVaultPrivateDnsZoneId
+ }
+ azureSignalRPrivateDnsZoneId: {
+ value: 
varPrivateDnsZonesFinalResourceIds.azureSignalRPrivateDnsZoneId
+ }
+ azureAppServicesPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId
+ }
+ azureEventGridTopicsPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId
+ }
+ azureDiskAccessPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId
+ }
+ azureCognitiveServicesPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId
+ }
+ azureIotHubsPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId
+ }
+ azureEventGridDomainsPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId
+ }
+ azureRedisCachePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureRedisCachePrivateDnsZoneId
+ }
+ azureAcrPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId
+ }
+ azureEventHubNamespacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId
+ }
+ azureMachineLearningWorkspacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId
+ }
+ azureServiceBusNamespacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureServiceBusNamespacePrivateDnsZoneId
+ }
+ azureCognitiveSearchPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.networkContributor
+ ]
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: [
+ varPrivateDnsZonesResourceGroupSubscriptionId
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Module - Policy Assignment - Deny-Public-IP-On-NIC
+module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyPipOnNic}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIPOnNIC.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Module - Policy Assignment - Deny-HybridNetworking
+module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyHybridNetworking.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyHybridNet}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyHybridNetworking.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyHybridNetworking.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyHybridNetworking.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Module - Policy Assignment - Audit-PeDnsZones
+module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditPeDnsZones.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpAuditPeDnsZones}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditPeDnsZones.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentAuditPeDnsZones.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: empty(parPrivateDnsZonesNamesToAuditInCorp) ? {} : {
+ privateLinkDnsZones: {
+ value: parPrivateDnsZonesNamesToAuditInCorp
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentAuditPeDnsZones.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Modules - Policy Assignments - Decommissioned Management Group
+// Module - Policy Assignment - Enforce-ALZ-Decomm
+module modPolicyAssignmentDecommEnforceAlz '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceALZDecomm.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.decommissioned)
+ name: varModuleDeploymentNames.modPolicyAssignmentDecommEnforceAlz
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceALZDecomm.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceALZDecomm.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceALZDecomm.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.vmContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Sandbox Management Group
+// Module - Policy Assignment - Enforce-ALZ-Sandbox
+module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceALZSandbox.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.sandbox)
+ name: varModuleDeploymentNames.modPolicyAssignmentSandboxEnforceAlz
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceALZSandbox.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceALZSandbox.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceALZSandbox.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json
new file mode 100644
index 00000000..03011f7f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json
@@ -0,0 +1,114 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": true,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "error"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "error",
+ "disallowedhosts": [
+ "management.core.windows.net",
+ "gallery.azure.com",
+ "management.core.windows.net",
+ "management.azure.com",
+ "login.microsoftonline.com",
+ "graph.windows.net",
+ "trafficmanager.net",
+ "vault.azure.net",
+ "datalake.azure.net",
+ "azuredatalakestore.net",
+ "azuredatalakeanalytics.net",
+ "vault.azure.net",
+ "api.loganalytics.io",
+ "api.loganalytics.iov1",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "api.loganalytics.iov1",
+ "api.loganalytics.io",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "batch.core.windows.net"
+ ],
+ "excludedhosts": [
+ "schema.management.azure.com"
+ ]
+ },
+ "no-unnecessary-dependson": {
+ "level": "error"
+ },
+ "no-unused-params": {
+ "level": "error"
+ },
+ "no-unused-vars": {
+ "level": "error"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "error"
+ },
+ "prefer-interpolation": {
+ "level": "error"
+ },
+ "secure-parameter-default": {
+ "level": "error"
+ },
+ "simplify-interpolation": {
+ "level": "error"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "error"
+ },
+ "use-stable-vm-image": {
+ "level": "error"
+ },
+ "explicit-values-for-loc-params": {
+ "level": "error"
+ },
+ "no-hardcoded-location": {
+ "level": "error"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "error"
+ },
+ "max-outputs": {
+ "level": "error"
+ },
+ "max-params": {
+ "level": "error"
+ },
+ "max-resources": {
+ "level": "error"
+ },
+ "max-variables": {
+ "level": "error"
+ },
+ "artifacts-parameters":{
+ "level": "error"
+ },
+ "no-unused-existing-resources":{
+ "level": "error"
+ },
+ "prefer-unquoted-property-names":{
+ "level": "error"
+ },
+ "secure-params-in-nested-deploy":{
+ "level": "error"
+ },
+ "secure-secrets-in-params":{
+ "level": "error"
+ },
+ "use-recent-api-versions":{
+ "level": "error"
+ },
+ "use-resource-id-functions":{
+ "level": "error"
+ },
+ "use-stable-resource-identifiers":{
+ "level": "error"
+ }
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
new file mode 100644
index 00000000..5cae91a4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
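Review bot: The `disallowedhosts` array under `no-hardcoded-env-urls` lists six hosts twice (`management.core.windows.net`, `vault.azure.net`, `api.loganalytics.io`, `api.loganalytics.iov1`, `asazure.windows.net`, `region.asazure.windows.net`); the linter tolerates this, but the duplicates make the list harder to audit, so drop the second occurrence of each. Because this config sits beside the `mc-` (China cloud) variant of the module, note that every listed host is a public-cloud endpoint, so a hard-coded sovereign-cloud endpoint would presumably pass the rule unflagged — confirm against the upstream ALZ-Bicep config whether that is intended. The spacing is also inconsistent: rules from `artifacts-parameters` onward are written `":{` while the earlier ones use `": {`.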
@@ -0,0 +1,212 @@
+# ALZ Bicep - ALZ Default Policy Assignments
+
+This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy.
+parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
+parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
+parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.
+parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed.
+parLogAnalyticsWorkspaceResourceId | No | Log Analytics Workspace Resource ID.
+parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace.
+parAutomationAccountName | No | Automation account name.
+parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.
+parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
+parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that conatin the Private DNS Zones. 
If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.
+parPrivateDnsZonesNamesToAuditInCorp | No | Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules.
+parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
+parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.
+parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
+parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parTopLevelManagementGroupPrefix
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Prefix for the management group hierarchy. 
+
+- Default value: `alz`
+
+### parTopLevelManagementGroupSuffix
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
+
+### parPlatformMgAlzDefaultsEnable
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
+
+- Default value: `True`
+
+### parLandingZoneChildrenMgAlzDefaultsEnable
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.
+
+- Default value: `True`
+
+### parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The region where the Log Analytics Workspace & Automation Account are deployed.
+
+- Default value: `eastus`
+
+### parLogAnalyticsWorkspaceResourceId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Log Analytics Workspace Resource ID.
+
+### parLogAnalyticsWorkspaceLogRetentionInDays
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Number of days of log retention for Log Analytics Workspace.
+
+- Default value: `365`
+
+### parAutomationAccountName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Automation account name. 
+
+- Default value: `alz-automation-account`
+
+### parMsDefenderForCloudEmailSecurityContact
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.
+
+- Default value: `security_contact@replace_me.com`
+
+### parDdosProtectionPlanId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
+
+### parPrivateDnsResourceGroupId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.
+
+### parPrivateDnsZonesNamesToAuditInCorp
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules. 
+
+### parDisableAlzDefaultPolicies
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
+
+- Default value: `False`
+
+### parVmBackupExclusionTagName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.
+
+### parVmBackupExclusionTagValue
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
+
+### parExcludedPolicyAssignments
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Adding assignment definition names to this array will exclude the specific policies from assignment. 
Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.json"
+ },
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parPlatformMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parLandingZoneChildrenMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": ""
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": "365"
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parMsDefenderForCloudEmailSecurityContact": {
+ "value": "security_contact@replace_me.com"
+ },
+ "parDdosProtectionPlanId": {
+ "value": ""
+ },
+ "parPrivateDnsResourceGroupId": {
+ "value": ""
+ },
+ "parPrivateDnsZonesNamesToAuditInCorp": {
+ "value": []
+ },
+ "parDisableAlzDefaultPolicies": {
+ "value": false
+ },
+ "parVmBackupExclusionTagName": {
+ "value": ""
+ },
+ "parVmBackupExclusionTagValue": {
+ "value": []
+ },
+ "parExcludedPolicyAssignments": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md
new file mode 100644
index 00000000..47872083
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md
@@ -0,0 +1,138 @@
+# ALZ Bicep - ALZ Default Policy Assignments
+
+This policy assignment will assign the ALZ Default Policy to management groups
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy.
+parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
+parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed.
+parLogAnalyticsWorkspaceResourceID | No | Log Analytics Workspace Resource ID.
+parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace.
+parAutomationAccountName | No | Automation account name.
+parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.
+parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
+parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parTopLevelManagementGroupPrefix
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Prefix for the management group hierarchy.
+
+- Default value: `alz`
+
+### parTopLevelManagementGroupSuffix
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. 
Include a preceding dash if required. Example: -suffix
+
+### parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The region where the Log Analytics Workspace & Automation Account are deployed.
+
+- Default value: `chinaeast2`
+
+### parLogAnalyticsWorkspaceResourceID
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Log Analytics Workspace Resource ID.
+
+### parLogAnalyticsWorkspaceLogRetentionInDays
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Number of days of log retention for Log Analytics Workspace.
+
+- Default value: `365`
+
+### parAutomationAccountName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Automation account name.
+
+- Default value: `alz-automation-account`
+
+### parMsDefenderForCloudEmailSecurityContact
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.
+
+- Default value: `security_contact@replace_me.com`
+
+### parDdosProtectionPlanId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
+
+### parDisableAlzDefaultPolicies
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Enforcement Mode of all default Policies assignments to Do Not Enforce. 
+
+- Default value: `False`
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.json"
+ },
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
+ "value": "chinaeast2"
+ },
+ "parLogAnalyticsWorkspaceResourceID": {
+ "value": ""
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": "365"
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parMsDefenderForCloudEmailSecurityContact": {
+ "value": "security_contact@replace_me.com"
+ },
+ "parDdosProtectionPlanId": {
+ "value": ""
+ },
+ "parDisableAlzDefaultPolicies": {
+ "value": false
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
new file mode 100644
index 00000000..41404cf7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
@@ -0,0 +1,724 @@
+metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
+metadata description = 'This policy assignment will assign the ALZ Default Policy to management groups'
+
+@sys.description('Prefix for the management group hierarchy.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('The region where the Log Analytics Workspace & Automation Account are deployed.')
+param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'chinaeast2'
+
+@sys.description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceID string = ''
+
+@sys.description('Number of days of log retention for Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceLogRetentionInDays string = '365'
+
+@sys.description('Automation account name.')
+param parAutomationAccountName string = 'alz-automation-account'
+
+@sys.description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.')
+param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com'
+
+@sys.description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. 
If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.')
+param parDdosProtectionPlanId string = ''
+
+@sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.')
+param parDisableAlzDefaultPolicies bool = false
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceID, '/')[8]
+
+var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceID, '/')[4]
+
+// Customer Usage Attribution Id
+var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2'
+
+// **Variables**
+// Orchestration Module Variables
+var varDeploymentNameWrappers = {
+ basePrefix: 'ALZBicep'
+ #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ baseSuffixTenantAndManagementGroup: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}'
+}
+
+var varModuleDeploymentNames = {
+ modPolicyAssignmentIntRootDeployMDFCConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployASCMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResourceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployVMMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployVMSSMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenyRDPFromInternet: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyIPForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 
64)
+ modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsEnforceTLSSSL: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeploySQLDBAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeploySQLThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeployPrivateDNSZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyDataBPip: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBPip-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyDataBSku: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBSku-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyDataBVnet: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBVnet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+}
+
+// Policy Assignments Modules Variables
+
+var varPolicyAssignmentEnforceAKSHTTPS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyIPForwarding = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPrivContainersAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPrivEscalationAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPublicEndpoints = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPublicIP = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: 
loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyRDPFromInternet = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyStoragehttp = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json'))
+}
+
+var varPolicyAssignmentDenySubnetWithoutNsg = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployAKSPolicy = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployASCMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployLogAnalytics = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955'
+ libDefinition: 
loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployMDFCConfig = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployResourceDiag = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json'))
+}
+
+var varPolicyAssignmentDeploySQLDBAuditing = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json'))
+}
+var varPolicyAssignmentDeploySQLThreat = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployVMBackup = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployVMMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
+ libDefinition: 
loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployVMSSMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json'))
+}
+
+var varPolicyAssignmentEnableDDoSVNET = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json'))
+}
+
+var varPolicyAssignmentEnforceTLSSSL = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json'))
+}
+
+// RBAC Role Definitions Variables - Used For Policy Assignments
+var varRBACRoleDefinitionIDs = {
+ owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7'
+ aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+}
+
+// Management Groups Variables - Used For Policy Assignments
+var varManagementGroupIDs = {
+ intRoot: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ platform: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management${parTopLevelManagementGroupSuffix}'
+ platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity${parTopLevelManagementGroupSuffix}'
+ platformIdentity: 
'${parTopLevelManagementGroupPrefix}-platform-identity${parTopLevelManagementGroupSuffix}'
+ landingZones: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online${parTopLevelManagementGroupSuffix}'
+ decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ sandbox: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+}
+
+var varTopLevelManagementGroupResourceID = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIDs.intRoot}'
+
+// **Scope**
+targetScope = 'managementGroup'
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+// Modules - Policy Assignments - Intermediate Root Management Group
+// Module - Policy Assignment - Deploy-MDFC-Config
+module modPolicyAssignmentIntRootDeployMDFCConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDFCConfig
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCConfig.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployMDFCConfig.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ emailSecurityContact: {
+ value: parMsDefenderForCloudEmailSecurityContact
+ }
+ ascExportResourceGroupLocation: {
+ value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ }
+ logAnalytics: {
+ value: parLogAnalyticsWorkspaceResourceID
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCConfig.libDefinition.identity.type
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-ASC-Monitoring +module modPolicyAssignmentIntRootDeployASCMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + // dependsOn: [ + // modCustomPolicyDefinitions + // ] + scope: managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployASCMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-Resource-Diag +module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceID + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Monitoring +module modPolicyAssignmentIntRootDeployVMMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics_1: { + value: parLogAnalyticsWorkspaceResourceID + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VMSS-Monitoring +module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMSSMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics_1: { + value: parLogAnalyticsWorkspaceResourceID + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Connectivity Management Group +// Module - Policy Assignment - Enable-DDoS-VNET +module modPolicyAssignmentConnEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) { + scope: managementGroup(varManagementGroupIDs.platformConnectivity) + name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + ddosPlan: { + value: parDdosProtectionPlanId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.networkContributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Identity Management Group +// Module - Policy Assignment - Deny-Public-IP +module modPolicyAssignmentIdentDenyPublicIP '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIP + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-RDP-From-Internet +module modPolicyAssignmentIdentDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRDPFromInternet + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRDPFromInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Subnet-Without-Nsg +module modPolicyAssignmentIdentDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNSG + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Backup +module modPolicyAssignmentIdentDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVMBackup + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Management Management Group +// Module - Policy Assignment - Deploy-Log-Analytics +module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.platformManagement) + name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + rgName: { + value: varLogAnalyticsWorkspaceResourceGroupName + } + workspaceName: { + value: varLogAnalyticsWorkspaceName + } + workspaceRegion: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + } + dataRetention: { + value: parLogAnalyticsWorkspaceLogRetentionInDays + } + automationAccountName: { + value: parAutomationAccountName + } + automationRegion: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Landing Zones Management Group +// Module - Policy Assignment - Deny-IP-Forwarding +module modPolicyAssignmentLZsDenyIPForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyIPForwarding + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIPForwarding.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyIPForwarding.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIPForwarding.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyIPForwarding.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-RDP-From-Internet +module modPolicyAssignmentLZstDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyRDPFromInternet + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRDPFromInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Subnet-Without-Nsg +module modPolicyAssignmentLZsDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDenySubnetWithoutNSG + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Backup +module modPolicyAssignmentLZsDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployVMBackup + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Enable-DDoS-VNET +module modPolicyAssignmentLZsEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsEnableDDoSVNET + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + ddosPlan: { + value: parDdosProtectionPlanId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.networkContributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Storage-http +module modPolicyAssignmentLZsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyStorageHttp + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStoragehttp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyStoragehttp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStoragehttp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyStoragehttp.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-AKS-Policy +module modPolicyAssignmentLZsDeployAKSPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.aksContributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Priv-Escalation-AKS +module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivEscalationAKS + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAKS.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Priv-Containers-AKS +module modPolicyAssignmentLZsDenyPrivContainersAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivContainersAKS + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAKS.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Enforce-AKS-HTTPS +module modPolicyAssignmentLZsEnforceAKSHTTPS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceAKSHTTPS + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAKSHTTPS.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Enforce-TLS-SSL +module modPolicyAssignmentLZsEnforceTLSSSL '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceTLSSSL + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTLSSSL.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceTLSSSL.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTLSSSL.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-DB-Auditing
+module modPolicyAssignmentLZsDeploySQLDBAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLDBAuditing
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLDBAuditing.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-Threat
+module modPolicyAssignmentLZsDeploySQLThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLThreat
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLThreat.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLThreat.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLThreat.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeploySQLThreat.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Corp Management Group
+// Module - Policy Assignment - Deny-Public-Endpoints
+module modPolicyAssignmentLZsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicEndpoints
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicEndpoints.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png
new file mode 100644
index 00000000..83520f85
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
new file mode 100644
index 00000000..d5b4e7ea
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": "365"
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parMsDefenderForCloudEmailSecurityContact": {
+ "value": "security_contact@replace_me.com"
+ },
+ "parDdosProtectionPlanId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-alz-hub-networking-001/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"
+ },
+ "parPrivateDnsResourceGroupId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-alz-hub-networking-001"
+ },
+ "parPrivateDnsZonesNamesToAuditInCorp": {
+ "value": []
+ },
+ "parDisableAlzDefaultPolicies": {
+ "value": false
+ },
+ "parVmBackupExclusionTagName": {
+ "value": ""
+ },
+ "parVmBackupExclusionTagValue": {
+ "value": []
+ },
+ "parExcludedPolicyAssignments": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
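Review bot: The `parMsDefenderForCloudEmailSecurityContact` value `security_contact@replace_me.com` and the `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/...` resource IDs for the Log Analytics workspace, DDoS plan and private DNS resource group are placeholders, but since a JSON parameter file cannot carry comments nothing in the file marks them as values that must be replaced before use. A deployment that consumes this file unedited would presumably point the Defender for Cloud contact and the DeployIfNotExists remediation targets at a mailbox and resources that do not exist, which is easy to miss because the deployment itself may still succeed. The same placeholders appear in the `.parameters.min.json` hunk that follows. Consider listing in the module README which parameters in these files are mandatory to edit, and which ones (the security contact in particular) silently degrade the security posture if left at the sample value.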
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
new file mode 100644
index 00000000..515ac113
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": "365"
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parMsDefenderForCloudEmailSecurityContact": {
+ "value": "security_contact@replace_me.com"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md
new file mode 100644
index 00000000..92036d22
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md
@@ -0,0 +1,204 @@ +# ALZ Bicep - Management Group Policy Assignments + +Module used to assign policy definitions to management groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parPolicyAssignmentName | Yes | The name of the policy assignment. e.g. "Deny-Public-IP" +parPolicyAssignmentDisplayName | Yes | The display name of the policy assignment. e.g. "Deny the creation of Public IPs" +parPolicyAssignmentDescription | Yes | The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope." +parPolicyAssignmentDefinitionId | Yes | The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP" +parPolicyAssignmentParameters | No | An object containing the parameter values for the policy to be assigned. +parPolicyAssignmentParameterOverrides | No | An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. +parPolicyAssignmentNonComplianceMessages | No | An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use. 
+parPolicyAssignmentNotScopes | No | An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. ['/providers/Microsoft.Management/managementgroups/alz', '/providers/Microsoft.Management/managementgroups/alz-sandbox' ]. +parPolicyAssignmentEnforcementMode | No | The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use. +parPolicyAssignmentOverrides | No | An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use. +parPolicyAssignmentResourceSelectors | No | An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use. +parPolicyAssignmentIdentityType | No | The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. +parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs | No | An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. ['alz', 'alz-sandbox' ]. +parPolicyAssignmentIdentityRoleAssignmentsSubs | No | An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ]. 
+parPolicyAssignmentIdentityRoleAssignmentsResourceGroups | No | An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ]. +parPolicyAssignmentIdentityRoleDefinitionIds | No | An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. ['/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c']. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parPolicyAssignmentName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The name of the policy assignment. e.g. "Deny-Public-IP" + +### parPolicyAssignmentDisplayName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The display name of the policy assignment. e.g. "Deny the creation of Public IPs" + +### parPolicyAssignmentDescription + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope." + +### parPolicyAssignmentDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The policy definition ID for the policy to be assigned. e.g. 
"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP" + +### parPolicyAssignmentParameters + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An object containing the parameter values for the policy to be assigned. + +### parPolicyAssignmentParameterOverrides + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. + +### parPolicyAssignmentNonComplianceMessages + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use. + +### parPolicyAssignmentNotScopes + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. ['/providers/Microsoft.Management/managementgroups/alz', '/providers/Microsoft.Management/managementgroups/alz-sandbox' ]. 
+ +### parPolicyAssignmentEnforcementMode + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use. + +- Default value: `Default` + +- Allowed values: `Default`, `DoNotEnforce` + +### parPolicyAssignmentOverrides + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use. + +### parPolicyAssignmentResourceSelectors + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use. + +### parPolicyAssignmentIdentityType + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. + +- Default value: `None` + +- Allowed values: `None`, `SystemAssigned` + +### parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. ['alz', 'alz-sandbox' ]. 
+ +### parPolicyAssignmentIdentityRoleAssignmentsSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ]. + +### parPolicyAssignmentIdentityRoleAssignmentsResourceGroups + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ]. + +### parPolicyAssignmentIdentityRoleDefinitionIds + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. ['/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c']. 
+ +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.json" + }, + "parameters": { + "parPolicyAssignmentName": { + "value": "" + }, + "parPolicyAssignmentDisplayName": { + "value": "" + }, + "parPolicyAssignmentDescription": { + "value": "" + }, + "parPolicyAssignmentDefinitionId": { + "value": "" + }, + "parPolicyAssignmentParameters": { + "value": {} + }, + "parPolicyAssignmentParameterOverrides": { + "value": {} + }, + "parPolicyAssignmentNonComplianceMessages": { + "value": [] + }, + "parPolicyAssignmentNotScopes": { + "value": [] + }, + "parPolicyAssignmentEnforcementMode": { + "value": "Default" + }, + "parPolicyAssignmentOverrides": { + "value": [] + }, + "parPolicyAssignmentResourceSelectors": { + "value": [] + }, + "parPolicyAssignmentIdentityType": { + "value": "None" + }, + "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": { + "value": [] + }, + "parPolicyAssignmentIdentityRoleAssignmentsSubs": { + "value": [] + }, + "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": { + "value": [] + }, + "parPolicyAssignmentIdentityRoleDefinitionIds": { + "value": [] + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/README.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/README.md new file mode 100644 index 00000000..23bd6f85 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/README.md 
@@ -0,0 +1,44 @@ +# Policy Assignments Library + +This directory contains the default policy assignments we make as part of the Azure Landing Zones (aka. Enterprise-scale) in JSON files. These can then be used in variables with the bicep functions of: + +- [`json()`](https://docs.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-object#json) +- [`loadJsonContent()`](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-files#loadjsoncontent) + +For example: + +```bicep +var varPolicyAssignmentDenyPublicIp = loadJsonContent('infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json') +``` + +Or you can use the export available in `_policyAssignmentsBicepInput.txt` to copy and paste into a variable to then use to assign policies but manage their properties from the JSON files, like below: + +```bicep +targetScope = 'tenant' + +@description('The management group scope to which the policy assignments are to be created at. 
DEFAULT VALUE = "alz"') +param parTargetManagementGroupId string = 'alz' + +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) + +var varPolicyAssignmentDenyPublicIp = { + name: 'Deny-Public-IP' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + libDefinition: loadJsonContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json') +} + +module modPolicyAssignmentDenyPublicIP '../../policyAssignments/policyAssignmentManagementGroup.bicep' = { + name: 'PolicyAssignmentDenyPublicIP' + scope: managementGroup('alz') + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name + } +} +``` + +> You do not have to use this method, but it is provided to you for ease and is used in the orchestration templates. +> +> You may also extend the library and add your own assignment files in following the pattern shown in the examples above. diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt new file mode 100644 index 00000000..32fa0350 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt 
@@ -0,0 +1,150 @@ +var varPolicyAssignmentDenyAppGWWithoutWAF = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json') +} + +var varPolicyAssignmentEnforceAKSHTTPS = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json') +} + +var varPolicyAssignmentDenyIPForwarding = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json') +} + +var varPolicyAssignmentDenyPrivContainersAKS = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json') +} + +var varPolicyAssignmentDenyPrivEscalationAKS = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json') +} + +var varPolicyAssignmentDenyPublicEndpoints = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json') +} + +var varPolicyAssignmentDenyPublicIP = { + definitionId: 
'${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json') +} + +var varPolicyAssignmentDenyRDPFromInternet = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json') +} + +var varPolicyAssignmentDenyResourceLocations = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json') +} + +var varPolicyAssignmentDenyResourceTypes = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json') +} + +var varPolicyAssignmentDenyRSGLocations = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json') +} + +var varPolicyAssignmentDenyStoragehttp = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json') +} + +var varPolicyAssignmentDenySubnetWithoutNsg = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + 
libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json') +} + +var varPolicyAssignmentDenySubnetWithoutUdr = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json') +} + +var varPolicyAssignmentDeployAKSPolicy = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json') +} + +var varPolicyAssignmentDeployASCMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployLogAnalytics = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json') +} + +var varPolicyAssignmentDeployLXArcMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployMDFCConfig = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' + libDefinition: 
loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json') +} + +var varPolicyAssignmentDeployPrivateDNSZones = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json') +} + +var varPolicyAssignmentDeployResourceDiag = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json') +} + +var varPolicyAssignmentDeploySQLDBAuditing = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json') +} + +var varPolicyAssignmentDeploySQLSecurity = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json') +} + +var varPolicyAssignmentDeploySQLThreat = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json') +} + +var varPolicyAssignmentDeployVMBackup = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' + libDefinition: 
loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json') +} + +var varPolicyAssignmentDeployVMMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployVMSSMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployWSArcMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json') +} + +var varPolicyAssignmentEnableDDoSVNET = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json') +} + +var varPolicyAssignmentEnforceTLSSSL = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json') +} + 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
new file mode 100644
index 00000000..9f1b873b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-AppGW-Without-WAF",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deny creation of App Gateway without WAF.",
+ "displayName": "Deny-AppGW-Without-WAF",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
new file mode 100644
index 00000000..bc0fa7bc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Enforce-AKS-HTTPS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should be accessible only over HTTPS",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
new file mode 100644
index 00000000..4cae9a5b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-IP-Forwarding",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
+ "displayName": "Network interfaces should disable IP forwarding",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
new file mode 100644
index 00000000..439b716c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Containers-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes cluster should not allow privileged containers",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
new file mode 100644
index 00000000..5aeff9c9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Escalation-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should not allow container privilege escalation",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
new file mode 100644
index 00000000..5fc9b2e3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-Public-Endpoints",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
new file mode 100644
index 00000000..af5e2e66
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -0,0 +1,27 @@
+{
+ "name": "Deny-Public-IP",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies creation of Public IPs under the assigned scope.",
+ "displayName": "Deny the creation of public IP",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "Microsoft.Network/publicIPAddresses"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
new file mode 100644
index 00000000..22eb6547
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-RDP-From-Internet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies any network security rule that allows RDP access from Internet.",
+ "displayName": "RDP access from the Internet should be blocked",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
new file mode 100644
index 00000000..8987d21d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-Resource-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
+ "displayName": "Limit allowed locations for Resources",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "chinanorth",
+ "chinaeast"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
new file mode 100644
index 00000000..83077e3f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Resource-Types",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the Resource Types to deny deployment by policy.",
+ "displayName": "Deny-Resource-Types",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
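Review bot: The Deny-Resource-Types assignment (second hunk on this line) references the same built-in definition `6c112d4e-5bc7-47ae-a041-ea2d9dccd749` that Deny-Public-IP on L349 uses, but passes only `effect` and omits `listOfResourceTypesNotAllowed`, which Deny-Public-IP supplies explicitly. As I recall, that built-in declares the resource-type list as a required parameter with no default, so unless the consuming Bicep module overrides the parameters this assignment will be rejected at deployment time rather than deny anything. Either add an explicit, reviewable entry such as `"listOfResourceTypesNotAllowed": { "value": [] }` next to `effect`, or state in the `description` that the list must be supplied by the caller.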
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
new file mode 100644
index 00000000..85ce629b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-RSG-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.",
+ "displayName": "Limit allowed locations for Resource Groups",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "chinanorth",
+ "chinaeast"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
new file mode 100644
index 00000000..7b7666cc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Storage-http",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
+ "displayName": "Secure transfer to storage accounts should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
new file mode 100644
index 00000000..f9dae08e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Nsg",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
+ "displayName": "Subnets should have a Network Security Group",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
new file mode 100644
index 00000000..d0052345
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Udr",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.",
+ "displayName": "Subnets should have a User-Defined Route",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
new file mode 100644
index 00000000..ce3dadeb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-AKS-Policy",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
+ "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
new file mode 100644
index 00000000..65e82db1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-ASC-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Monitoring in Microsoft Defender for Cloud.",
+ "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
new file mode 100644
index 00000000..c01d4dd4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@@ -0,0 +1,43 @@
+{
+ "name": "Deploy-Log-Analytics",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Log-Analytics.",
+ "displayName": "Deploy-Log-Analytics",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "workspaceName": {
+ "value": "${parTopLevelManagementGroupPrefix}-la"
+ },
+ "automationAccountName": {
+ "value": "${parTopLevelManagementGroupPrefix}-automation"
+ },
+ "workspaceRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "automationRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "dataRetention": {
+ "value": "30"
+ },
+ "sku": {
+ "value": "pergb2018"
+ },
+ "rgName": {
+ "value": "${parTopLevelManagementGroupPrefix}-mgmt"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
new file mode 100644
index 00000000..5694a3e3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
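Review bot: The `description` is just the assignment name with a full stop (`"description": "Deploy-Log-Analytics."`), which is all the portal will show to whoever later asks why a workspace and automation account appeared in the `${parTopLevelManagementGroupPrefix}-mgmt` resource group; Deploy-LX-Arc-Monitoring on L358 and Deploy-SQL-Security on L363 use the same name-as-description placeholder. The parameters here already say what the assignment provisions, so a one-line description derived from them, e.g. `"description": "Deploys the central Log Analytics workspace and Automation account into the management resource group, with 30-day retention on the pergb2018 sku."`, would make the assignment self-explanatory in compliance views and remediation tasks. The same treatment for the two sibling templates would remove the last placeholder descriptions from this library.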
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-LX-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Linux-Arc-Monitoring.",
+ "displayName": "Deploy-Linux-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
new file mode 100644
index 00000000..4e30db4c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
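Review bot: The `logAnalytics` workspace ID is built on the literal subscription `00000000-0000-0000-0000-000000000000`, while the resource-group and workspace segments of the same string use `${parTopLevelManagementGroupPrefix}` substitution tokens; Deploy-Resource-Diag on L362 and Deploy-VM-Monitoring on L366 carry the same all-zero subscription. If the consuming Bicep module does not override this parameter, every DeployIfNotExists remediation will target a workspace that cannot exist and fail, leaving the Arc machines unmonitored while the assignment itself looks healthy. Making the whole value a substitution token, e.g. `"value": "${PLACEHOLDER_LOG_ANALYTICS_WORKSPACE_RESOURCE_ID}"` (named per the module's token convention), or at least stating in the `description` that the caller must supply the workspace ID, makes the dependency explicit instead of hiding it in a plausible-looking resource ID.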
@@ -0,0 +1,40 @@
+{
+ "name": "Deploy-MDFC-Config",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy Microsoft Defender for Cloud configuration and Security Contacts",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "notScopes": [],
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "law-alz"
+ },
+ "ascExportResourceGroupName": {
+ "value": "asc-export-alz"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "chinaeast2"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
new file mode 100644
index 00000000..20ad8969
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
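Review bot: `ascExportResourceGroupLocation` is `chinaeast2`, but the Deny-Resource-Locations and Deny-RSG-Locations templates on L351 and L352 allow only `chinanorth` and `chinaeast`; if those assignments land at an overlapping scope, the Defender export resource group this assignment tries to create will be denied by the location policy and the continuous-export remediation will fail. The `logAnalytics` value is also a bare workspace name (`law-alz`) where the sibling monitoring templates pass full workspace resource IDs, and `ascExportResourceGroupName` hard-codes `asc-export-alz` instead of following the `${parTopLevelManagementGroupPrefix}` convention used by Deploy-Log-Analytics, so this assignment will presumably not find the workspace those templates deploy unless the module overrides it. Finally, `security_contact@replace_me` is not a deliverable address, so if `emailSecurityContact` is not overridden Defender alert notifications go nowhere. Suggest aligning the location with the allowed-location lists (or adding `chinaeast2` to both), expressing the workspace and export resource group via the same prefix tokens as the other templates, and making the contact an explicit substitution token rather than a plausible-looking literal.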
@@ -0,0 +1,82 @@
+{
+ "name": "Deploy-Private-DNS-Zones",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.",
+ "displayName": "Configure Azure PaaS services to use private DNS zones",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "azureFilePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.afs.azure.net"
+ },
+ "azureWebPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.webpubsub.azure.com"
+ },
+ "azureBatchPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.${parDefaultRegion}.batch.azure.com"
+ },
+ "azureAppPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.azconfig.io"
+ },
+ "azureAsrPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}${parDefaultRegion}.privatelink.siterecovery.windowsazure.com"
+ },
+ "azureIoTPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.azure-devices-provisioning.net"
+ },
+ "azureKeyVaultPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.vaultcore.azure.net"
+ },
+ "azureSignalRPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.service.signalr.net"
+ },
+ "azureAppServicesPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.azurewebsites.net"
+ },
+ "azureEventGridTopicsPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net"
+ },
+ "azureDiskAccessPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net"
+ },
+ "azureCognitiveServicesPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.cognitiveservices.azure.com"
+ },
+ "azureIotHubsPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.azure-devices.net"
+ },
+ "azureEventGridDomainsPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net"
+ },
+ "azureRedisCachePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.redis.cache.windows.net"
+ },
+ "azureAcrPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.azurecr.io"
+ },
+ "azureEventHubNamespacePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net"
+ },
+ "azureMachineLearningWorkspacePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.api.azureml.ms"
+ },
+ "azureServiceBusNamespacePrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net"
+ },
+ "azureCognitiveSearchPrivateDnsZoneId": {
+ "value": "${private_dns_zone_prefix}privatelink.search.windows.net"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
new file mode 100644
index 00000000..5ba31008
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
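Review bot: Every zone name in this `lib/china` template is the global-cloud suffix (`privatelink.vaultcore.azure.net`, `privatelink.blob.core.windows.net`, `privatelink.azurecr.io`, `privatelink.redis.cache.windows.net`, `privatelink.servicebus.windows.net`, `privatelink.azurewebsites.net`, and so on), whereas private endpoints in Azure China resolve against China-specific privatelink zone suffixes; as written, the DeployIfNotExists remediation would attach zone groups for names the China endpoints never resolve to, so the initiative would report compliant while private-endpoint DNS integration silently does nothing useful. Please verify each `azure*PrivateDnsZoneId` against the China-cloud private DNS zone list before this library is used for a China deployment, and note which entries (for example the Batch and ASR values that embed `${parDefaultRegion}`) genuinely differ per cloud. Separately, `${private_dns_zone_prefix}` is a snake_case token while the rest of the library uses camelCase tokens such as `${parTopLevelManagementGroupPrefix}` and `${varTopLevelManagementGroupResourceId}`; a consistent token name makes the substitution step easier to audit. The hunk spans L360–L361.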
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-Resource-Diag",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.",
+ "displayName": "Deploy-Resource-Diag",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
new file mode 100644
index 00000000..2ada6953
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-DB-Auditing",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
+ "displayName": "Auditing on SQL server should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "AuditIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
new file mode 100644
index 00000000..fb7ca3e4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-Security",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-SQL-Security.",
+ "displayName": "Deploy-SQL-Security",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
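Review bot: Deploy-SQL-DB-Auditing (first hunk on this line) sets `effect` to `AuditIfNotExists` yet still requests `"identity": { "type": "SystemAssigned" }`, exactly like the deploy-style assignments around it. An audit-only assignment never runs a remediation deployment, so the managed identity, and whatever role assignment the consuming module grants it at the management group, is standing privilege with no consumer. If the referenced definition `a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9` only offers AuditIfNotExists/Disabled, as I recall for "Auditing on SQL server should be enabled", change to `"type": "None"` and drop "Deploy" from the name; if it does accept DeployIfNotExists, set `"value": "DeployIfNotExists"` so the name, effect and identity agree.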
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
new file mode 100644
index 00000000..b290550f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SQL-Threat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
+ "displayName": "Deploy Threat Detection on SQL servers",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
new file mode 100644
index 00000000..fb2f2956
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Backup",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
+ "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
new file mode 100644
index 00000000..738007b0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
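Review bot: The `effect` value is spelled `"deployIfNotExists"` here while the other templates in this commit write the same effect as `"DeployIfNotExists"` (Deploy-SQL-Security, Deploy-WS-Arc-Monitoring), and Deny-AppGW-Without-WAF, Enforce-AKS-HTTPS, Deny-Priv-Containers-AKS and Deny-Priv-Escalation-AKS likewise use `"deny"` where the rest use `"Deny"`. As far as I know Azure Policy compares effect values case-insensitively, so this is style rather than behaviour, but mixed casing breaks simple grep-based audits of which assignments block versus audit. Use `"value": "DeployIfNotExists"` here and `"value": "Deny"` in the four deny templates so the library has one spelling per effect.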
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
+ "displayName": "Enable Azure Monitor for VMs",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
new file mode 100644
index 00000000..a6e14426
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
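Review bot: The `logAnalytics_1` value hard-codes `/subscriptions/00000000-0000-0000-0000-000000000000/` while the resource-group and workspace segments of the same id are templated through `${parTopLevelManagementGroupPrefix}`; if the deploying module does not also rewrite the subscription segment, the assignment is created successfully but points at a workspace that does not exist, and the `DeployIfNotExists` remediation is likely to fail without any error at assignment time, leaving VMs unmonitored. The same literal appears in Deploy-VMSS-Monitoring, Deploy-WS-Arc-Monitoring (`logAnalytics`) and Enable-DDoS-VNET (`ddosPlan`). Presumably the Bicep module substitutes the subscription id at deploy time; if so, expressing it with a templated placeholder of the same kind as `${parTopLevelManagementGroupPrefix}` would make that contract visible in the file, and a deploy-time check that the referenced workspace resolves would catch a missed substitution.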
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VMSS-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
+ "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
new file mode 100644
index 00000000..5ee6284d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-WS-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.",
+ "displayName": "Deploy-Windows-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
new file mode 100644
index 00000000..631e9147
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Enable-DDoS-VNET",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
+ "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Modify"
+ },
+ "ddosPlan": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.Network/ddosProtectionPlans/${parTopLevelManagementGroupPrefix}-ddos"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
new file mode 100644
index 00000000..96ff96fb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-TLS-SSL",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
new file mode 100644
index 00000000..18e58bca
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
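Review bot: The `description` tells the operator to "Choose either Deploy if not exist and append in combination with audit or Select Deny", but `parameters` is `{}`, so whatever effects the `Enforce-EncryptTransit` initiative defaults to are what this assignment applies and nothing in it lets that choice be made; either surface the effect parameter(s) the initiative defines here or reword the description to say the initiative defaults are used. The text is also garbled (`exsistense`, `polices`, "missing exsistense condition require then the combination of Audit"), which matters because this string is what shows up in compliance reports. A rewrite that keeps the author's meaning: `"Enforces TLS requirements and SSL on resources without encryption in transit. Use Deny to block non-compliant deployments, or DeployIfNotExists/Append together with Audit to remediate existing resources."` — to be checked against the initiative's actual effects. The `SystemAssigned` identity is only needed while a deploy, append or modify effect is active.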
@@ -0,0 +1,22 @@
+{
+ "name": "Audit-AppGW-WAF",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Assign the WAF should be enabled for Application Gateway audit policy.",
+ "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Audit"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
new file mode 100644
index 00000000..b7b2c607
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
@@ -0,0 +1,89 @@
+{
+ "name": "Audit-PeDnsZones",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.",
+ "displayName": "Audit Private Link Private DNS Zone resources",
+ "notScopes": [],
+ "parameters": {
+ "privateLinkDnsZones": {
+ "value": [
+ "privatelink.adf.azure.com",
+ "privatelink.afs.azure.net",
+ "privatelink.agentsvc.azure-automation.net",
+ "privatelink.analysis.windows.net",
+ "privatelink.api.azureml.ms",
+ "privatelink.azconfig.io",
+ "privatelink.azure-api.net",
+ "privatelink.azure-automation.net",
+ "privatelink.azurecr.io",
+ "privatelink.azure-devices.net",
+ "privatelink.azure-devices-provisioning.net",
+ "privatelink.azurehdinsight.net",
+ "privatelink.azurehealthcareapis.com",
+ "privatelink.azurestaticapps.net",
+ "privatelink.azuresynapse.net",
+ "privatelink.azurewebsites.net",
+ "privatelink.batch.azure.com",
+ "privatelink.blob.core.windows.net",
+ "privatelink.cassandra.cosmos.azure.com",
+ "privatelink.cognitiveservices.azure.com",
+ "privatelink.database.windows.net",
+ "privatelink.datafactory.azure.net",
+ "privatelink.dev.azuresynapse.net",
+ "privatelink.dfs.core.windows.net",
+ "privatelink.dicom.azurehealthcareapis.com",
+ "privatelink.digitaltwins.azure.net",
+ "privatelink.directline.botframework.com",
+ "privatelink.documents.azure.com",
+ "privatelink.eventgrid.azure.net",
+ "privatelink.file.core.windows.net",
+ "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.guestconfiguration.azure.com",
+ "privatelink.his.arc.azure.com",
+ "privatelink.kubernetesconfiguration.azure.com",
+ "privatelink.managedhsm.azure.net",
+ "privatelink.mariadb.database.azure.com",
+ "privatelink.media.azure.net",
+ "privatelink.mongo.cosmos.azure.com",
+ "privatelink.monitor.azure.com",
+ "privatelink.mysql.database.azure.com",
+ "privatelink.notebooks.azure.net",
+ "privatelink.ods.opinsights.azure.com",
+ "privatelink.oms.opinsights.azure.com",
+ "privatelink.pbidedicated.windows.net",
+ "privatelink.postgres.database.azure.com",
+ "privatelink.prod.migration.windowsazure.com",
+ "privatelink.purview.azure.com",
+ "privatelink.purviewstudio.azure.com",
+ "privatelink.queue.core.windows.net",
+ "privatelink.redis.cache.windows.net",
+ "privatelink.redisenterprise.cache.azure.net",
+ "privatelink.search.windows.net",
+ "privatelink.service.signalr.net",
+ "privatelink.servicebus.windows.net",
+ "privatelink.siterecovery.windowsazure.com",
+ "privatelink.sql.azuresynapse.net",
+ "privatelink.table.core.windows.net",
+ "privatelink.table.cosmos.azure.com",
+ "privatelink.tip1.powerquery.microsoft.com",
+ "privatelink.token.botframework.com",
+ "privatelink.vaultcore.azure.net",
+ "privatelink.web.core.windows.net",
+ "privatelink.webpubsub.azure.com"
+ ]
+ },
+ "effect": {
+ "value": "Audit"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json
new file mode 100644
index 00000000..a7403f5c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json
@@ -0,0 +1,28 @@
+{
+ "name": "Audit-UnusedResources",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This Policy initiative is a group of Policy definitions that help optimize cost by detecting unused but chargeable resources. Leverage this Policy initiative as a cost control to reveal orphaned resources that are driving cost.",
+ "displayName": "Unused resources driving cost should be avoided",
+ "notScopes": [],
+ "parameters": {
+ "EffectDisks": {
+ "value": "Audit"
+ },
+ "EffectPublicIpAddresses": {
+ "value": "Audit"
+ },
+ "EffectServerFarms": {
+ "value": "Audit"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
new file mode 100644
index 00000000..9f1b873b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-AppGW-Without-WAF",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deny creation of App Gateway without WAF.",
+ "displayName": "Deny-AppGW-Without-WAF",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json
new file mode 100644
index 00000000..34d0de81
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json
@@ -0,0 +1,83 @@
+{
+ "name": "Deny-Classic-Resources",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Denies deployment of classic resource types under the assigned scope.",
+ "displayName": "Deny the deployment of classic resources",
+ "notScopes": [],
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "Microsoft.ClassicCompute/capabilities",
+ "Microsoft.ClassicCompute/checkDomainNameAvailability",
+ "Microsoft.ClassicCompute/domainNames",
+ "Microsoft.ClassicCompute/domainNames/capabilities",
+ "Microsoft.ClassicCompute/domainNames/internalLoadBalancers",
+ "Microsoft.ClassicCompute/domainNames/serviceCertificates",
+ "Microsoft.ClassicCompute/domainNames/slots",
+ "Microsoft.ClassicCompute/domainNames/slots/roles",
+ "Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions",
+ "Microsoft.ClassicCompute/domainNames/slots/roles/metrics",
+ "Microsoft.ClassicCompute/moveSubscriptionResources",
+ "Microsoft.ClassicCompute/operatingSystemFamilies",
+ "Microsoft.ClassicCompute/operatingSystems",
+ "Microsoft.ClassicCompute/operations",
+ "Microsoft.ClassicCompute/operationStatuses",
+ "Microsoft.ClassicCompute/quotas",
+ "Microsoft.ClassicCompute/resourceTypes",
+ "Microsoft.ClassicCompute/validateSubscriptionMoveAvailability",
+ "Microsoft.ClassicCompute/virtualMachines",
+ "Microsoft.ClassicCompute/virtualMachines/diagnosticSettings",
+ "Microsoft.ClassicCompute/virtualMachines/metricDefinitions",
+ "Microsoft.ClassicCompute/virtualMachines/metrics",
+ "Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources",
+ "Microsoft.ClassicNetwork/capabilities",
+ "Microsoft.ClassicNetwork/expressRouteCrossConnections",
+ "Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings",
+ "Microsoft.ClassicNetwork/gatewaySupportedDevices",
+ "Microsoft.ClassicNetwork/networkSecurityGroups",
+ "Microsoft.ClassicNetwork/operations",
+ "Microsoft.ClassicNetwork/quotas",
+ "Microsoft.ClassicNetwork/reservedIps",
+ "Microsoft.ClassicNetwork/virtualNetworks",
+ "Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies",
+ "Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings",
+ "Microsoft.ClassicStorage/capabilities",
+ "Microsoft.ClassicStorage/checkStorageAccountAvailability",
+ "Microsoft.ClassicStorage/disks",
+ "Microsoft.ClassicStorage/images",
+ "Microsoft.ClassicStorage/operations",
+ "Microsoft.ClassicStorage/osImages",
+ "Microsoft.ClassicStorage/osPlatformImages",
+ "Microsoft.ClassicStorage/publicImages",
+ "Microsoft.ClassicStorage/quotas",
+ "Microsoft.ClassicStorage/storageAccounts",
+ "Microsoft.ClassicStorage/storageAccounts/blobServices",
+ "Microsoft.ClassicStorage/storageAccounts/fileServices",
+ "Microsoft.ClassicStorage/storageAccounts/metricDefinitions",
+ "Microsoft.ClassicStorage/storageAccounts/metrics",
+ "Microsoft.ClassicStorage/storageAccounts/queueServices",
+ "Microsoft.ClassicStorage/storageAccounts/services",
+ "Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings",
+ "Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions",
+ "Microsoft.ClassicStorage/storageAccounts/services/metrics",
+ "Microsoft.ClassicStorage/storageAccounts/tableServices",
+ "Microsoft.ClassicStorage/storageAccounts/vmImages",
+ "Microsoft.ClassicStorage/vmImages",
+ "Microsoft.ClassicSubscription/operations"
+ ]
+ },
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
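Review bot: The `listOfResourceTypesNotAllowed` array mixes the classic resource types a deployment can actually create (`Microsoft.ClassicCompute/virtualMachines`, `Microsoft.ClassicStorage/storageAccounts`, `Microsoft.ClassicNetwork/virtualNetworks`) with provider operations and read-only pseudo-types such as `Microsoft.ClassicCompute/operations`, `Microsoft.ClassicCompute/quotas`, `Microsoft.ClassicStorage/checkStorageAccountAvailability` and `Microsoft.ClassicSubscription/operations`, which a "not allowed resource types" deny is unlikely ever to match in a PUT request. Listing them is harmless but it reads as an unfiltered dump of the three provider namespaces rather than a curated deny list, which makes future review of what is and is not blocked harder. Either trim the list to creatable types or record in the generating module that the full namespace listing is intentional, so the next maintainer does not try to "fix" it. The hunk starts on the previous physical line.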
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json
new file mode 100644
index 00000000..220c4ef3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-DataB-Pip",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.",
+ "displayName": "Prevent usage of Databricks with public IP",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
new file mode 100644
index 00000000..47c94a04
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-DataB-Sku",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+ "displayName": "Enforces the use of Premium Databricks workspaces",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
new file mode 100644
index 00000000..0b531c95
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-DataB-Vnet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforces the use of vnet injection for Databricks workspaces.",
+ "displayName": "Enforces the use of vnet injection for Databricks",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
new file mode 100644
index 00000000..bc0fa7bc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Enforce-AKS-HTTPS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should be accessible only over HTTPS",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
new file mode 100644
index 00000000..da636ae7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
@@ -0,0 +1,34 @@
+{
+ "name": "Deny-HybridNetworking",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
+ "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources",
+ "notScopes": [],
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "microsoft.network/expressroutecircuits",
+ "microsoft.network/expressroutegateways",
+ "microsoft.network/expressrouteports",
+ "microsoft.network/virtualwans",
+ "microsoft.network/vpngateways",
+ "microsoft.network/p2svpngateways",
+ "microsoft.network/vpnsites",
+ "microsoft.network/virtualnetworkgateways"
+ ]
+ },
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
new file mode 100644
index 00000000..4cae9a5b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-IP-Forwarding",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
+ "displayName": "Network interfaces should disable IP forwarding",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json
new file mode 100644
index 00000000..148623cd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-MgmtPorts-Internet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies any network security rule that allows management port access from the Internet",
+ "displayName": "Management port access from the Internet should be blocked",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
new file mode 100644
index 00000000..439b716c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Containers-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes cluster should not allow privileged containers",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
new file mode 100644
index 00000000..5aeff9c9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Escalation-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should not allow container privilege escalation",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
new file mode 100644
index 00000000..5fc9b2e3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-Public-Endpoints",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
new file mode 100644
index 00000000..af5e2e66
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -0,0 +1,27 @@
+{
+ "name": "Deny-Public-IP",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies creation of Public IPs under the assigned scope.",
+ "displayName": "Deny the creation of public IP",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "Microsoft.Network/publicIPAddresses"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
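Review bot: Deny-Public-IP denies every `Microsoft.Network/publicIPAddresses` resource under the assigned scope with an empty `notScopes` and no statement of where the assignment is meant to land; assigned at or above a connectivity subscription it would also block the hub's gateway, firewall and bastion public IPs, which is presumably not intended. Consider recording the intended scope in the description, e.g. `"description": "This policy denies creation of Public IPs under the assigned scope. Intended for workload landing zones; do not assign above the connectivity subscription."`, or document how callers are expected to populate `notScopes`. The same consideration applies to Deny-Public-IP-On-NIC.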
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
new file mode 100644
index 00000000..0bc87033
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-Public-IP-On-NIC",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
+ "displayName": "Deny network interfaces having a public IP associated",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
new file mode 100644
index 00000000..22eb6547
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-RDP-From-Internet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies any network security rule that allows RDP access from Internet.",
+ "displayName": "RDP access from the Internet should be blocked",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
new file mode 100644
index 00000000..ce36f684
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-Resource-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
+ "displayName": "Limit allowed locations for Resources",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "uksouth",
+ "ukwest"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
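Review bot: The allowed-locations list in Deny-Resource-Locations (and likewise Deny-RSG-Locations) is hard-coded to `"uksouth"` and `"ukwest"`, whereas the rest of this template library parameterises region through `${parDefaultRegion}`; a consumer that sets any other default region would have its own deployments denied. Deploy-MDFC-Config in this same commit sets `ascExportResourceGroupLocation` to `"northeurope"`, which these two assignments would reject if all three land at the same scope. Consider driving the list from the region token, e.g. `"value": [ "${parDefaultRegion}" ]`, or state in the description that the list must be overridden per deployment.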
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
new file mode 100644
index 00000000..83077e3f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Resource-Types",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the Resource Types to deny deployment by policy.",
+ "displayName": "Deny-Resource-Types",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
new file mode 100644
index 00000000..bf27cdbb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
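Review bot: Deny-Resource-Types assigns the same built-in definition as Deny-Public-IP (`6c112d4e-5bc7-47ae-a041-ea2d9dccd749`) but supplies only `effect`; the `listOfResourceTypesNotAllowed` parameter that Deny-Public-IP passes is absent, so unless the consuming Bicep module injects it the assignment either fails to deploy or denies nothing. The description ("Specifies the Resource Types to deny deployment by policy.") suggests the list is meant to be filled in per deployment; if so, make that visible with an explicit placeholder `"listOfResourceTypesNotAllowed": { "value": [] }` and a sentence in the description saying the list must be populated, rather than leaving the omission silent.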
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-RSG-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.",
+ "displayName": "Limit allowed locations for Resource Groups",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "uksouth",
+ "ukwest"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
new file mode 100644
index 00000000..7b7666cc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Storage-http",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
+ "displayName": "Secure transfer to storage accounts should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
new file mode 100644
index 00000000..f9dae08e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
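Review bot: The description of Deny-Storage-http still opens with "Audit requirement of Secure transfer in your storage account…", copied from the built-in definition, while the assignment sets `"effect": "Deny"`; the description now misstates the behaviour a reader of the assignment will see. Suggest `"description": "Deny creation or update of storage accounts that do not require secure transfer (HTTPS). Secure transfer forces the account to accept requests only over secure connections, which ensures authentication between client and service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping and session hijacking."`.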
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Nsg",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
+ "displayName": "Subnets should have a Network Security Group",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
new file mode 100644
index 00000000..d0052345
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Udr",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.",
+ "displayName": "Subnets should have a User-Defined Route",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
new file mode 100644
index 00000000..3a14cf90
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
@@ -0,0 +1,24 @@
+{
+ "name": "Deny-UnmanagedDisk",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "properties": {
+ "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.",
+ "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
+ "scope": null,
+ "enforcementMode": "Default",
+ "overrides": [
+ {
+ "kind": "policyEffect",
+ "value": "Deny"
+ }
+ ]
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
new file mode 100644
index 00000000..ce3dadeb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
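Review bot: Deny-UnmanagedDisk is the only template in this set that declares `"apiVersion": "2022-06-01"` and it depends on the `overrides` block to turn the definition's effect into `Deny`; every other template declares `2019-09-01`. If the Bicep module that consumes these templates deploys the assignment resource with its own, older API version rather than the one in the template, the `overrides` block would be rejected or dropped and the assignment would silently fall back to the definition's built-in effect, which from the description appears to be audit-only. JSON admits no comment, so a line in this directory's README stating that this template requires an API version with overrides support would keep the dependency visible.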
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-AKS-Policy",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
+ "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
new file mode 100644
index 00000000..65e82db1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-ASC-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Monitoring in Microsoft Defender for Cloud.",
+ "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
new file mode 100644
index 00000000..31c87439
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-AzActivity-Log",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.",
+ "displayName": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json
new file mode 100644
index 00000000..e2c9c5ee
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json
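Review bot: The `logAnalytics` value in Deploy-AzActivity-Log embeds the placeholder subscription `00000000-0000-0000-0000-000000000000` as a literal while the resource-group and workspace names are `${parTopLevelManagementGroupPrefix}` tokens; the same pattern recurs in Deploy-AzSqlDb-Auditing, Deploy-LX-Arc-Monitoring and Deploy-Resource-Diag. Nothing marks the subscription for substitution, so a consumer that replaces only the `${…}` tokens deploys a DeployIfNotExists assignment whose remediation targets a workspace that does not exist, and the failure shows up only as persistent non-compliance with no logs arriving. Suggest a token in the same style, e.g. `/subscriptions/${parManagementSubscriptionId}/resourcegroups/…` (token name illustrative), so the substitution step cannot miss it. These assignments also carry a SystemAssigned identity whose remediation role assignments are not part of the template; confirm the consuming module grants them, since without them the DeployIfNotExists effect never completes.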
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-AzSqlDb-Auditing",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
+ "displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
new file mode 100644
index 00000000..b10cfbe9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@@ -0,0 +1,43 @@
+{
+ "name": "Deploy-Log-Analytics",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Log-Analytics.",
+ "displayName": "Deploy-Log-Analytics",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "workspaceName": {
+ "value": "${parTopLevelManagementGroupPrefix}-la"
+ },
+ "automationAccountName": {
+ "value": "${parTopLevelManagementGroupPrefix}-automation"
+ },
+ "workspaceRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "automationRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "dataRetention": {
+ "value": "30"
+ },
+ "sku": {
+ "value": "pergb2018"
+ },
+ "rgName": {
+ "value": "${parTopLevelManagementGroupPrefix}-mgmt"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
+ "scope": null,
+ "enforcementMode": "DoNotEnforce"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
new file mode 100644
index 00000000..5694a3e3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
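Review bot: The `description` of Deploy-Log-Analytics is just the assignment name with a full stop (`"Deploy-Log-Analytics."`), and Deploy-LX-Arc-Monitoring's is the same pattern (`"Deploy-Linux-Arc-Monitoring."`), whereas the other templates say what the assignment does. From the parameters here the workspace, automation account, region, retention and SKU are all driven by this assignment, so something like `"description": "Deploys the Log Analytics workspace and Automation account for the management resource group if they do not exist (workspace and account names derive from the top-level management group prefix)."` would tell a reader what it provisions; the Arc template deserves an equivalent one-liner taken from its definition. It is also worth stating in the description that this assignment uses `"enforcementMode": "DoNotEnforce"`, since the deployment then happens only through an explicit remediation task rather than on resource creation, which is easy to misread as "enforced" alongside the other DeployIfNotExists assignments.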
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-LX-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Linux-Arc-Monitoring.",
+ "displayName": "Deploy-Linux-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json
new file mode 100644
index 00000000..a26342b2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json
@@ -0,0 +1,31 @@
+{
+ "name": "Deploy-MDEndpoints",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
+ "displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
+ "notScopes": [],
+ "parameters": {
+ "microsoftDefenderForEndpointWindowsVmAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ },
+ "microsoftDefenderForEndpointLinuxVmAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ },
+ "microsoftDefenderForEndpointWindowsArcAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ },
+ "microsoftDefenderForEndpointLinuxArcAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
new file mode 100644
index 00000000..8ad348a1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
@@ -0,0 +1,76 @@
+{
+ "name": "Deploy-MDFC-Config",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy Microsoft Defender for Cloud configuration and Security Contacts",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "notScopes": [],
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "law-alz"
+ },
+ "ascExportResourceGroupName": {
+ "value": "asc-export-alz"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "northeurope"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForServersVulnerabilityAssessments": {
+ "value": "DeployIfNotExists"
+ },
+ "vulnerabilityAssessmentProvider": {
+ "value": "default"
+ },
+ "enableAscForSql": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForCosmosDbs": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForApis": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForCspm": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
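Review bot: Several parameters in Deploy-MDFC-Config are hard-coded where the rest of the library uses tokens: `"emailSecurityContact": "security_contact@replace_me"`, `"logAnalytics": "law-alz"`, `"ascExportResourceGroupName": "asc-export-alz"` and `"ascExportResourceGroupLocation": "northeurope"`, while Deploy-AzActivity-Log and its siblings derive the workspace from `${parTopLevelManagementGroupPrefix}-la` and regions from `${parDefaultRegion}`. A consumer that substitutes only the `${…}` tokens ends up with a Defender for Cloud export pointed at a workspace name that does not match the one the other assignments reference, an export resource group in a region that the Deny-Resource-Locations and Deny-RSG-Locations templates in this commit would deny, and a placeholder contact address that leaves security alert routing silently inoperative. Suggest `"ascExportResourceGroupLocation": "${parDefaultRegion}"`, a `logAnalytics` value built from `${parTopLevelManagementGroupPrefix}-la` in whatever form (name or resource ID) the initiative expects, and a token for the contact address such as `${parSecurityContactEmail}` (name illustrative) so the substitution step surfaces it.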
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
new file mode 100644
index 00000000..75df01f2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-MDFC-OssDb",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
+ "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
new file mode 100644
index 00000000..7672cf86
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-MDFC-SqlAtp",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
+ "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
new file mode 100644
index 00000000..930f9b48
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -0,0 +1,178 @@
+{
+ "name": "Deploy-Private-DNS-Zones",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.",
+ "displayName": "Configure Azure PaaS services to use private DNS zones",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "effect1": {
+ "value": "deployIfNotExists"
+ },
+ "azureFilePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureFilePrivateDnsZoneId]"
+ },
+ "azureAutomationWebhookPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationWebhookPrivateDnsZoneId]"
+ },
+ "azureAutomationDSCHybridPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationDSCHybridPrivateDnsZoneId]"
+ },
+ "azureCosmosSQLPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosSQLPrivateDnsZoneId]"
+ },
+ "azureCosmosMongoPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosMongoPrivateDnsZoneId]"
+ },
+ "azureCosmosCassandraPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosCassandraPrivateDnsZoneId]"
+ },
+ "azureCosmosGremlinPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosGremlinPrivateDnsZoneId]"
+ },
+ "azureCosmosTablePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId]"
+ },
+ "azureDataFactoryPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPrivateDnsZoneId]"
+ },
+ "azureDataFactoryPortalPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId]"
+ },
+ "azureHDInsightPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId]"
+ },
+ "azureMigratePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMigratePrivateDnsZoneId]"
+ },
+ "azureStorageBlobPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobPrivateDnsZoneId]"
+ },
+ "azureStorageBlobSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobSecPrivateDnsZoneId]"
+ },
+ "azureStorageQueuePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueuePrivateDnsZoneId]"
+ },
+ "azureStorageQueueSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueueSecPrivateDnsZoneId]"
+ },
+ "azureStorageFilePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageFilePrivateDnsZoneId]"
+ },
+ "azureStorageStaticWebPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebPrivateDnsZoneId]"
+ },
+ "azureStorageStaticWebSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebSecPrivateDnsZoneId]"
+ },
+ "azureStorageDFSPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSPrivateDnsZoneId]"
+ },
+ "azureStorageDFSSecPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSSecPrivateDnsZoneId]"
+ },
+ "azureSynapseSQLPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLPrivateDnsZoneId]"
+ },
+ "azureSynapseSQLODPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLODPrivateDnsZoneId]"
+ },
+ "azureSynapseDevPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseDevPrivateDnsZoneId]"
+ },
+ "azureMediaServicesKeyPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesKeyPrivateDnsZoneId]"
+ },
+ "azureMediaServicesLivePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesLivePrivateDnsZoneId]"
+ },
+ "azureMediaServicesStreamPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesStreamPrivateDnsZoneId]"
+ },
+ "azureMonitorPrivateDnsZoneId1": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId1]"
+ },
+ "azureMonitorPrivateDnsZoneId2": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId2]"
+ },
+ "azureMonitorPrivateDnsZoneId3": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId3]"
+ },
+ "azureMonitorPrivateDnsZoneId4": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId4]"
+ },
+ "azureMonitorPrivateDnsZoneId5": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId5]"
+ },
+ "azureWebPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureWebPrivateDnsZoneId]"
+ },
+ "azureBatchPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureBatchPrivateDnsZoneId]"
+ },
+ "azureAppPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId]"
+ },
+ "azureAsrPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAsrPrivateDnsZoneId]"
+ },
+ "azureIotPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotPrivateDnsZoneId]"
+ },
+ "azureKeyVaultPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId]"
+ },
+ "azureSignalRPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureSignalRPrivateDnsZoneId]"
+ },
+ "azureAppServicesPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppServicesPrivateDnsZoneId]"
+ },
+ "azureEventGridTopicsPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridTopicsPrivateDnsZoneId]"
+ },
+ "azureDiskAccessPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDiskAccessPrivateDnsZoneId]"
+ },
+ "azureCognitiveServicesPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveServicesPrivateDnsZoneId]"
+ },
+ "azureIotHubsPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotHubsPrivateDnsZoneId]"
+ },
+ "azureEventGridDomainsPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridDomainsPrivateDnsZoneId]"
+ },
+ "azureRedisCachePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureRedisCachePrivateDnsZoneId]"
+ },
+ "azureAcrPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId]"
+ },
+ "azureEventHubNamespacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventHubNamespacePrivateDnsZoneId]"
+ },
+ "azureMachineLearningWorkspacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId]"
+ },
+ "azureServiceBusNamespacePrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureServiceBusNamespacePrivateDnsZoneId]"
+ },
+ "azureCognitiveSearchPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveSearchPrivateDnsZoneId]"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
new file mode 100644
index 00000000..5ba31008
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-Resource-Diag",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.",
+ "displayName": "Deploy-Resource-Diag",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
new file mode 100644
index 00000000..2ada6953
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
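Review bot: The `logAnalytics` value hard-codes the subscription segment as the all-zero GUID `00000000-0000-0000-0000-000000000000` while the other segments use `${parTopLevelManagementGroupPrefix}` placeholders, so unless the template processor rewrites that segment the assignment will point at a workspace that does not exist and the DeployIfNotExists remediation will fail without an obvious cause. If the zero GUID is a deliberate placeholder for later substitution, a `${...}` token in the same style as the rest of the string, or a comment in the generator that fills these templates, would make that explicit. The same literal appears in the `logAnalytics_1`, `logAnalytics` and `ddosPlan` values of the Deploy-VM-Monitoring, Deploy-VMSS-Monitoring, Deploy-WS-Arc-Monitoring and Enable-DDoS-VNET templates below.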
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-DB-Auditing",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
+ "displayName": "Auditing on SQL server should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "AuditIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
new file mode 100644
index 00000000..fb7ca3e4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-Security",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-SQL-Security.",
+ "displayName": "Deploy-SQL-Security",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
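Review bot: `Deploy-SQL-DB-Auditing` is assigned with `"effect": "AuditIfNotExists"` but still requests `"identity": { "type": "SystemAssigned" }`; an audit-only effect performs no remediation, so the managed identity, and any role assignment the deployment module grants it, is unused and only widens the set of privileged principals to track. Either drop the identity (`"type": "None"`, as the Enforce-GR-KeyVault template does) or switch the effect to the deploy variant the `Deploy-` name implies, and state in the description which behaviour is intended.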
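Review bot: `Deploy-SQL-Security` and the `Deploy-SQL-TDE` template in the next file both set `policyDefinitionId` to the same built-in definition, `/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f`, so deploying both creates two differently named assignments of one policy. One of the two ids is presumably wrong, and the placeholder description `"Deploy-SQL-Security."` gives no hint which control this assignment is meant to enforce; resolve the duplicate and replace the description with a sentence that says what the policy does, as the other templates in this library do.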
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
new file mode 100644
index 00000000..fdf235a5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SQL-TDE",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.",
+ "displayName": "Deploy TDE on SQL servers",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
new file mode 100644
index 00000000..b290550f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SQL-Threat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
+ "displayName": "Deploy Threat Detection on SQL servers",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
new file mode 100644
index 00000000..fb2f2956
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Backup",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
+ "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
new file mode 100644
index 00000000..738007b0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
+ "displayName": "Enable Azure Monitor for VMs",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
new file mode 100644
index 00000000..a6e14426
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VMSS-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
+ "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
new file mode 100644
index 00000000..5ee6284d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-WS-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.",
+ "displayName": "Deploy-Windows-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
new file mode 100644
index 00000000..631e9147
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Enable-DDoS-VNET",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
+ "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Modify"
+ },
+ "ddosPlan": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.Network/ddosProtectionPlans/${parTopLevelManagementGroupPrefix}-ddos"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json
new file mode 100644
index 00000000..1143ba51
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-ACSB",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines.",
+ "displayName": "Enforce Azure Compute Security Baseline compliance auditing",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json
new file mode 100644
index 00000000..af4b8879
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json
@@ -0,0 +1,35 @@
+{
+ "name": "Enforce-ALZ-Decomm",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. See https://aka.ms/alz/policies for more information.",
+ "displayName": "Enforce ALZ Decommissioned Guardrails",
+ "notScopes": [],
+ "parameters": {
+ "listOfResourceTypesAllowed": {
+ "value": [
+ "microsoft.consumption/tags",
+ "microsoft.authorization/roleassignments",
+ "microsoft.authorization/roledefinitions",
+ "microsoft.authorization/policyassignments",
+ "microsoft.authorization/locks",
+ "microsoft.authorization/policydefinitions",
+ "microsoft.authorization/policysetdefinitions",
+ "microsoft.resources/tags",
+ "microsoft.authorization/roleeligibilityschedules",
+ "microsoft.authorization/roleeligibilityscheduleinstances",
+ "microsoft.authorization/roleassignmentschedules",
+ "microsoft.authorization/roleassignmentscheduleinstances"
+ ]
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json
new file mode 100644
index 00000000..906a9f88
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json
@@ -0,0 +1,29 @@
+{
+ "name": "Enforce-ALZ-Sandbox",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative will help enforce and govern subscriptions that are placed within the Sandobx Management Group. See https://aka.ms/alz/policies for more information.",
+ "displayName": "Enforce ALZ Sandbox Guardrails",
+ "notScopes": [],
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "microsoft.network/expressroutecircuits",
+ "microsoft.network/expressroutegateways",
+ "microsoft.network/virtualwans",
+ "microsoft.network/virtualhubs",
+ "microsoft.network/vpngateways",
+ "microsoft.network/vpnsites"
+ ]
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json
new file mode 100644
index 00000000..6017ba4a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json
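Review bot: The `description` string has a typo, `Sandobx`, that will be displayed in the portal for this assignment; it should read `placed within the Sandbox Management Group`. The Enforce-TLS-SSL template two files below carries similar user-facing typos in its description (`polices`, `exsistense`), and since that text is what an operator reads when choosing between the Deny and DeployIfNotExists options it is worth rewording into two plain sentences at the same time.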
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-GR-KeyVault",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.",
+ "displayName": "Enforce recommended guardrails for Azure Key Vault",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
new file mode 100644
index 00000000..96ff96fb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-TLS-SSL",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png
new file mode 100644
index 00000000..a2c3d584
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json
new file mode 100644
index 00000000..148103cb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-log-analytics"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "Disabled"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentParameterOverrides": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parPolicyAssignmentEnforcementMode": {
+ "value": "Default"
+ },
+ "parPolicyAssignmentIdentityType": {
+ "value": "SystemAssigned"
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
+ "value": [
+ "alz-platform"
+ ]
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
+ "value": [
+ "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ]
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
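Review bot: `parPolicyAssignmentIdentityRoleDefinitionIds` grants the assignment's system-assigned identity `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, which is the built-in Owner role, and `parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs` extends that grant to the `alz-platform` management group. A DeployIfNotExists initiative that configures Defender for Cloud plans and security contacts most likely does not need Owner, which also carries the right to create further role assignments, so a compromised or misused remediation identity would have more reach than the policy requires. Since this is the sample file people copy, consider replacing the id with the least-privileged role(s) the initiative's member policies declare, or documenting in the module README why Owner is required for this assignment.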
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json
new file mode 100644
index 00000000..9a4f27e2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-log-analytics"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "Disabled"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json
new file mode 100644
index 00000000..a6dc700d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deny-PublicIP"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deny the creation of public IP"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "This policy denies creation of Public IPs under the assigned scope."
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {}
+ },
+ "parPolicyAssignmentParameterOverrides": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parPolicyAssignmentEnforcementMode": {
+ "value": "Default"
+ },
+ "parPolicyAssignmentIdentityType": {
+ "value": "None"
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json
new file mode 100644
index 00000000..6025094e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deny-PublicIP"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deny the creation of public IP"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "This policy denies creation of Public IPs under the assigned scope."
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json
new file mode 100644
index 00000000..314325ac
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json
@@ -0,0 +1,98 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud configuration and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-la"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "Disabled"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentParameterOverrides": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parPolicyAssignmentEnforcementMode": {
+ "value": "Default"
+ },
+ "parPolicyAssignmentIdentityType": {
+ "value": "SystemAssigned"
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
+ "value": [
+ "alz-platform"
+ ]
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
+ "value": [
+ "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ]
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json
new file mode 100644
index 00000000..fc8572a5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json
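Review bot: `parPolicyAssignmentIdentityRoleDefinitionIds` here is a bare GUID, `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, while the module's own description for that parameter (policyAssignmentManagementGroup.bicep in this commit) shows the full `/providers/Microsoft.Authorization/roleDefinitions/<guid>` form; which shape the downstream roleAssignment*Many modules accept is not visible here, so the sample and the description should be brought into agreement. That GUID is the built-in Owner role, and it is granted to the assignment's managed identity at the deployed management group plus `alz-platform`; the initiative's own roleDefinitionIds normally identify a much narrower set, so the grant is worth trimming to what remediation actually needs. The `security_contact@replace_me` and `${parDefaultRegion}` values are placeholders that ARM will pass through verbatim unless a pipeline token-replaces them first, which nothing in the file signals.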
@@ -0,0 +1,73 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud configuration and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-la"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "Disabled"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
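Review bot: This `.min.json` for Deploy-MDFC-Config leaves `parPolicyAssignmentIdentityType` at the module default `None` and passes no `parPolicyAssignmentIdentityRoleDefinitionIds`, yet the values it sets are `DeployIfNotExists` effects, which need a managed identity holding role assignments before remediation can run. As written the assignment deploys cleanly with `identity: { type: 'None' }` and all three role-assignment loops in policyAssignmentManagementGroup.bicep are skipped, so non-compliant subscriptions are reported but never remediated. Either add `"parPolicyAssignmentIdentityType": { "value": "SystemAssigned" }` together with the role-definition list from the `.all.json` sibling, or document that the minimal file is only meant for Audit/Deny definitions. `${parDefaultRegion}` is also a placeholder rather than an ARM parameter reference and must be substituted before deployment.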
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep
new file mode 100644
index 00000000..c91359a3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep
@@ -0,0 +1,137 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Management Group Policy Assignments'
+metadata description = 'Module used to assign policy definitions to management groups'
+
+@minLength(1)
+@maxLength(24)
+@sys.description('The name of the policy assignment. e.g. "Deny-Public-IP"')
+param parPolicyAssignmentName string
+
+@sys.description('The display name of the policy assignment. e.g. "Deny the creation of Public IPs"')
+param parPolicyAssignmentDisplayName string
+
+@sys.description('The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope."')
+param parPolicyAssignmentDescription string
+
+@sys.description('The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP"')
+param parPolicyAssignmentDefinitionId string
+
+@sys.description('An object containing the parameter values for the policy to be assigned.')
+param parPolicyAssignmentParameters object = {}
+
+@sys.description('An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win.')
+param parPolicyAssignmentParameterOverrides object = {}
+
+@sys.description('An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use.')
+param parPolicyAssignmentNonComplianceMessages array = []
+
+@sys.description('An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. [\'/providers/Microsoft.Management/managementgroups/alz\', \'/providers/Microsoft.Management/managementgroups/alz-sandbox\' ].')
+param parPolicyAssignmentNotScopes array = []
+
+@allowed([
+ 'Default'
+ 'DoNotEnforce'
+])
+@sys.description('The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
+@sys.description('An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use.')
+param parPolicyAssignmentOverrides array = []
+
+@sys.description('An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use.')
+param parPolicyAssignmentResourceSelectors array = []
+
+@allowed([
+ 'None'
+ 'SystemAssigned'
+])
+@sys.description('The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects.')
+param parPolicyAssignmentIdentityType string = 'None'
+
+@sys.description('An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. [\'alz\', \'alz-sandbox\' ].')
+param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs array = []
+
+@sys.description('An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d\' ].')
+param parPolicyAssignmentIdentityRoleAssignmentsSubs array = []
+
+@sys.description('An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02\' ].')
+param parPolicyAssignmentIdentityRoleAssignmentsResourceGroups array = []
+
+@sys.description('An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. [\'/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\'].')
+param parPolicyAssignmentIdentityRoleDefinitionIds array = []
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+var varPolicyAssignmentParametersMerged = union(parPolicyAssignmentParameters, parPolicyAssignmentParameterOverrides)
+
+var varPolicyIdentity = parPolicyAssignmentIdentityType == 'SystemAssigned' ? 'SystemAssigned' : 'None'
+
+var varPolicyAssignmentIdentityRoleAssignmentsMgsConverged = parPolicyAssignmentIdentityType == 'SystemAssigned' ? union(parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs, (array(managementGroup().name))) : []
+
+// Customer Usage Attribution Id
+var varCuaid = '78001e36-9738-429c-a343-45cc84e8a527'
+
+resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
+ name: parPolicyAssignmentName
+ properties: {
+ displayName: parPolicyAssignmentDisplayName
+ description: parPolicyAssignmentDescription
+ policyDefinitionId: parPolicyAssignmentDefinitionId
+ parameters: varPolicyAssignmentParametersMerged
+ nonComplianceMessages: parPolicyAssignmentNonComplianceMessages
+ notScopes: parPolicyAssignmentNotScopes
+ enforcementMode: parPolicyAssignmentEnforcementMode
+ overrides: parPolicyAssignmentOverrides
+ resourceSelectors: parPolicyAssignmentResourceSelectors
+ }
+ identity: {
+ type: varPolicyIdentity
+ }
+ #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ location: deployment().location
+}
+
+// Handle Managed Identity RBAC Assignments to Management Group scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required.
+module modPolicyIdentityRoleAssignmentMgsMany '../../roleAssignments/roleAssignmentManagementGroupMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds)) {
+ name: 'rbac-assign-mg-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}'
+ params: {
+ parManagementGroupIds: varPolicyAssignmentIdentityRoleAssignmentsMgsConverged
+ parAssigneeObjectId: resPolicyAssignment.identity.principalId
+ parAssigneePrincipalType: 'ServicePrincipal'
+ parRoleDefinitionId: roles
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Handle Managed Identity RBAC Assignments to Subscription scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required.
+module modPolicyIdentityRoleAssignmentSubsMany '../../roleAssignments/roleAssignmentSubscriptionMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds) && !empty(parPolicyAssignmentIdentityRoleAssignmentsSubs)) {
+ name: 'rbac-assign-sub-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}'
+ params: {
+ parSubscriptionIds: parPolicyAssignmentIdentityRoleAssignmentsSubs
+ parAssigneeObjectId: resPolicyAssignment.identity.principalId
+ parAssigneePrincipalType: 'ServicePrincipal'
+ parRoleDefinitionId: roles
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Handle Managed Identity RBAC Assignments to Resource Group scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required.
+module modPolicyIdentityRoleAssignmentResourceGroupMany '../../roleAssignments/roleAssignmentResourceGroupMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds) && !empty(parPolicyAssignmentIdentityRoleAssignmentsResourceGroups)) {
+ name: 'rbac-assign-rg-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}'
+ params: {
+ parResourceGroupIds: parPolicyAssignmentIdentityRoleAssignmentsResourceGroups
+ parAssigneeObjectId: resPolicyAssignment.identity.principalId
+ parAssigneePrincipalType: 'ServicePrincipal'
+ parRoleDefinitionId: roles
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location, parPolicyAssignmentName)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/README.md b/dependencies/infra-as-code/bicep/modules/policy/definitions/README.md
new file mode 100644
index 00000000..9c5dc0d6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/README.md
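Review bot: The identity type and the role-definition list are accepted independently, so the misconfiguration that matters most is silent: with `parPolicyAssignmentIdentityType` set to 'SystemAssigned' and an empty `parPolicyAssignmentIdentityRoleDefinitionIds`, all three role-assignment loops are skipped by their `!empty(parPolicyAssignmentIdentityRoleDefinitionIds)` guard and the assignment deploys with an identity that holds no permissions, which only surfaces later as failed remediation; the reverse case (role IDs supplied with identity type 'None') is dropped just as quietly. Bicep offers no assertion for this, so at minimum the `parPolicyAssignmentIdentityRoleDefinitionIds` description should say so, e.g. `Must be non-empty when parPolicyAssignmentIdentityType is SystemAssigned; ignored when it is None.`. That same description's example uses full roleDefinitions resource IDs while the dine sample parameter file in this commit passes a bare GUID; pick one form and state it. Minor: "seperated" in the `parPolicyAssignmentIdentityRoleAssignmentsResourceGroups` description.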
@@ -0,0 +1,101 @@ +# Module: Custom Policy Definitions + +This module deploys the custom Azure Policy Definitions & Initiatives supplied by the Azure Landing Zones conceptual architecture and reference implementation defined [here](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture) to the specified Management Group. + +For a list of the custom policy definitions that are deployed, please see the below links: + +- [Policies included in Enterprise-Scale Landing Zones reference implementations](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) +- [Enterprise Scale - What's New?](https://github.com/Azure/Enterprise-Scale/wiki/Whats-new) + +If you wish to add your own additional custom Azure Policy Definitions please review [How Does ALZ-Bicep Implement Azure Policies?](https://github.com/Azure/ALZ-Bicep/wiki/PolicyDeepDive) and more specifically [Assigning Azure Policies](https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies) + +> Once you have deployed this module to add all of the custom ALZ Azure Policy Definitions & Initiatives you will need to assign the modules to the relevant Management Groups as per your requirements using the [Policy Assignments module](../assignments/README.md).

+> If you want to make all of the default Azure Policy Assignments that we recommend in the Azure Landing Zones conceptual architecture and reference implementation you can use the [ALZ Default Policy Assignments module](../assignments/alzDefaults/README.md) to do this for you👍 + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/customPolicyDefinitions.bicep.md) +- [Parameters for Azure China Cloud](generateddocs/mc-customPolicyDefinitions.bicep.md) + +## Outputs + +The module does not generate any outputs. + +## Deployment + +There are two different sets of deployment; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to minor difference in services which are available in Azure global and in Azure China, but the feature parity gap is narrowing. As a result, there are no policy definitions for services which are not available in Azure China. Some policy definitions are not built-in in Azure China, hence those policies are defined as custom policy definitions. More details are available [here](https://github.com/Azure/Enterprise-Scale/pull/802). + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ---------------------------------- | ------------------------------------------------- | + | Global regions | customPolicyDefinitions.bicep | parameters/customPolicyDefinitions.parameters.all.json | + | China regions | mc-customPolicyDefinitions.bicep | parameters/customPolicyDefinitions.parameters.all.json | + +In this example, the custom policy definitions and policy set definitions will be deployed to the `alz` management group (the intermediate root management group). + +The input parameter file `parameters/customPolicyDefinitions.parameters.all.json` defines the target management group to which the custom policy definitions will be deployed to. In this case, it will be the same management group (i.e. 
`alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. +> If the deployment provisioning state has failed due to policy definitions could not be found, this is often due to a known replication delay. Please re-run the deployment step below, and the deployment should succeed. + +### Azure CLI + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PolicyDefsDefaults-${dateYMD}" +LOCATION="eastus" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PolicyDefsDefaults-${dateYMD}" +LOCATION="chinaeast2" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep" + 
TemplateParameterFile = 'infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json' +} +New-AzManagementGroupDeployment @inputObject +``` + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep new file mode 100644 index 00000000..038513e8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep 
@@ -0,0 +1,1954 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Custom Policy Defitions at Management Group Scope' +metadata description = 'This policy definition is used to deploy custom policy definitions at management group scope' + +@sys.description('The management group scope to which the policy definitions are to be created at.') +param parTargetManagementGroupId string = 'alz' + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) + +// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. 
+var varCustomPolicyDefinitionsArray = [ + { + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json') + } + { + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json') + } + { + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json') + } + { + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json') + } + { + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json') + } + { + name: 'Audit-AzureHybridBenefit' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json') + } + { + name: 'Audit-Disks-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-MachineLearning-PrivateEndpointId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json') + } + { + name: 'Audit-PrivateLinkDnsZones' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json') + } + { + name: 'Audit-PublicIpAddresses-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-ServerFarms-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json') + } + { + name: 'Deny-AA-child-resources' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') + } + { + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') + } + { + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') + } + { + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json') + } + { + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') + } + { + name: 'Deny-Databricks-NoPublicIp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') + } + { + name: 'Deny-Databricks-Sku' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json') + } + { + name: 'Deny-Databricks-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') + } + { + name: 'Deny-FileServices-InsecureAuth' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json') + } + { + name: 'Deny-FileServices-InsecureKerberos' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json') + } + { + name: 'Deny-FileServices-InsecureSmbChannel' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json') + } + { + name: 'Deny-FileServices-InsecureSmbVersions' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json') + } + { + name: 'Deny-MachineLearning-Aks' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') + } + { + name: 'Deny-MachineLearning-Compute-SubnetId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json') + } + { + name: 'Deny-MachineLearning-Compute-VmSize' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-Scale' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json') + } + { + name: 'Deny-MachineLearning-HbiWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json') + } + { + name: 'Deny-MachineLearning-PublicAccessWhenBehindVnet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json') + } + { + name: 'Deny-MachineLearning-PublicNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json') + } + { + name: 'Deny-MgmtPorts-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json') + } + { + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MySql-http.json') + } + { + name: 'Deny-PostgreSql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json') + } + { + name: 'Deny-Private-DNS-Zones' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json') + } + { + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json') + } + { + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicIP.json') + } + { + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json') + } + { + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') + } + { + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') + } + { + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') + } + { + name: 'Deny-Storage-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') + } + { + name: 'Deny-Storage-SFTP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json') + } + { + name: 'Deny-StorageAccount-CustomDomain' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json') + } + { + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json') + } + { + name: 'Deny-Subnet-Without-Penp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json') + } + { + name: 'Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json') + } + { + name: 'Deny-UDR-With-Specific-NextHop' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json') + } + { + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json') + } + { + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json') + } + { + name: 'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') + } + { + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') + } + { + name: 'Deploy-Budget' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Budget.json') + } + { + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json') + } + { + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json') + } + { + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json') + } + { + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json') + } + { + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json') + } + { + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json') + } + { + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json') + } + { + name: 'Deploy-Diagnostics-APIMgmt' + 
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json') + } + { + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json') + } + { + name: 'Deploy-Diagnostics-AVDScalingPlans' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json') + } + { + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json') + } + { + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json') + } + { + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json') + } + { + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json') + } + { + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json') + } + { + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json') + } + { + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json') + } + { + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json') + } + { + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json') + } + { + name: 
'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json') + } + { + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json') + } + { + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json') + } + { + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json') + } + { + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json') + } + { + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json') + } + { + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json') + } + { + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json') + } + { + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json') + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json') + } + { + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json') + } + { + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json') + } + { + name: 
'Deploy-Diagnostics-MediaService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json') + } + { + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json') + } + { + name: 'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json') + } + { + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json') + } + { + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json') + } + { + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json') + } + { + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json') + } + { + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json') + } + { + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json') + } + { + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json') + } + { + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json') + } + { + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json') + } + { + name: 'Deploy-Diagnostics-TimeSeriesInsights' + 
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json') + } + { + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json') + } + { + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json') + } + { + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json') + } + { + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json') + } + { + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json') + } + { + name: 'Deploy-Diagnostics-VWanS2SVPNGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json') + } + { + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json') + } + { + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json') + } + { + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json') + } + { + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json') + } + { + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json') + } + { + name: 'Deploy-FirewallPolicy' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') + } + { + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json') + } + { + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json') + } + { + name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json') + } + { + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') + } + { + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') + } + { + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json') + } + { + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json') + } + { + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments_20230706' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json') + } + { + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json') + } + { + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json') + } + { + 
name: 'Deploy-Vm-autoShutdown' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json') + } + { + name: 'Deploy-VNET-HubSpoke' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json') + } + { + name: 'Deploy-Windows-DomainJoin' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json') + } +] + +// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. +var varCustomPolicySetDefinitionsArray = [ + { + name: 'Audit-UnusedResourcesCostOptimization' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AuditAzureHybridBenefitUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditAzureHybridBenefitUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AuditDisksUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditDisksUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'AuditPublicIpAddressesUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditPublicIpAddressesUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AuditServerFarmsUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditServerFarmsUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deny-PublicPaaSEndpoints' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ApiManDenyPublicIP' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ApiManDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppConfigDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AppConfigDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AsDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AsDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AseDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AseDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AutomationDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AutomationDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BotServiceDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BotServiceDenyPublicIP.parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.FunctionDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MariaDbDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MariaDbDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MlDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MlDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' + 
definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisCacheDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.RedisCacheDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + 
definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools'
+ 
definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45'
+ definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM'
+ definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup'
+ definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-MDFC-Config'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ascExport'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.ascExport.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'azurePolicyForKubernetes'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.azurePolicyForKubernetes.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForApis'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForApis.parameters
+ definitionGroups: []
+ }
+ {
+ 
definitionReferenceId: 'defenderForAppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForAppServices.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForArm'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForArm.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderforContainers'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforContainers.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForCosmosDbs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCosmosDbs.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForCspm'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCspm.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForDns'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForDns.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForKeyVaults'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForKeyVaults.parameters
+ 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderforKubernetes'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforKubernetes.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForOssDb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForOssDb.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlPaas'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlPaas.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlServerVirtualMachines'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlServerVirtualMachines.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForStorageAccounts'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccounts.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVM'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVM.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVMVulnerabilityAssessment'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b'
+ 
definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVMVulnerabilityAssessment.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'securityEmailContact'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.securityEmailContact.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Private-DNS-Zones'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ACR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-App'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-DSCHybrid'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-DSCHybrid'].parameters
+ definitionGroups: []
+ }
+ {
+ 
definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-Webhook'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-Webhook'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Batch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Cassandra'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Cassandra'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Gremlin'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Gremlin'].parameters
+ 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-MongoDB'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-MongoDB'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-SQL'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-SQL'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Table'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory-Portal'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory-Portal'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters
+ 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-HDInsight'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-HDInsight'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoT'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters
+ 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Key'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Key'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Live'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Live'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Stream'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991'
+ definitionParameters: 
varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Stream'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Migrate'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Migrate'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Monitor'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Monitor'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2'
+ definitionParameters: 
varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-File'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-File'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1'
+ 
definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-Dev'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-Dev'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Web' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Sql-Security' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-ACSB' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'GcIdentity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcIdentity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'GcLinux' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcLinux.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'GcWindows' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcWindows.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LinAcsb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.LinAcsb.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WinAcsb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.WinAcsb.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-ALZ-Decomm' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 
'DecomDenyResources' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c' + definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomDenyResources.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DecomShutdownMachines' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown' + definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomShutdownMachines.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-ALZ-Sandbox' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'SandboxDenyVnetPeering' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub' + definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxDenyVnetPeering.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SandboxNotAllowed' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' + definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxNotAllowed.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Encryption-CMK' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.ACRCmkDeny.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' 
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AksCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AzureBatchCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataBoxCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerTDECMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StorageCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SynapseWorkspaceCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WorkspaceCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.WorkspaceCMK.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-EncryptTransit'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'AKSIngressHttpsOnlyEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceHttpEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceminTlsVersion'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisDenyhttps'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisDenyhttps.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisdisableNonSslPort'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDeployHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-KeyVault'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'KvCertLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvCertLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvFirewallEnabled'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvFirewallEnabled.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvPurgeProtection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvPurgeProtection.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSoftDelete.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+]
+
+// Policy Set/Initiative Definition Parameter Variables
+
+var varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json')
+
+var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json')
+
+var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json')
+
+var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json')
+
+var varPolicySetDefinitionEsDeployPrivateDNSZonesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json')
+
+var varPolicySetDefinitionEsDeploySqlSecurityParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json')
+
+var varPolicySetDefinitionEsEnforceACSBParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json')
+
+var varPolicySetDefinitionEsEnforceALZDecommParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json')
+
+var varPolicySetDefinitionEsEnforceALZSandboxParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json')
+
+var varPolicySetDefinitionEsEnforceEncryptionCMKParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json')
+
+var varPolicySetDefinitionEsEnforceEncryptTransitParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json')
+
+var varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json')
+
+// Customer Usage Attribution Id
+var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9'
+
+resource resPolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for policy in varCustomPolicyDefinitionsArray: {
+ name: policy.libDefinition.name
+ properties: {
+ description: policy.libDefinition.properties.description
+ displayName: policy.libDefinition.properties.displayName
+ metadata: policy.libDefinition.properties.metadata
+ mode: policy.libDefinition.properties.mode
+ parameters: policy.libDefinition.properties.parameters
+ policyType: policy.libDefinition.properties.policyType
+ policyRule: policy.libDefinition.properties.policyRule
+ }
+}]
+
+resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = [for policySet in varCustomPolicySetDefinitionsArray: {
+ dependsOn: [
+ resPolicyDefinitions // Must wait for policy definitons to be deployed before starting the creation of Policy Set/Initiative Defininitions
+ ]
+ name: policySet.libSetDefinition.name
+ properties: {
+ description: policySet.libSetDefinition.properties.description
+ displayName: policySet.libSetDefinition.properties.displayName
+ metadata: policySet.libSetDefinition.properties.metadata
+ parameters: policySet.libSetDefinition.properties.parameters
+ policyType: policySet.libSetDefinition.properties.policyType
+ policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: {
+ policyDefinitionReferenceId: policySetDef.definitionReferenceId
+ policyDefinitionId: policySetDef.definitionId
+ parameters: policySetDef.definitionParameters
+ groupNames: policySetDef.definitionGroups
+ }]
+ policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups
+ }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/customPolicyDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/customPolicyDefinitions.bicep.md
new file mode 100644
index 00000000..ba760b2b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/customPolicyDefinitions.bicep.md
@@ -0,0 +1,48 @@
+# ALZ Bicep - Custom Policy Defitions at Management Group Scope
+
+This policy definition is used to deploy custom policy definitions at management group scope
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parTargetManagementGroupId | No | The management group scope to which the policy definitions are to be created at.
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parTargetManagementGroupId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The management group scope to which the policy definitions are to be created at.
+
+- Default value: `alz`
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.json"
+ },
+ "parameters": {
+ "parTargetManagementGroupId": {
+ "value": "alz"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/mc-customPolicyDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/mc-customPolicyDefinitions.bicep.md
new file mode 100644
index 00000000..5cbc7f96
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/mc-customPolicyDefinitions.bicep.md
@@ -0,0 +1,48 @@
+# ALZ Bicep - Custom Policy Defitions at Management Group Scope
+
+This policy definition is used to deploy custom policy definitions at management group scope
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parTargetManagementGroupId | No | The management group scope to which the policy definitions are to be created at.
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parTargetManagementGroupId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The management group scope to which the policy definitions are to be created at.
+
+- Default value: `alz`
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.json"
+ },
+ "parameters": {
+ "parTargetManagementGroupId": {
+ "value": "alz"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt
new file mode 100644
index 00000000..0ae54fdf
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt
@@ -0,0 +1,400 @@ +{ + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json') +} +{ + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json') +} +{ + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json') +} +{ + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json') +} +{ + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json') +} +{ + name: 'Deny-AFSPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json') +} +{ + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json') +} +{ + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json') +} +{ + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json') +} +{ + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json') +} +{ + name: 'Deny-KeyVaultPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json') +} +{ + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json') +} +{ + name: 'Deny-PostgreSql-http' + 
libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json') +} +{ + name: 'Deny-Private-DNS-Zones' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json') +} +{ + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json') +} +{ + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json') +} +{ + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json') +} +{ + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json') +} +{ + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json') +} +{ + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json') +} +{ + name: 'Deny-Storage-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json') +} +{ + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json') +} +{ + name: 'Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json') +} +{ + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json') +} +{ + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json') +} +{ + name: 
'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json') +} +{ + name: 'Deploy-ActivityLogs-to-LA-workspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json') +} +{ + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json') +} +{ + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json') +} +{ + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json') +} +{ + name: 'Deploy-Default-Udr' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json') +} +{ + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json') +} +{ + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json') +} +{ + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json') +} +{ + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json') +} +{ + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json') +} +{ + name: 'Deploy-Diagnostics-APIMgmt' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json') +} +{ + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json') +} +{ + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json') +} +{ + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json') +} +{ + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json') +} +{ + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json') +} +{ + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json') +} +{ + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json') +} +{ + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json') +} +{ + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json') +} +{ + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json') +} +{ + name: 'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json') +} +{ + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json') +} +{ + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json') +} +{ + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json') +} +{ + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json') +} +{ + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json') +} +{ + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json') +} +{ + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json') +} +{ + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json') +} +{ + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json') +} +{ + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json') +} +{ + name: 'Deploy-Diagnostics-MediaService' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json') +} +{ + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json') +} +{ + name: 
'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json') +} +{ + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json') +} +{ + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json') +} +{ + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json') +} +{ + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json') +} +{ + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json') +} +{ + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json') +} +{ + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json') +} +{ + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json') +} +{ + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json') +} +{ + name: 'Deploy-Diagnostics-TimeSeriesInsights' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json') +} +{ + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json') +} +{ + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json') +} +{ + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json') +} +{ + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json') +} +{ + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json') +} +{ + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json') +} +{ + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json') +} +{ + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json') +} +{ + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json') +} +{ + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json') +} +{ + name: 'Deploy-FirewallPolicy' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json') +} +{ + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json') +} +{ + name: 'Deploy-MySQLCMKEffect' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json') +} +{ + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json') +} +{ + name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json') +} +{ + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json') +} +{ + name: 'Deploy-PostgreSQLCMKEffect' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json') +} +{ + name: 'Deploy-Private-DNS-Azure-File-Sync' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json') +} +{ + name: 'Deploy-Private-DNS-Azure-KeyVault' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json') +} +{ + name: 'Deploy-Private-DNS-Azure-Web' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json') +} +{ + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json') +} +{ + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json') +} +{ + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json') +} +{ + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json') +} +{ + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json') +} +{ + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json') +} +{ + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json') +} +{ + name: 'Deploy-VNET-HubSpoke' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json') +} +{ + name: 'Deploy-Windows-DomainJoin' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json') +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json new file mode 100644 index 00000000..a8c1cb18 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json 
@@ -0,0 +1,59 @@
+{
+ "name": "Append-AppService-httpsonly",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "AppService append enable https only setting to enforce https setting.",
+ "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "notequals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": [
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json
new file mode 100644
index 00000000..45e239af
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json
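Review bot: The description's closing sentence `Please note Append does not enforce compliance use then deny.` misstates the create/update behaviour: under Azure Policy's documented Append semantics, a request that explicitly carries a conflicting value (here `httpsOnly: false`) is rejected rather than overwritten, so the real gap is sites that already exist, which Append never touches. Suggest rewording to something like `Append sets httpsOnly to true when it is omitted and rejects requests that explicitly set it to false; existing non-compliant sites are not remediated - pair with the matching Deny or a Modify/remediation policy.` If remediation of pre-existing sites is wanted, a `Modify` effect would need `roleDefinitionIds` and an `operations` block; the Append-shaped `details` array here is not valid for that effect, so do not simply add `Modify` to `allowedValues`.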
@@ -0,0 +1,72 @@ +{ + "name": "Append-AppService-latestTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "AppService append sites with minimum TLS version to enforce.", + "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Select version minimum TLS Web App config", + "description": "Select version minimum TLS version for a Web App config to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites/config" + }, + { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "notEquals": "[parameters('minTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "value": "[parameters('minTlsVersion')]" + } + ] + } + } + } +} \ No newline at end of file 
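Review bot: The condition `"notEquals": "[parameters('minTlsVersion')]"` flags any site whose `minTlsVersion` differs from the parameter, including one configured stricter than the floor, and because Append rejects requests whose explicit value conflicts with the appended one, a deployment that asks for a newer version than the assignment's parameter would be denied. A floor check, `"less": "[parameters('minTlsVersion')]"`, expresses the intent and leaves stricter configurations alone (Policy's `less` compares strings culture-invariantly, which orders these single-digit dotted versions correctly). The `allowedValues` of `1.0` and `1.1` also let an assignment select deprecated protocol versions; unless a consumer genuinely needs them, restricting the list to `1.2` stops the control being weakened through a parameter. Note the type match is `Microsoft.Web/sites/config`, which covers every config child (appsettings, connectionstrings, …) rather than only the `web` config where `minTlsVersion` lives — worth confirming Append behaves as intended on the others.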
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json new file mode 100644 index 00000000..9c3410d8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json @@ -0,0 +1,50 @@ +{ + "name": "Append-KV-SoftDelete", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "KeyVault SoftDelete should be enabled", + "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", + "metadata": { + "version": "1.0.0", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": {}, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.KeyVault/vaults" + }, + { + "field": "Microsoft.KeyVault/vaults/enableSoftDelete", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "append", + "details": [ + { + "field": "Microsoft.KeyVault/vaults/enableSoftDelete", + "value": true + } + ] + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json new file mode 100644 index 00000000..024fbbd3 --- /dev/null 
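Review bot: The effect is hard-coded as `"effect": "append"` with `"parameters": {}`, so unlike every sibling definition in this set an assignment cannot switch this policy to `Disabled` or otherwise choose its effect; for consistency add the usual `effect` parameter (allowedValues `Append`/`Disabled`, default `Append`) and reference it with `"effect": "[parameters('effect')]"`. The `anyOf` wrapping a single `allOf` is redundant and can collapse to the inner `allOf`. Separately, soft delete only keeps deleted vaults and objects recoverable; it does not prevent an attacker or operator from purging them, so a companion control on `Microsoft.KeyVault/vaults/enablePurgeProtection` is the stronger guarantee against permanent loss — if that is deliberately out of scope here, the description should say so.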
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json @@ -0,0 +1,64 @@ +{ + "name": "Append-Redis-disableNonSslPort", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", + "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled", + "Modify" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "equals": "true" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "value": false + } + ] + } + } + } +} \ No newline at end of file 
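Review bot: `"Modify"` is listed in the `effect` parameter's `allowedValues`, but `then.details` is in Append shape (an array of `field`/`value` pairs) with no `roleDefinitionIds` or `operations`, which a Modify effect requires, so an assignment that selects Modify would fail validation instead of remediating. Either drop `"Modify"` from `allowedValues` (as the sibling Append-Redis-sslEnforcement does) or restructure `details` for Modify with an appropriate role. The condition `"equals": "true"` compares the boolean alias against a string where the other definitions in this set use a bare `true`; consistent typing avoids evaluation surprises. The description appears copied from the TLS-version policy — it talks about enforcing a minimal TLS version rather than disabling the non-SSL port, e.g. `Appends enableNonSslPort=false so Azure Cache for Redis only accepts TLS connections.`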
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json new file mode 100644 index 00000000..81742638 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json 
@@ -0,0 +1,76 @@ +{ + "name": "Append-Redis-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for Redis server", + "description": "Select version minimum TLS version Azure Cache for Redis to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + 
"value": "[parameters('minimumTlsVersion')]" + } + ] + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Audit-MachineLearning-PrivateEndpointId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Audit-MachineLearning-PrivateEndpointId.json new file mode 100644 index 00000000..217f9412 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Audit-MachineLearning-PrivateEndpointId.json 
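Review bot: As with the App Service TLS policy, `"notequals": "[parameters('minimumTlsVersion')]"` treats a cache set to a newer version than the parameter as non-compliant, and under Append semantics an explicit stricter value in the request would be rejected; `"less": "[parameters('minimumTlsVersion')]"` turns it into a floor. Allowing `1.0` and `1.1` in `allowedValues` lets an assignment lower the bar to deprecated protocols; consider limiting the list to `1.2` unless a consumer needs otherwise. The description says the policy "enforce[s] SSL", but only `minimumTlsVersion` is set here — disabling the plaintext port is handled by the separate Append-Redis-disableNonSslPort definition, and the description could point to it.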
@@ -0,0 +1,64 @@ +{ + "name": "Audit-MachineLearning-PrivateEndpointId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Control private endpoint connections to Azure Machine Learning", + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status", + "equals": "Approved" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id", + "exists": false + }, + { + "value": "[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]", + "notEquals": "[subscription().subscriptionId]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
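Review bot: `alzCloudEnvironments` lists only `AzureCloud`, yet the file is added under `lib/china/` and has no entry in the `_mc_policyDefinitionsBicepInput.txt` list introduced by this same change, so it is shipped in the China library but never deployed there. Either add `"AzureChinaCloud"` and a corresponding list entry (after confirming the `Microsoft.MachineLearningServices/workspaces/privateEndpointConnections` aliases resolve in that cloud) or leave the file out of this library so the artefact does not suggest coverage that does not exist. The `split(concat(field(...), '//'), '/')[2]` trick keeps index 2 in range when the ID is empty, but that case is already caught by the `"exists": false` branch; a note in `metadata` explaining the padding would help the next reader.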
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AA-child-resources.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AA-child-resources.json new file mode 100644 index 00000000..1b072d72 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AA-child-resources.json @@ -0,0 +1,56 @@ +{ + "name": "Deny-AA-child-resources", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "No child resources in Automation Account", + "description": "This policy denies the creation of child resources on the Automation Account", + "metadata": { + "version": "1.0.0", + "category": "Automation", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "in": [ + "Microsoft.Automation/automationAccounts/runbooks", + "Microsoft.Automation/automationAccounts/variables", + "Microsoft.Automation/automationAccounts/modules", + "Microsoft.Automation/automationAccounts/credentials", + "Microsoft.Automation/automationAccounts/connections", + "Microsoft.Automation/automationAccounts/certificates" + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
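Review bot: `alzCloudEnvironments` is `AzureCloud`/`AzureUSGovernment` only, but the file is placed in `lib/china/` and has no entry in `_mc_policyDefinitionsBicepInput.txt` in this change, so it will not be deployed to the China scope — either add `"AzureChinaCloud"` plus a list entry or drop it from this library. If the displayName `No child resources in Automation Account` is the real intent, the `in` list is a subset: `Microsoft.Automation/automationAccounts/webhooks`, `.../schedules` and `.../jobSchedules` are child types not covered, and webhooks in particular are typically an unauthenticated trigger path for runbooks; worth confirming which child types this control is meant to block and either extending the list or narrowing the description.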
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json new file mode 100644 index 00000000..4549f2ae --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json 
@@ -0,0 +1,52 @@ +{ + "name": "Deny-AFSPaasPublicIP", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Public network access should be disabled for Azure File Sync", + "description": "Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StorageSync/storageSyncServices" + }, + { + "field": "Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy", + "notEquals": "AllowVirtualNetworksOnly" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json new file mode 100644 index 00000000..734e7996 --- /dev/null 
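Review bot: The `effect` parameter defaults to `"Audit"` although the definition is named `Deny-AFSPaasPublicIP` and every other `Deny-*` definition in this diff defaults to `"Deny"`; assigning it without an explicit parameter will only log non-compliant Storage Sync Services rather than block them. If Audit is the intended rollout default for China, say so in the parameter description (e.g. `"description": "Defaults to Audit; set to Deny to block public endpoints"`), otherwise change to `"defaultValue": "Deny"`. The Key Vault definition (hunk ending at L521) has the same Audit default under a Deny name.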
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json @@ -0,0 +1,54 @@ +{ + "name": "Deny-AppGW-Without-WAF", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Application Gateway should be deployed with WAF enabled", + "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF enabled", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + { + "field": "Microsoft.Network/applicationGateways/sku.name", + "notequals": "WAF_v2" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json new file mode 100644 index 00000000..52ebe3c0 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json 
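Review bot: The rule only checks `sku.name` against `WAF_v2`, which enforces the SKU but not that the WAF is actually turned on: a WAF_v2 gateway deployed with `webApplicationFirewallConfiguration.enabled` set to false, or with no firewall policy attached, still passes, so the displayName "deployed with WAF enabled" is stronger than what is evaluated. If the aliases are available in the target cloud, consider an extra `anyOf` requiring `Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration.enabled` to equal true or `Microsoft.Network/applicationGateways/firewallPolicy.id` to exist; otherwise reword the description to "Application Gateways must use the WAF_v2 SKU". The lower-case `notequals` operator is presumably accepted, but the other definitions in this diff spell it `notEquals`.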
@@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceApiApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "API App should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "*api" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json new file mode 100644 index 00000000..8a83e5d5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json 
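Review bot: The third `allOf` condition matches only when `httpsOnly` is present and equal to `"false"`; a request that omits `httpsOnly` entirely does not match, so such a deployment is not denied even though the resulting site may be reachable over HTTP. Other definitions in this diff (for example the MySQL and hbiWorkspace rules) guard the missing-property case with an `anyOf` of `"exists": false` plus the value check; I would align these three App Service rules with that pattern, verifying first how Policy evaluates the absent field for this resource type. The Function App and Web App definitions (hunks ending at L516 and L517) have the identical shape and need the same change.
```json
{
  "anyOf": [
    {
      "field": "Microsoft.Web/sites/httpsOnly",
      "exists": false
    },
    {
      "field": "Microsoft.Web/sites/httpsOnly",
      "equals": "false"
    }
  ]
}
```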
@@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceFunctionApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Function App should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "functionapp*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json new file mode 100644 index 00000000..d72db789 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json 
@@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceWebApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Web Application should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "app*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-NoPublicIp.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-NoPublicIp.json new file mode 100644 index 00000000..0030e2af --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-NoPublicIp.json 
@@ -0,0 +1,52 @@ +{ + "name": "Deny-Databricks-NoPublicIp", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny public IPs for Databricks cluster", + "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", + "notEquals": true + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json new file mode 100644 index 00000000..8e404a8a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json 
@@ -0,0 +1,52 @@ +{ + "name": "Deny-Databricks-Sku", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny non-premium Databricks sku", + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/sku.name", + "notEquals": "premium" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-VirtualNetwork.json new file mode 100644 index 00000000..7042d3a7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-VirtualNetwork.json 
@@ -0,0 +1,64 @@ +{ + "name": "Deny-Databricks-VirtualNetwork", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny Databricks workspaces without Vnet injection", + "description": "Enforces the use of vnet injection for Databricks workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value", + "exists": false + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json new file mode 100644 index 00000000..e861ade0 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json 
@@ -0,0 +1,59 @@ +{ + "name": "Deny-KeyVaultPaasPublicIP", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Preview: Azure Key Vault should disable public network access", + "description": "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.", + "metadata": { + "version": "2.0.0-preview", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "preview": true, + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.KeyVault/vaults" + }, + { + "not": { + "field": "Microsoft.KeyVault/vaults/createMode", + "equals": "recover" + } + }, + { + "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", + "notEquals": "Deny" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Aks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Aks.json new file mode 100644 index 00000000..49ce3ee7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Aks.json 
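Review bot: The displayName promises "disable public network access" but the rule evaluates `networkAcls.defaultAction`, which is the firewall default, not the public endpoint switch: a vault with `defaultAction` set to `Deny` and IP or virtual-network rules remains reachable from those allowlisted public sources. If the intent is a disabled public endpoint, the `Microsoft.KeyVault/vaults/publicNetworkAccess` property is the one to check (if exposed as an alias in AzureChinaCloud); if the intent is the firewall default, retitle to something like "Key Vault firewall default action should be Deny". The `createMode` `recover` exclusion is a sensible carve-out and should be mentioned in the description so assignment reviewers know recovered vaults are not evaluated.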
@@ -0,0 +1,64 @@ +{ + "name": "Deny-MachineLearning-Aks", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny AKS cluster creation in Azure Machine Learning", + "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AKS" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId", + "exists": false + }, + { + "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-SubnetId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-SubnetId.json new file mode 100644 index 00000000..bec5271b --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-SubnetId.json @@ -0,0 +1,67 @@ +{ + "name": "Deny-MachineLearning-Compute-SubnetId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", + "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/subnet.id", + "exists": false + }, + { + "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-VmSize.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-VmSize.json new file mode 100644 index 00000000..3574f722 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-VmSize.json 
@@ -0,0 +1,148 @@ +{ + "name": "Deny-MachineLearning-Compute-VmSize", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", + "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", + "metadata": { + "version": "1.0.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "allowedVmSizes": { + "type": "Array", + "metadata": { + "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances", + "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances" + }, + "defaultValue": [ + "Standard_D1_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_DS1_v2", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_M8-2ms", + "Standard_M8-4ms", + "Standard_M8ms", + "Standard_M16-4ms", + "Standard_M16-8ms", + "Standard_M16ms", + "Standard_M32-8ms", + "Standard_M32-16ms", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M32ts", + "Standard_M64-16ms", + "Standard_M64-32ms", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64s", + "Standard_M128-32ms", + "Standard_M128-64ms", + "Standard_M128ms", + "Standard_M128s", + "Standard_M64", + "Standard_M64m", + "Standard_M128", + "Standard_M128m", + 
"Standard_D1", + "Standard_D2", + "Standard_D3", + "Standard_D4", + "Standard_D11", + "Standard_D12", + "Standard_D13", + "Standard_D14", + "Standard_DS15_v2", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F72s_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + "Standard_NC24rs_v3", + "Standard_NC24s_v3", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24rs", + "Standard_ND24s", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24rs_v2", + "Standard_NC24s_v2", + "Standard_ND40rs_v2", + "Standard_NV12s_v3", + "Standard_NV24s_v3", + "Standard_NV48s_v3" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize", + "notIn": "[parameters('allowedVmSizes')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json new file mode 100644 index 00000000..32bd4269 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json 
@@ -0,0 +1,64 @@ +{ + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny public access of Azure Machine Learning clusters via SSH", + "description": "Deny public access of Azure Machine Learning clusters via SSH.", + "metadata": { + "version": "1.1.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-Scale.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-Scale.json new file mode 100644 index 00000000..3e285514 --- /dev/null 
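Review bot: This definition uses `"mode": "All"` whereas every other compute-level Machine Learning definition in this diff uses `"mode": "Indexed"`, with no comment explaining the difference; if `All` is deliberate for this resource (it is also carried on `version` `1.1.0`, suggesting an intentional revision), record the reason in `metadata`, otherwise align it with the siblings. Note also that the `anyOf` treats an absent `remoteLoginPortPublicAccess` as non-compliant, which is the conservative choice and worth stating in the description, e.g. `"description": "Denies AmlCompute clusters whose remoteLoginPortPublicAccess is missing or not set to Disabled."`.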
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-Scale.json 
@@ -0,0 +1,92 @@ +{ + "name": "Deny-MachineLearning-ComputeCluster-Scale", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforce scale settings for Azure Machine Learning compute clusters", + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "metadata": { + "version": "1.0.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "maxNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Count", + "description": "Specifies the maximum node count of AML Clusters" + }, + "defaultValue": 10 + }, + "minNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Node Count", + "description": "Specifies the minimum node count of AML Clusters" + }, + "defaultValue": 0 + }, + "maxNodeIdleTimeInSecondsBeforeScaleDown": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", + "description": "Specifies the maximum node idle time in seconds before scaledown" + }, + "defaultValue": 900 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount", + "greater": "[parameters('maxNodeCount')]" + }, + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount", + "greater": "[parameters('minNodeCount')]" + }, + { + "value": "[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]", + "greater": "[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-HbiWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-HbiWorkspace.json new file mode 100644 index 00000000..f7e0aa88 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-HbiWorkspace.json 
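Review bot: The `value` expression for `nodeIdleTimeBeforeScaleDown` only works for ISO 8601 durations expressed purely in seconds (`PT900S`): for `PT15M` or `PT1H` every designator is replaced by `/`, the last element of the split is an empty string, and `int('')` fails at evaluation time rather than yielding a comparable number, so the outcome for such requests is an evaluation error instead of a clean compare. Either document that constraint in the `maxNodeIdleTimeInSecondsBeforeScaleDown` description (`"description": "Maximum idle time in seconds; the cluster's nodeIdleTimeBeforeScaleDown must be expressed as PTnS"`) or extend the expression to convert the minute and hour components. Also, the `minNodeCount` condition denies clusters whose minimum node count is greater than the parameter, so the parameter is effectively an upper bound on `minNodeCount`; its displayName "Minimum Node Count" should say so, e.g. `"displayName": "Maximum allowed minimum node count"`.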
@@ -0,0 +1,60 @@ +{ + "name": "Deny-MachineLearning-HbiWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforces high business impact Azure Machine Learning Workspaces", + "description": "Enforces high business impact Azure Machine Learning workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicAccessWhenBehindVnet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicAccessWhenBehindVnet.json new file mode 100644 index 00000000..808062fd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicAccessWhenBehindVnet.json 
@@ -0,0 +1,60 @@ +{ + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny public acces behind vnet to Azure Machine Learning workspace", + "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicNetworkAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicNetworkAccess.json new file mode 100644 index 00000000..96bdd75f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicNetworkAccess.json 
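Review bot: The `displayName` contains a typo, "public acces behind vnet", which will be shown verbatim in the portal and in compliance reports; it should read `"displayName": "Deny public access behind vnet to Azure Machine Learning workspace"`. The rule body itself (anyOf of `exists: false` and `notEquals: false`) correctly treats an omitted `allowPublicAccessWhenBehindVnet` as non-compliant.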
@@ -0,0 +1,52 @@
+{
+ "name": "Deny-MachineLearning-PublicNetworkAccess",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Machine Learning should have disabled public network access",
+ "description": "Denies public network access for Azure Machine Learning workspaces.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json
new file mode 100644
index 00000000..a8da0438
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json
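Review bot: The `publicNetworkAccess` check is a lone `"notEquals": "Disabled"` clause, whereas the two preceding Machine Learning hunks pair their check with an explicit `exists` clause inside an `anyOf`; a request that omits the property most likely still fails `notEquals` and is denied, but the intent is clearer, and consistent with the rest of the library, if it is written as `"anyOf": [ { "field": "…/publicNetworkAccess", "exists": "false" }, { "field": "…/publicNetworkAccess", "notEquals": "Disabled" } ]`. The MariaDB hunk on L538 uses the same single-clause shape. This metadata also lists only `"AzureCloud"` although the file is placed under `lib/china/`.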
@@ -0,0 +1,80 @@
+{
+ "name": "Deny-MySql-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "MySQL database servers enforce SSL connections.",
+ "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "Select version minimum TLS for MySQL server",
+ "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "notEquals": "Enabled"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json
new file mode 100644
index 00000000..fb396d6a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json
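Review bot: The `minimalTlsVersion` clause compares with `notequals` against the parameter, which is an exact-match check rather than a minimum: with the default `TLS1_2` any server whose `minimalTlsVersion` differs is denied, and if an assigner picks `TLS1_0` a server configured with the stronger `TLS1_2` is denied as well. The `allowedValues` list also admits `"TLSEnforcementDisabled"`, so an assignment can turn a definition named `Deny-MySql-http` into one that rejects servers that do enforce TLS; consider dropping that value, or at least stating in the parameter `description` that the policy pins one exact version, e.g. `"description": "Exact minimalTlsVersion that Azure Database for MySQL servers must be configured with; any other value is denied"`. The same exact-match shape is used in the PostgreSQL, Redis, SQL, SQL MI and Storage minTLS hunks that follow.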
@@ -0,0 +1,80 @@
+{
+ "name": "Deny-PostgreSql-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "PostgreSQL database servers enforce SSL connection.",
+ "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.1",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "Select version minimum TLS for MySQL server",
+ "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
+ "notEquals": "Enabled"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json
new file mode 100644
index 00000000..643df1d5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json
@@ -0,0 +1,46 @@
+{
+ "name": "Deny-Private-DNS-Zones",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny the creation of private DNS",
+ "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/privateDnsZones"
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
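Review bot: The `minimalTlsVersion` parameter metadata in this PostgreSQL definition was carried over from the MySQL one: it still reads `"displayName": "Select version minimum TLS for MySQL server"` and `"description": "Select version minimum TLS version Azure Database for MySQL server to enforce"`, and these are the strings an assigner sees in the portal. They should name PostgreSQL, e.g. `"displayName": "Select minimum TLS version for PostgreSQL server"` and `"description": "Select the minimum TLS version Azure Database for PostgreSQL servers must enforce"`. The `"TLSEnforcementDisabled"` allowed value raises the same concern as in the MySQL hunk above.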
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json
new file mode 100644
index 00000000..529c1964
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-PublicEndpoint-MariaDB",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Public network access should be disabled for MariaDB",
+ "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMariaDB/servers"
+ },
+ {
+ "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess",
+ "notequals": "Disabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json
new file mode 100644
index 00000000..cd073a1f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json
@@ -0,0 +1,46 @@
+{
+ "name": "Deny-PublicIP",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny the creation of public IP",
+ "description": "This policy denies creation of Public IPs under the assigned scope.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/publicIPAddresses"
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json
new file mode 100644
index 00000000..13ee18ae
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json
@@ -0,0 +1,124 @@
+{
+ "name": "Deny-RDP-From-Internet",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "RDP access from the Internet should be blocked",
+ "description": "This policy denies any network security rule that allows RDP access from Internet",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
+ "equals": "Allow"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
+ "equals": "Inbound"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "3389"
+ },
+ {
+ "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
+ "equals": "true"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "where": {
+ "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
+ "equals": "true"
+ }
+ },
+ "greater": 0
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "3389"
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "Internet"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "Internet"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json
new file mode 100644
index 00000000..73d491ad
--- /dev/null
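Review bot: The source-side `anyOf` recognises only `"*"` and `"Internet"`, both as a scalar `sourceAddressPrefix` and as an element of `sourceAddressPrefixes[*]`, so an inbound Allow rule on 3389 whose source is written as the CIDR `0.0.0.0/0` — which the NSG API also accepts as "any source" — slips past this definition even though it is equivalent to `*`. If that narrowing is intentional, the `description` should say that only `*` and `Internet` sources are evaluated; otherwise add matching clauses for `0.0.0.0/0` (one scalar `"equals"` and one `not`/`notEquals` form for the `[*]` alias, mirroring the existing pairs). Separately, neither `protocol` nor `priority` is consulted, so a UDP-only or shadowed rule on 3389 is also denied — conservative, but worth a sentence in the `description` so assigners are not surprised.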
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json 
@@ -0,0 +1,75 @@
+{
+ "name": "Deny-Redis-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Cache for Redis only secure connections should be enabled",
+ "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cache",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "minimumTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select minumum TLS version for Azure Cache for Redis.",
+ "description": "Select minimum TLS version for Azure Cache for Redis."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/redis"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Cache/Redis/enableNonSslPort",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/minimumTlsVersion",
+ "notequals": "[parameters('minimumTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
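Review bot: The `description` opens with `Audit enabling of only connections via SSL…` while the `effect` parameter defaults to `"Deny"`, so the text describes a weaker behaviour than the definition actually ships with; rephrase to something like `Denies Azure Cache for Redis instances that expose the non-SSL port or whose minimum TLS version differs from the selected one.` The parameter `displayName` also has a typo, `"Select minumum TLS version for Azure Cache for Redis."` should read `"Select minimum TLS version for Azure Cache for Redis."`. As in the MySQL hunk, `notequals` against `minimumTlsVersion` is an exact match, not a floor, and the `allowedValues` of `1.1` and `1.0` let an assignment require a weaker protocol than the default.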
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json
new file mode 100644
index 00000000..f859443e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json
@@ -0,0 +1,75 @@
+{
+ "name": "Deny-Sql-minTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Audit"
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select version for SQL server",
+ "description": "Select version minimum TLS version SQL servers to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Sql/servers/minimalTlsVersion",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Sql/servers/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
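Review bot: `effect` defaults to `"Audit"` here and in the SQL Managed Instance hunk at L548, while the definition is named `Deny-Sql-minTLS` and every other Deny-* definition in this chunk defaults to `"Deny"`; an assignment that accepts the defaults will only report servers with a weak TLS floor instead of blocking them. If Audit is deliberate (e.g. to avoid breaking existing servers), record the reason in the `description`; otherwise change `"defaultValue": "Audit"` to `"defaultValue": "Deny"` in both files. The `description` also carries two typos that L548 repeats, `reccomended` → `recommended` and `vunerabilities` → `vulnerabilities`.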
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json
new file mode 100644
index 00000000..951d1ac1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json
@@ -0,0 +1,75 @@
+{
+ "name": "Deny-SqlMi-minTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Audit"
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select version for SQL server",
+ "description": "Select version minimum TLS version SQL servers to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Sql/managedInstances"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json
new file mode 100644
index 00000000..5b10d486
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json
@@ -0,0 +1,91 @@
+{
+ "name": "Deny-Storage-minTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled",
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "minimumTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_1",
+ "TLS1_0"
+ ],
+ "metadata": {
+ "displayName": "Storage Account select minimum TLS version",
+ "description": "Select version minimum TLS version on Azure Storage Account to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "value": "[requestContext().apiVersion]",
+ "less": "2019-04-01"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
+ "exists": "false"
+ }
+ ]
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
+ "equals": "false"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
+ "notequals": "[parameters('minimumTlsVersion')]"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
+ "exists": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json
new file mode 100644
index 00000000..73ec47e2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json
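Review bot: The `description` only talks about secure transfer (`Audit requirement of Secure transfer in your storage account…`), but the rule also denies accounts whose `minimumTlsVersion` is missing or differs from the parameter, and the default effect is `Deny`, not Audit; the text should cover both checks, e.g. `Denies storage accounts that do not require secure transfer (HTTPS) or whose minimum TLS version is unset or differs from the selected value.` The `supportsHttpsTrafficOnly` `exists: "false"` clause is deliberately gated on `requestContext().apiVersion` being older than `2019-04-01`, presumably because newer API versions default the property; the `minimumTlsVersion` `exists: "false"` clause has no such gate, so the description should also make clear that the property must be set explicitly on every request.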
@@ -0,0 +1,100 @@
+{
+ "name": "Deny-Subnet-Without-Nsg",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Subnets should have a Network Security Group",
+ "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "excludedSubnets": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Excluded Subnets",
+ "description": "Array of subnet names that are excluded from this policy"
+ },
+ "defaultValue": [
+ "GatewaySubnet",
+ "AzureFirewallSubnet",
+ "AzureFirewallManagementSubnet"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "equals": "Microsoft.Network/virtualNetworks",
+ "field": "type"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/virtualNetworks/subnets[*]",
+ "where": {
+ "allOf": [
+ {
+ "exists": "false",
+ "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
+ "notIn": "[parameters('excludedSubnets')]"
+ }
+ ]
+ }
+ },
+ "notEquals": 0
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/subnets"
+ },
+ {
+ "field": "name",
+ "notIn": "[parameters('excludedSubnets')]"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
+ "exists": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json
new file mode 100644
index 00000000..7bc81d04
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json
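Review bot: The `excludedSubnets` exemption is matched on `subnets[*].name` and `name` alone, so any subnet that happens to carry one of the excluded names, in any VNet under the assignment, bypasses the NSG requirement; that is inherent to a name-based exclusion but the parameter `description` (`Array of subnet names that are excluded from this policy`) should say so, e.g. `Array of subnet names that are excluded from this policy. Matching is by name only, so any subnet with an excluded name is exempt regardless of which VNet it belongs to.` The UDR hunk on L554 has the same name-based exemption (`AzureBastionSubnet`) and would benefit from the same wording. The second sentence of the `description`, `NSG help to protect traffic across subnet-level.`, reads awkwardly; `NSGs help protect traffic at the subnet level.` is the likely intent.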
@@ -0,0 +1,98 @@
+{
+ "name": "Deny-Subnet-Without-Udr",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Subnets should have a User Defined Route",
+ "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "excludedSubnets": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Excluded Subnets",
+ "description": "Array of subnet names that are excluded from this policy"
+ },
+ "defaultValue": [
+ "AzureBastionSubnet"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "equals": "Microsoft.Network/virtualNetworks",
+ "field": "type"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/virtualNetworks/subnets[*]",
+ "where": {
+ "allOf": [
+ {
+ "exists": "false",
+ "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
+ "notIn": "[parameters('excludedSubnets')]"
+ }
+ ]
+ }
+ },
+ "notEquals": 0
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/subnets"
+ },
+ {
+ "field": "name",
+ "notIn": "[parameters('excludedSubnets')]"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
+ "exists": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json
new file mode 100644
index 00000000..d9d6dd82
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-VNET-Peer-Cross-Sub",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny vNet peering cross subscription.",
+ "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
+ "metadata": {
+ "version": "1.0.1",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+ "notcontains": "[subscription().id]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
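Review bot: The cross-subscription check relies on `"notcontains": "[subscription().id]"`, a substring test of the peering's `remoteVirtualNetwork.id` against the deploying subscription's `/subscriptions/<guid>` prefix; that works for well-formed resource IDs, but a reader has to know that `subscription().id` is the full `/subscriptions/…` path rather than the bare GUID, and the `description` should state what is actually compared, e.g. `Denies VNet peerings whose remote virtual network resource ID is not under the subscription the peering is created in.` The `description` also has a number-agreement slip: `outside of the same subscriptions` → `outside of the same subscription`. Note that `mode: "All"` is correct here since `virtualNetworkPeerings` is a child resource without its own location/tags.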
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json
new file mode 100644
index 00000000..e7f4e9fb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json
@@ -0,0 +1,88 @@ +{ + "name": "Deny-VNET-Peering-To-Non-Approved-VNETs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering to non-approved vNets", + "description": "This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "allowedVnets": { + "type": "Array", + "metadata": { + "displayName": "Allowed vNets to peer with", + "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. 
Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" + }, + "defaultValue": [] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "exists": false + } + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json new file mode 100644 index 00000000..bf1536fe --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json 
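Review bot: `allowedVnets` defaults to `[]` while `effect` defaults to `Deny`, so an assignment that omits the parameter denies every peering in scope (`not`/`in` against an empty list is always true), and nothing in the parameter text warns about that. Suggest appending to the `allowedVnets` description: `An empty list (the default) rejects all peerings when the effect is Deny.` The `"not": { ... "exists": false }` clause in the second branch reads as a double negative; if the intent is only that the vNet declares at least one peering, `"exists": "true"` says so directly, though `[*]` alias semantics should be confirmed before changing it.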
@@ -0,0 +1,46 @@
+{
+ "name": "Deny-VNet-Peering",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny vNet peering ",
+ "description": "This policy denies the creation of vNet Peerings under the assigned scope.",
+ "metadata": {
+ "version": "1.0.1",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json
new file mode 100644
index 00000000..073ac31e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json
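Review bot: `displayName` carries a trailing space (`"Deny vNet peering "`), which is shown verbatim wherever the definition is listed and can break exact-match filtering on the name; change it to `"displayName": "Deny vNet peering",`. The sibling Deny-VNET-Peer-Cross-Sub definition ends its displayName with a full stop while this one does not, so the two should also agree on punctuation.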
@@ -0,0 +1,129 @@ +{ + "name": "Deploy-ASC-SecurityContacts", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Azure Security Center Security Contacts", + "description": "Deploy Azure Security Center Security Contacts", + "metadata": { + "version": "1.0.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Azure Security Center contact details" + } + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Security/securityContacts", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/securityContacts/email", + "contains": "[parameters('emailSecurityContact')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/securityContacts" + }, + { + "field": "Microsoft.Security/securityContacts/alertNotifications", + "equals": "On" + }, + { + "field": "Microsoft.Security/securityContacts/alertsToAdmins", + "equals": "On" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + 
"mode": "incremental", + "parameters": { + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Security contacts email address" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/securityContacts", + "name": "default", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "[parameters('emailSecurityContact')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json new file mode 100644 index 00000000..4cd913b8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json 
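Review bot: `deployment.location` is `northeurope`, but this definition is added to the china library and its `alzCloudEnvironments` includes `AzureChinaCloud`; a subscription-scoped deployment needs a location that exists in the target cloud, and the sibling Deploy-ActivityLogs-to-LA-workspace definition in this commit uses `chinaeast2` for the same purpose. Deploy-Budget and Deploy-DDoSProtection carry the same `northeurope` value. Change it to `"location": "chinaeast2",` or expose it as a parameter. Separately, the `existenceCondition` tests the flat aliases `Microsoft.Security/securityContacts/alertNotifications` and `.../alertsToAdmins` while the deployed 2020-01-01-preview resource writes `alertNotifications.state` and `notificationsByRole`; if those aliases do not resolve against the newer shape, the existence check never matches and remediation re-deploys on every evaluation, which is worth confirming with a compliance scan after the first remediation.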
@@ -0,0 +1,158 @@ +{ + "name": "Deploy-ActivityLogs-to-LA-workspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events", + "metadata": { + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace", + "assignPermissions": true + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + 
"equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "deployment": { + "location": "chinaeast2", + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logAnalytics": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "subscriptionToLa", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "Global", + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Administrative", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Security", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ServiceHealth", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Alert", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Recommendation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Policy", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Autoscale", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ResourceHealth", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ] + } + } + } + } +} \ No newline at end of file 
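Review bot: The `existenceCondition` only requires `logs.enabled` to equal `logsEnabled` and `workspaceId` to match the target workspace; it does not check which categories are enabled, so a pre-existing setting to the same workspace that streams only, say, `Administrative` appears compliant and the `Security`, `Policy` and other categories the template enables are never remediated. A stronger check counts the enabled entries of `Microsoft.Insights/diagnosticSettings/logs[*]` (a `count`/`where` block over `logs[*].category` and `logs[*].enabled`) against the eight categories the template writes, rather than the single `equals`. Note also that `logsEnabled` is typed `String` (`"True"`/`"False"`) but is written into the boolean `enabled` property of each log entry; Deploy-Diagnostics-AA in this commit uses the same pattern, so it is presumably relied upon, but a `Boolean` parameter would remove the dependency on ARM's coercion.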
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Budget.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Budget.json
new file mode 100644
index 00000000..127bdb0f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Budget.json
@@ -0,0 +1,238 @@ +{ + "name": "Deploy-Budget", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy a default budget on all subscriptions under the assigned scope", + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "metadata": { + "version": "1.1.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "description": "Enable or disable the execution of the policy" + } + }, + "budgetName": { + "type": "String", + "defaultValue": "budget-set-by-policy", + "metadata": { + "description": "The name for the budget to be created" + } + }, + "amount": { + "type": "String", + "defaultValue": "1000", + "metadata": { + "description": "The total amount of cost or usage to track with the budget" + } + }, + "timeGrain": { + "type": "String", + "defaultValue": "Monthly", + "allowedValues": [ + "Monthly", + "Quarterly", + "Annually", + "BillingMonth", + "BillingQuarter", + "BillingAnnual" + ], + "metadata": { + "description": "The time covered by a budget. Tracking of the amount will be reset based on the time grain." + } + }, + "firstThreshold": { + "type": "String", + "defaultValue": "90", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000." + } + }, + "secondThreshold": { + "type": "String", + "defaultValue": "100", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. 
It is always percent and has to be between 0 and 1000." + } + }, + "contactRoles": { + "type": "Array", + "defaultValue": [ + "Owner", + "Contributor" + ], + "metadata": { + "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactEmails": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactGroups": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Consumption/budgets", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Consumption/budgets/amount", + "equals": "[parameters('amount')]" + }, + { + "field": "Microsoft.Consumption/budgets/timeGrain", + "equals": "[parameters('timeGrain')]" + }, + { + "field": "Microsoft.Consumption/budgets/category", + "equals": "Cost" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "budgetName": { + "value": "[parameters('budgetName')]" + }, + "amount": { + "value": "[parameters('amount')]" + }, + "timeGrain": { + "value": "[parameters('timeGrain')]" + }, + "firstThreshold": { + "value": "[parameters('firstThreshold')]" + }, + "secondThreshold": { + "value": "[parameters('secondThreshold')]" + }, + "contactEmails": { + "value": 
"[parameters('contactEmails')]" + }, + "contactRoles": { + "value": "[parameters('contactRoles')]" + }, + "contactGroups": { + "value": "[parameters('contactGroups')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "budgetName": { + "type": "String" + }, + "amount": { + "type": "String" + }, + "timeGrain": { + "type": "String" + }, + "firstThreshold": { + "type": "String" + }, + "secondThreshold": { + "type": "String" + }, + "contactEmails": { + "type": "Array" + }, + "contactRoles": { + "type": "Array" + }, + "contactGroups": { + "type": "Array" + }, + "startDate": { + "type": "String", + "defaultValue": "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Consumption/budgets", + "apiVersion": "2019-10-01", + "name": "[parameters('budgetName')]", + "properties": { + "timePeriod": { + "startDate": "[parameters('startDate')]" + }, + "timeGrain": "[parameters('timeGrain')]", + "amount": "[parameters('amount')]", + "category": "Cost", + "notifications": { + "NotificationForExceededBudget1": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('firstThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + }, + "NotificationForExceededBudget2": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('secondThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + } + } + } + } + ] + } + } + } + } + } + } + } +} \ No newline at end of file 
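Review bot: `alzCloudEnvironments` lists only `AzureCloud` and `AzureUSGovernment`, yet the file is added under the china policy library; if budgets are intentionally excluded for Azure China the `description` should say so, otherwise `AzureChinaCloud` is missing from the list. The `effect` parameter's `metadata` also lacks the `"displayName": "Effect",` entry that every other definition in this commit provides. The template `$schema` uses `http://` while the ActivityLogs and Custom-Route-Table templates use `https://`; the value is an identifier rather than a fetched URL, but the library should use one form consistently.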
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json
new file mode 100644
index 00000000..29bef0fc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Custom-Route-Table", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy a route table with specific user defined routes", + "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "requiredRoutes": { + "type": "Array", + "metadata": { + "displayName": "requiredRoutes", + "description": "Routes that must exist in compliant route tables deployed by this policy" + } + }, + "vnetRegion": { + "type": "String", + "metadata": { + "displayName": "vnetRegion", + "description": "Only VNets in this region will be evaluated against this policy" + } + }, + "routeTableName": { + "type": "String", + "metadata": { + "displayName": "routeTableName", + "description": "Name of the route table automatically deployed by this policy" + } + }, + "disableBgpPropagation": { + "type": "Boolean", + "metadata": { + "displayName": "DisableBgpPropagation", + "description": "Disable BGP Propagation" + }, + "defaultValue": false + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "field": "location", + "equals": "[parameters('vnetRegion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Network/routeTables", + "existenceCondition": { + "allOf": [ + { + "field": "name", + "equals": "[parameters('routeTableName')]" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]", + "where": { + "value": "[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]", + "in": "[parameters('requiredRoutes')]" + } + }, + "equals": "[length(parameters('requiredRoutes'))]" + } + ] + }, + "roleDefinitionIds": [ + "/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "variables": { + "copyLoop": [ + { + "name": "routes", + "count": "[[length(parameters('requiredRoutes'))]", + "input": { + "name": "[[concat('route-',copyIndex('routes'))]", + "properties": { + "addressPrefix": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]", + "nextHopType": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]", + "nextHopIpAddress": "[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]" + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "routeTableDepl", 
+ "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2021-02-01", + "name": "[[parameters('routeTableName')]", + "location": "[[parameters('vnetRegion')]", + "properties": { + "disableBgpRoutePropagation": "[[parameters('disableBgpPropagation')]", + "copy": "[variables('copyLoop')]" + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json new file mode 100644 index 00000000..85255130 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json 
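Review bot: `roleDefinitionIds` uses a subscription-scoped path with a hard-coded subscription GUID (`/subscriptions/e867a45d-.../providers/Microsoft.Authorization/roleDefinitions/4d97b98b-...`), whereas every other definition in this commit references the built-in role at tenant scope; in any tenant other than the one that GUID belongs to, the role assignment for the remediation identity cannot be created and DeployIfNotExists remediation fails. Change it to `"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"`. The `requiredRoutes` entries are parsed positionally by splitting on `;` with no validation that a `virtualappliance` entry actually carries a third segment, so a malformed entry is likely to surface only as a template evaluation error at remediation time; the parameter description should at least spell out the expected `addressPrefix;nextHopType[;nextHopIpAddress]` format.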
@@ -0,0 +1,150 @@ +{ + "name": "Deploy-DDoSProtection", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy an Azure DDoS Network Protection", + "description": "Deploys an Azure DDoS Network Protection", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "ddosName": { + "type": "String", + "metadata": { + "displayName": "ddosName", + "description": "DDoSVnet" + } + }, + "ddosRegion": { + "type": "String", + "metadata": { + "displayName": "ddosRegion", + "description": "DDoSVnet location", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/ddosProtectionPlans", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "resourceGroupName": "[parameters('rgName')]", + "name": "[parameters('ddosName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[parameters('rgName')]" + }, + "ddosname": { + "value": "[parameters('ddosname')]" + }, + 
"ddosregion": { + "value": "[parameters('ddosRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "ddosname": { + "type": "String" + }, + "ddosRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "ddosprotection", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-12-01", + "name": "[parameters('ddosName')]", + "location": "[parameters('ddosRegion')]", + "properties": {} + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json new file mode 100644 index 00000000..23d62b31 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json 
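Review bot: The parameter names are inconsistently cased across the layers: the policy declares `ddosName`/`ddosRegion`, the deployment `parameters` block passes `ddosname` (via `[parameters('ddosname')]`) and `ddosregion`, the inner template declares `ddosname` and `ddosRegion`, and the resource reads `parameters('ddosName')`. ARM resolves parameter names case-insensitively so this deploys, but it reads as four different parameters and will trip any linter or reviewer comparing layers; use `ddosName` and `ddosRegion` throughout. The `ddosName` description is just `DDoSVnet`, which does not describe the value; `"description": "Name of the DDoS protection plan to create"` would be more useful.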
@@ -0,0 +1,133 @@ +{ + "name": "Deploy-Default-Udr", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy a user-defined route to a VNET with specific routes.", + "description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "defaultRoute": { + "type": "String", + "metadata": { + "displayName": "Default route to add into UDR", + "description": "Policy will deploy a default route table to a vnet" + } + }, + "vnetRegion": { + "type": "String", + "metadata": { + "displayName": "VNet Region", + "description": "Regional VNet hub location", + "strongType": "location" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "field": "location", + "equals": "[parameters('vnetRegion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/routeTables", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress", + "equals": "[parameters('defaultRoute')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "parameters": { + "udrName": { + "value": 
"[concat(field('name'),'-udr')]" + }, + "udrLocation": { + "value": "[field('location')]" + }, + "defaultRoute": { + "value": "[parameters('defaultRoute')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "udrName": { + "type": "string" + }, + "udrLocation": { + "type": "string" + }, + "defaultRoute": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "name": "[parameters('udrName')]", + "apiVersion": "2020-08-01", + "location": "[parameters('udrLocation')]", + "properties": { + "routes": [ + { + "name": "AzureFirewallRoute", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('defaultRoute')]" + } + } + ] + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json new file mode 100644 index 00000000..fee8ee21 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json 
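Review bot: The `description` says the policy deploys a user-defined route to a VNET, but the template only creates a `Microsoft.Network/routeTables` resource named `<vnet>-udr`; nothing associates it with any subnet, so traffic is not actually forced through the firewall until someone attaches it. The sibling Deploy-Custom-Route-Table definition states this explicitly (`The route table deployed by the policy must be manually associated to subnet(s)`) and the same sentence belongs here. The `existenceCondition` also checks only `routes[*].nextHopIpAddress` against `defaultRoute`, not the `0.0.0.0/0` prefix or the `VirtualAppliance` next-hop type, so any route table in the evaluated resource group with a route to that IP counts as compliant; adding conditions on `Microsoft.Network/routeTables/routes[*].addressPrefix` and `routes[*].nextHopType` would close that. The template `$schema` is the subscription deployment schema although no `deploymentScope` is set, so the deployment is resource-group scoped; Deploy-Custom-Route-Table uses `deploymentTemplate.json#` for the same kind of deployment.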
@@ -0,0 +1,201 @@
+{
+ "name": "Deploy-Diagnostics-AA",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Automation/automationAccounts"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "category": "JobLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "JobStreams",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DscNodeStatus",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AuditEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json
new file mode 100644
index 00000000..2ab193db
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json
@@ -0,0 +1,162 @@
+{
+ "name": "Deploy-Diagnostics-ACI",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerInstance/containerGroups"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json
new file mode 100644
index 00000000..fac00d21
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json
@@ -0,0 +1,193 @@
+{
+ "name": "Deploy-Diagnostics-ACR",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerRegistry/registries"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "ContainerRegistryLoginEvents",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ContainerRegistryRepositoryEvents",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json
new file mode 100644
index 00000000..0729d45e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json
@@ -0,0 +1,193 @@
+{
+ "name": "Deploy-Diagnostics-APIMgmt",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ApiManagement/service"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ApiManagement/service/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "GatewayLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "WebSocketConnectionLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AVDScalingPlans.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AVDScalingPlans.json
new file mode 100644
index 00000000..631957ec
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AVDScalingPlans.json
@@ -0,0 +1,154 @@
+{
+ "name": "Deploy-Diagnostics-AVDScalingPlans",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/scalingplans"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "Autoscale",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json
new file mode 100644
index 00000000..0b699182
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json
@@ -0,0 +1,193 @@
+{
+ "name": "Deploy-Diagnostics-AnalysisService",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.AnalysisServices/servers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "Engine",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Service",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json
new file mode 100644
index 00000000..3c43b2d8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json
@@ -0,0 +1,189 @@
+{
+ "name": "Deploy-Diagnostics-ApiForFHIR",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.HealthcareApis/services"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HealthcareApis/services/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
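Review bot: The existenceCondition in this hunk requires `Microsoft.Insights/diagnosticSettings/logs.enabled` and `Microsoft.Insights/diagnosticSettings/metrics.enabled` to equal `"true"`, while the deployed setting writes `[parameters('logsEnabled')]` and `[parameters('metricsEnabled')]`, both of which an assignment may set to `"False"`. With such an assignment the deployed diagnostic setting presumably never satisfies the condition, so the resource stays non-compliant and each remediation run redeploys the same setting. Either derive the condition from the same parameters or state on the `logsEnabled`/`metricsEnabled` parameter descriptions that choosing `"False"` under DeployIfNotExists leaves the resource permanently non-compliant. The same pattern appears in the ApplicationGateway, Bastion, CognitiveServices and CosmosDB hunks below (the CDNEndpoints hunk checks only `logs.enabled`). If these files are synced from the Enterprise-Scale source named in `metadata.source`, the change belongs upstream rather than in this copy.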
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json
new file mode 100644
index 00000000..4362a337
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-ApplicationGateway", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayPerformanceLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json
new file mode 100644
index 00000000..8958c29e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Bastion", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/bastionHosts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "BastionAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json new file mode 100644 index 00000000..618a4d6b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json 
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-CDNEndpoints", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cdn/profiles/endpoints" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "CoreAnalytics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json
new file mode 100644
index 00000000..fbf8a0e5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-CognitiveServices", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RequestResponse", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Trace", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json
new file mode 100644
index 00000000..7979a23c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json
@@ -0,0 +1,217 @@ +{ + "name": "Deploy-Diagnostics-CosmosDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DataPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MongoRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyRUConsumption", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ControlPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "CassandraRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "GremlinRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json new file mode 100644 index 00000000..43e223d8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-DLAnalytics", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataLakeAnalytics/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Requests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
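Review bot: The existenceCondition at the top of this hunk hard-codes `"equals": "true"` for both `logs.enabled` and `metrics.enabled`, while the `logsEnabled` and `metricsEnabled` parameters accept "False" as an assignable value. An assignment that sets either to False can presumably never satisfy the condition, so DeployIfNotExists would keep reporting the account as non-compliant and re-run the remediation deployment that writes the disabled setting back. Either restrict `allowedValues` to "True" or let the condition follow the parameters, e.g. `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, relying on the same case-insensitive comparison the existing "true" literal already depends on — confirm against Policy's boolean-field comparison semantics before relying on it. The same pattern is in the DataExplorerCluster, DataFactory, Databricks (logs only), EventGridSub (metrics only), EventGridSystemTopic and EventGridTopic hunks.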
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json
new file mode 100644
index 00000000..8faad53c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Diagnostics-DataExplorerCluster", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "SucceededIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FailedIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IngestionBatching", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Command", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Query", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableUsageStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableDetails", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": 
"[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json new file mode 100644 index 00000000..af901140 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json 
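Review bot: The resource type is written `Microsoft.Kusto/Clusters` in both the `if` clause and the nested template's `resources[0].type`, whereas every sibling definition in this set uses the provider's lowercase type segment (`Microsoft.DataFactory/factories`, `Microsoft.Databricks/workspaces`). Policy's `type` comparison and ARM resource type names are case-insensitive, so this is not a functional defect, but the inconsistency makes text-based audits of which resource types are covered unreliable. Suggest `"equals": "Microsoft.Kusto/clusters"` and `"type": "Microsoft.Kusto/clusters/providers/diagnosticSettings"`.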
@@ -0,0 +1,221 @@ +{ + "name": "Deploy-Diagnostics-DataFactory", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ActivityRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TriggerRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessages", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutableStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessageContext", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionComponentPhases", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionDataStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISIntegrationRuntimeLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json new file mode 100644 index 00000000..3149b1ae --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json 
@@ -0,0 +1,192 @@ +{ + "name": "Deploy-Diagnostics-Databricks", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Databricks/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "dbfs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clusters", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "accounts", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "jobs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "notebook", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ssh", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "workspace", + 
"enabled": "[parameters('logsEnabled')]" + }, + { + "category": "secrets", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "sqlPermissions", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "instancePools", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json new file mode 100644 index 00000000..c77b4eb3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json 
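Review bot: The `description` in this definition's properties says the policy sets the diagnostic "with all metrics and category enabled", but the nested template's `properties` block declares only `logs` — there is no `metrics` array and no `metricsEnabled` parameter. That text is what an assignor reads in the portal, so it should describe what is actually deployed; the closing sentence could read `The Policy will set the diagnostic with all log categories enabled`. The EventGridSub hunk has the inverse mismatch: its description promises categories while it deploys `"logs": []` with metrics only.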
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-EventGridSub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/eventSubscriptions" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json new file mode 100644 index 00000000..51ed84ae --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json 
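Review bot: `"mode": "Indexed"` combined with `"equals": "Microsoft.EventGrid/eventSubscriptions"` looks risky: Indexed mode evaluates only resource types that support tags and location, and event subscriptions are extension resources that, as far as I know, carry neither, so the rule may never be evaluated and `"[field('location')]"` would hand an empty location to the nested deployment. If that holds, this definition needs `"mode": "All"`, and the `location` parameter should be dropped or given a fixed value rather than read from the field — please confirm against the Event Grid resource provider. The other definitions in this commit target top-level trackable resources, so the concern is specific to this hunk.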
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-EventGridSystemTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/systemTopics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json
new file mode 100644
index 00000000..21c357f6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-EventGridTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/topics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PublishFailures", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
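Review bot: The `existenceCondition` hard-codes `"equals": "true"` for `Microsoft.Insights/diagnosticSettings/logs.enabled` and `metrics.enabled`, while the deployed template sets those flags from `logsEnabled`/`metricsEnabled`. If an assignment passes "False" for either, the setting the policy itself deploys can never satisfy the condition, so the topic stays non-compliant and each remediation run re-deploys the same setting. Tie the check to the parameters instead: `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"` (Policy string comparison is case-insensitive, so "True" matches the stored "true"). The sibling Deploy-Diagnostics-* definitions added in this commit carry the same mismatch.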
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json new file mode 100644 index 00000000..25aa3628 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-ExpressRoute", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PeeringRouteLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json new file mode 100644 index 00000000..26491ba6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json 
@@ -0,0 +1,241 @@ +{ + "name": "Deploy-Diagnostics-Firewall", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + 
"days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallDnsProxy", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWThreatIntel", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWIdpsSignature", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWDnsQuery", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFqdnResolveFailure", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFatFlow", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
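Review bot: The existence check for the firewall only requires that some log category is enabled, the profile name matches and the workspace matches; it never verifies which categories are on. A pre-existing `setbypolicy` setting that forwards, say, only `AzureFirewallDnsProxy` to the same workspace satisfies `logs.enabled == true`, so the policy reports compliant and the network/application-rule and threat-intel categories in the template are never switched on, which is a quiet blind spot for detection on the resource most SOC teams rely on. Consider tightening the `existenceCondition` with a `count` over `Microsoft.Insights/diagnosticSettings/logs[*]` where `logs[*].enabled` equals true, compared against the number of categories this template enables, or at minimum state the limitation in `description`, e.g. `"... Existing settings with the same profile name and workspace are treated as compliant regardless of which categories they enable."`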
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json new file mode 100644 index 00000000..d7fa9f3c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-FrontDoor", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/frontDoors" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FrontdoorAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FrontdoorWebApplicationFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json new file mode 100644 index 00000000..bcde0b94 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json 
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-Function", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "contains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FunctionAppLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
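Review bot: The `roleDefinitionIds` grant the DeployIfNotExists managed identity both Monitoring Contributor (`749f88d5-…`) and Log Analytics Contributor (`92aaf0da-…`) at assignment scope, and nothing in the definition records why the second is needed. Log Analytics Contributor reportedly carries rights beyond workspace linking (VM extension writes and storage-account key listing, to be confirmed against the current role definition), which is a wide grant for an identity whose only job is to write a diagnostic setting on `Microsoft.Web/sites`. If it exists solely for the cross-scope workspace case described in the `logAnalytics` parameter text, say so in `metadata`, e.g. `"description": "... The assignment identity also receives Log Analytics Contributor so it can link resources to a workspace outside the assignment scope."`; otherwise drop it and keep the grant to Monitoring Contributor.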
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json new file mode 100644 index 00000000..b2a779ec --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-HDInsight", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.HDInsight/clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": 
{ + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json new file mode 100644 index 00000000..69898554 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json 
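Review bot: The `description` says the policy "will set the diagnostic with all metrics and category enabled", but this definition has no `logsEnabled` parameter, deploys `"logs": []`, and its `existenceCondition` only tests `metrics.enabled`, so no log category is ever configured for HDInsight clusters. An operator reading the assignment will assume cluster logs are flowing to the workspace when they are not. Reword it to match the template, e.g. `"description": "Deploys the diagnostic settings for HDInsight to stream AllMetrics to a Log Analytics workspace when any HDInsight cluster missing this setting is created or updated. This policy configures metrics only; no log categories are enabled."`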
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-LoadBalancer", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "LoadBalancerAlertEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "LoadBalancerProbeHealthStatus", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
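Review bot: The `existenceCondition` requires `logs.enabled` and `metrics.enabled` to equal `true` irrespective of what the assignment passes in `logsEnabled`/`metricsEnabled`, so an assignment that sets either toggle to `False` deploys a diagnostic setting that can never satisfy the condition and the load balancer stays non-compliant while remediation keeps redeploying (unless these parameters are only ever assigned as `True`, in which case they are dead weight). Tie the condition to the parameters, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, or remove the two toggles and keep the hard-wired `true`. The same pattern appears in the LogicAppsISE (logs only), MariaDB, MediaService, MlWorkspace and MySQL definitions added by this commit.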
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json new file mode 100644 index 00000000..1d562829 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json 
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-LogicAppsISE", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Logic/integrationAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" 
+ }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "IntegrationAccountTrackingEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json new file mode 100644 index 00000000..773ef7fc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json 
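Review bot: The `name`, `displayName` and `description` all describe a "Logic Apps integration service environment", but the `if` condition matches `Microsoft.Logic/integrationAccounts`, the deployed resource is `Microsoft.Logic/integrationAccounts/providers/diagnosticSettings`, and the single log category `IntegrationAccountTrackingEvents` belongs to integration accounts, not to ISE. As written, an assignment named for ISE silently never touches ISE resources, and anyone relying on the display name for coverage of ISE will be misled. Either reword the metadata to say integration accounts, or retarget the rule at `Microsoft.Logic/integrationServiceEnvironments` and replace the category list with that type's own categories; the two are not interchangeable.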
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MariaDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, 
+ "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json new file mode 100644 index 00000000..c98506e3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json 
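Review bot: The `MySqlAuditLogs` category is streamed to the workspace, but the description's claim that "all metrics and category" will be enabled is only half true for this server type: to my knowledge the audit category carries no data unless audit logging is also switched on at the server level via its configuration parameters, which this policy does not deploy. Worth a sentence in the `logsEnabled` description, e.g. `"... True or False. Note: MySqlAuditLogs only yields data when audit logging is enabled on the server itself."`, so operators do not mistake an empty table for a broken pipeline. The same applies to the MySQL definition later in this commit, which uses the identical category pair.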
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-MediaService", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Media/mediaServices" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Media/mediaServices/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "KeyDeliveryRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json new file mode 100644 index 00000000..6df9c247 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json 
@@ -0,0 +1,288 @@ +{ + "name": "Deploy-Diagnostics-MlWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "AmlComputeClusterEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeClusterNodeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeJobEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeCpuGpuUtilization", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlRunStatusChangedEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsActionEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": 
"DeploymentEventACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentEventAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ComputeInstanceEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentReadEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
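Review bot: The template enumerates twenty-six log categories by hand in the `logs` array, which is the part of this definition most likely to rot: any category the service adds later is silently not collected, and the `existenceCondition` only checks `logs.enabled`, so a setting created by an older revision of this policy still passes. Consider moving the `diagnosticSettings` resource to an `apiVersion` that supports `categoryGroup` and emitting a single `{ "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" }` entry instead, which also matches the description's promise of "all ... category enabled". Separately, the `AllMetrics` entry here omits the `"timeGrain": null` key that the sibling definitions in this commit carry; presumably harmless, but it is a needless inconsistency between otherwise templated files.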
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json new file mode 100644 index 00000000..1048f2fa --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MySQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json new file mode 100644 index 00000000..daca6b48 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json 
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NIC", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkInterfaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json new file mode 100644 index 00000000..e7843361 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json 
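Review bot: The `existenceCondition` in this definition hard-codes `"Microsoft.Insights/diagnosticSettings/metrics.enabled" equals "true"`, while the deployed setting takes `"enabled": "[parameters('metricsEnabled')]"`; an assignment that sets `metricsEnabled` to `"False"` therefore deploys a setting that can never satisfy the condition and, as far as I can tell, will be reported non-compliant and re-remediated on every evaluation. Tying the check to the parameter, `"equals": "[parameters('metricsEnabled')]"` (Policy string comparison is case-insensitive), keeps compliance state honest for both values. The same pattern appears in the sibling `Deploy-Diagnostics-*` definitions added in this commit, so whichever fix is chosen should be applied across the set. If `"False"` is not an intended operating mode, the simpler alternative is to drop `"False"` from `allowedValues` and say so in the parameter description.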
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NetworkSecurityGroups", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json new file mode 100644 index 00000000..9ab8c8b9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json 
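Review bot: The two NSG categories enabled here, `NetworkSecurityGroupEvent` and `NetworkSecurityGroupRuleCounter`, give rule-hit events and counters but not per-flow records, so an assignment of this policy should not be read as providing flow-level visibility for incident response; NSG flow logs are a separate Network Watcher resource that this definition does not create. The `description` also promises "all metrics and category enabled" while the template sets `"metrics": []`, which is presumably because NSGs expose no metric categories but reads as a gap. I would amend the description to `"... The Policy enables the NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter log categories; NSG flow logs are not covered and require a separate Network Watcher flow log."` so consumers of the library know what they are and are not getting.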
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-PostgreSQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreWaitStatistics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
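Review bot: Enabling the `PostgreSQLLogs`, `QueryStoreRuntimeStatistics` and `QueryStoreWaitStatistics` categories only routes what the server already emits; on Azure Database for PostgreSQL the query-store categories are, to my knowledge, empty unless query store is switched on through server parameters, and the content of `PostgreSQLLogs` depends on the server's `log_*` settings, none of which this policy touches. A team relying on this definition for audit evidence could therefore end up with a compliant resource and an empty table. I would add a sentence to the `description` such as `"Note: the server must also be configured to emit these logs (query store and log_* server parameters); this policy only configures the diagnostic setting."` and, if the library already has a server-parameter policy, reference it there. The hard-coded `"equals": "true"` checks in `existenceCondition` have the same parameter mismatch as the other definitions in this commit.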
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json new file mode 100644 index 00000000..e3988dbf --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-PowerBIEmbedded", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.PowerBIDedicated/capacities" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json new file mode 100644 index 00000000..44f70db1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-RedisCache", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cache/redis" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cache/redis/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": 
"[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json new file mode 100644 index 00000000..f8595c85 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json 
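Review bot: The `effect` parameter admits only `DeployIfNotExists` and `Disabled`, so there is no way to roll this definition out in audit-only mode and see what would be remediated before granting the assignment identity Monitoring Contributor and Log Analytics Contributor on the scope; adding `"AuditIfNotExists"` to `allowedValues` would allow a staged rollout, and I believe Policy accepts the existing `details` block unchanged under that effect (please confirm against the current Policy schema). Separately, the template sets `"logs": []` for `Microsoft.Cache/redis`, so only metrics are streamed; if the target caches expose log categories such as client-connection logging (availability depends on tier and API version, which I cannot verify from here) a security-focused assignment would want them, and the `description` should at least state that no log categories are enabled.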
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Relay", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + 
"False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Relay/namespaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": 
false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "HybridConnectionsEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json new file mode 100644 index 00000000..2cf6fe69 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json 
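Review bot: The nested deployment template declares `"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"`; the value is an identifier that ARM does not fetch at deploy time, so this is not a transport-security problem, but it is the oldest schema URI and the plain-`http` form, and the rest of the repository's Bicep tooling will emit the `https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#` form. Aligning the new definitions on the newer URI avoids the inevitable "insecure URL" finding from template linters and keeps the library consistent; it is a one-line change per file and does not alter deployment behaviour. The `HybridConnectionsEvent` category and `AllMetrics` wiring otherwise look consistent with the sibling definitions.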
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-SQLElasticPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/elasticPools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json new file mode 100644 index 00000000..d838026c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json 
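Review bot: This definition passes `"resourceName": { "value": "[field('fullName')]" }` while every sibling in the commit uses `field('name')`, and nothing records why; a maintainer "harmonising" it would break the deployment, because the template's `concat(parameters('resourceName'), '/', 'Microsoft.Insights/', ...)` needs the `server/pool` segment for the nested `Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings` type. JSON cannot carry a comment, so I would put the reason in the `resourceName` parameter's `metadata`, e.g. `"metadata": { "description": "Full name (server/pool) of the elastic pool; fullName is required because elastic pools are child resources of Microsoft.Sql/servers." }`. The `existenceCondition` here has the same hard-coded `"true"` versus `metricsEnabled` mismatch noted on the other definitions.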
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-SQLMI", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, 
+ "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "ResourceUsageStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SQLSecurityAuditEvents", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DevOpsOperationsAudit", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json new file mode 100644 index 00000000..e9a395c1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json 
@@ -0,0 +1,185 @@ +{ + "name": "Deploy-Diagnostics-SignalR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.SignalRService/SignalR" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": 
"AllLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json new file mode 100644 index 00000000..ca3dfcc2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-TimeSeriesInsights", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.TimeSeriesInsights/environments" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Ingress", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json new file mode 100644 index 00000000..2bd6593b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-TrafficManager", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ProbeHealthStatusEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json new file mode 100644 index 00000000..fe19ea18 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json 
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VM", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Compute/virtualMachines" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + 
"value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json new file mode 100644 index 00000000..3adea471 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json 
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VMSS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { 
+ "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json new file mode 100644 index 00000000..04f12023 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json 
@@ -0,0 +1,209 @@ +{ + "name": "Deploy-Diagnostics-VNetGW", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworkGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IKEDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "P2SDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TunnelDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json new file mode 100644 index 00000000..9dbde3a3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json 
@@ -0,0 +1,188 @@ +{ + "name": "Deploy-Diagnostics-VirtualNetwork", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "VMProtectionAlerts", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
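Review bot: The existenceCondition in the new policyRule only requires `logs.enabled` and `metrics.enabled` to be true and `workspaceId` to match, so a pre-existing setting named `setbypolicy` on the same workspace with a single category switched on is treated as compliant and the VMProtectionAlerts category is never remediated. That is a coverage gap rather than a deployment failure, and it would likely not surface in the compliance view because the resource reports as compliant. If full-category coverage is the intent, consider a `count` over `Microsoft.Insights/diagnosticSettings/logs[*]` with a `where` clause on `enabled` equals `true`, compared against the number of categories the embedded template deploys, or at least state the looser contract in the definition's `description`. The same condition is used by the WVDAppGroup, WVDHostPools, WVDWorkspace, WebServerFarm and Website hunks below, and `metadata.source` suggests this library is synced from Enterprise-Scale, so the change may belong upstream.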
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json new file mode 100644 index 00000000..5db3014d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json 
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-WVDAppGroup", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/applicationGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json new file mode 100644 index 00000000..172476b3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json 
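Review bot: The `description` on the new definition ends with "The Policy will set the diagnostic with all and categorys enabled.", which is garbled; `"The Policy will set the diagnostic with all log categories enabled."` would match the wording the VirtualNetwork definition in this commit uses. The WVDHostPools and WVDWorkspace hunks below carry the same sentence. Since `metadata.source` points at Enterprise-Scale, the wording fix probably belongs there as well if this library is synced.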
@@ -0,0 +1,184 @@ +{ + "name": "Deploy-Diagnostics-WVDHostPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/hostpools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Connection", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "HostRegistration", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AgentHealthStatus", + "enabled": 
"[parameters('logsEnabled')]" + }, + { + "category": "NetworkData", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SessionHostManagement", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json new file mode 100644 index 00000000..215102a4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json 
@@ -0,0 +1,168 @@ +{ + "name": "Deploy-Diagnostics-WVDWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Feed", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": 
"[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json new file mode 100644 index 00000000..ba52b224 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-WebServerFarm", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/serverfarms/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json new file mode 100644 index 00000000..ef9a668d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json 
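Review bot: The embedded deployment template pins `Microsoft.Insights/diagnosticSettings` to `"apiVersion": "2017-05-01-preview"`, the same preview version every definition in this commit uses; a later version (`2021-05-01-preview`) exists for this type, and pinning an old preview in a newly added library is a maintenance risk rather than a functional defect. This is a style point; the template here is otherwise consistent with its existenceCondition (metrics only, `"logs": []`). If the library is synced from upstream, raise it there rather than editing the copies.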
@@ -0,0 +1,229 @@ +{ + "name": "Deploy-Diagnostics-Website", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + 
"enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AppServiceAntivirusScanAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceFileAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json new file mode 100644 index 00000000..2ab78fb4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json 
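Review bot: The `logs` array in the embedded template lists `"category": "AppServiceHTTPLogs"` twice (second and fourth entries); drop the duplicate so each category appears once. As far as I recall the diagnostic settings provider rejects a payload with a repeated category, in which case the remediation deployment would fail for every matching web app and the resource would stay non-compliant, so this is worth confirming before it ships. The virtualNetworkGateways hunk earlier in this diff (which starts before this view) has the same problem with `RouteDiagnosticLog`. If this library is synced from Enterprise-Scale, the fix belongs upstream as well.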
@@ -0,0 +1,241 @@ +{ + "name": "Deploy-Diagnostics-iotHub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Devices/IotHubs" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Devices/IotHubs/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + 
"enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Connections", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceTelemetry", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DCommands", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceIdentityOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FileUploadOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Routes", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "D2CTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TwinQueries", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "JobsOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DirectMethods", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DistributedTracing", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Configurations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceStreams", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json new file mode 100644 index 00000000..ede0b6cf --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json 
@@ -0,0 +1,167 @@ +{ + "name": "Deploy-FirewallPolicy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Azure Firewall Manager policy in the subscription", + "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "fwpolicy": { + "type": "Object", + "metadata": { + "displayName": "fwpolicy", + "description": "Object describing Azure Firewall Policy" + }, + "defaultValue": {} + }, + "fwPolicyRegion": { + "type": "String", + "metadata": { + "displayName": "fwPolicyRegion", + "description": "Select Azure region for Azure Firewall Policy", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." 
+ } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/firewallPolicies", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "resourceGroupName": "[parameters('rgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[parameters('rgName')]" + }, + "fwPolicy": { + "value": "[parameters('fwPolicy')]" + }, + "fwPolicyRegion": { + "value": "[parameters('fwPolicyRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "fwPolicy": { + "type": "object" + }, + "fwPolicyRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "fwpolicies", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + 
"variables": {}, + "resources": [ + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2019-09-01", + "name": "[parameters('fwpolicy').firewallPolicyName]", + "location": "[parameters('fwpolicy').location]", + "dependsOn": [], + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "ruleGroups", + "apiVersion": "2019-09-01", + "name": "[parameters('fwpolicy').ruleGroups.name]", + "dependsOn": [ + "[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]" + ], + "properties": { + "priority": "[parameters('fwpolicy').ruleGroups.properties.priority]", + "rules": "[parameters('fwpolicy').ruleGroups.properties.rules]" + } + } + ] + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json new file mode 100644 index 00000000..7e7290ea --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json 
@@ -0,0 +1,138 @@ +{ + "name": "Deploy-MySQL-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect minimum TLS version Azure Database for MySQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": 
"Microsoft.DBforMySQL/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforMySQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json new file mode 100644 index 00000000..ea817744 
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json
@@ -0,0 +1,62 @@
+{
+ "name": "Deploy-MySQLCMKEffect",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "MySQL servers should use customer-managed keys to encrypt data at rest",
+ "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
+ "metadata": {
+ "version": "1.0.4",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureChinaCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforMySQL/servers/keys",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.DBforMySQL/servers/keys/serverKeyType",
+ "equals": "AzureKeyVault"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/keys/uri",
+ "notEquals": ""
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/keys/uri",
+ "exists": "true"
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
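Review bot: The definition is named `Deploy-MySQLCMKEffect`, but its allowedValues are only `AuditIfNotExists` and `Disabled` and `details` carries no `deployment` block, so nothing is ever deployed; a reader picking it from the library by name will expect remediation that does not exist. Either rename it with the audit prefix the rest of the library uses for audit-only definitions or make the displayName say it audits, e.g. `"displayName": "[Audit] MySQL servers should use customer-managed keys to encrypt data at rest"`. The existence checks on `serverKeyType`, `uri notEquals ""` and `uri exists` are sound for this purpose. `alzCloudEnvironments` lists only AzureChinaCloud here while the sibling definitions in this chunk list all three clouds; presumably intentional, but worth confirming.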
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json new file mode 100644 index 00000000..cee5f35b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json 
@@ -0,0 +1,234 @@ +{ + "name": "Deploy-Nsg-FlowLogs-to-LA", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", + "metadata": { + "deprecated": true, + "version": "1.1.0-deprecated", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "interval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "workspace": { + "type": "String", + "metadata": { + "strongType": "omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." 
+ }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowlogs", + "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + } + ] + }, + "existenceScope": "resourceGroup", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]", + "deploymentScope": "subscription", + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "location": { + "value": "[field('location')]" + }, + "networkSecurityGroup": { + "value": "[field('id')]" + }, + "workspace": 
{ + "value": "[parameters('workspace')]" + }, + "retention": { + "value": "[parameters('retention')]" + }, + "interval": { + "value": "[parameters('interval')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "networkSecurityGroup": { + "type": "String" + }, + "workspace": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "interval": { + "type": "int" + }, + "time": { + "type": "String", + "defaultValue": "[utcNow()]" + } + }, + "variables": { + "resourceGroupName": "[split(parameters('networkSecurityGroup'), '/')[4]]", + "securityGroupName": "[split(parameters('networkSecurityGroup'), '/')[8]]", + "storageAccountName": "[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]", + "resourceGroup": "[variables('resourceGroupName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "properties": {}, + "kind": "StorageV2", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]", + "resourceGroup": "NetworkWatcherRG", + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2020-05-01", + "name": "[concat('NetworkWatcher_', toLower(parameters('location')))]", + "location": "[parameters('location')]", + "properties": {}, + "resources": [ + { + "type": "flowLogs", + "apiVersion": "2019-11-01", + "name": "[concat(variables('securityGroupName'), '-Network-flowlog')]", + "location": "[parameters('location')]", + "properties": { + "enabled": true, + "format": { + "type": "JSON", + "version": 2 + }, + "retentionPolicy": { + "days": "[parameters('retention')]", + "enabled": true + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": true, + "trafficAnalyticsInterval": "[parameters('interval')]", + "workspaceResourceId": "[parameters('workspace')]" + } + }, + "storageId": "[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "targetResourceId": "[parameters('networkSecurityGroup')]" + }, + "dependsOn": [ + "[concat('NetworkWatcher_', toLower(parameters('location')))]" + ] + } + ] + } + ] + } + }, + "dependsOn": [ + "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]" + ] + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json new file mode 100644 index 00000000..2a504dd4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json 
@@ -0,0 +1,196 @@ +{ + "name": "Deploy-Nsg-FlowLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.", + "metadata": { + "deprecated": true, + "version": "1.0.0-deprecated", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "storageAccountResourceId": { + "type": "String", + "metadata": { + "displayName": "Storage Account Resource Id", + "strongType": "Microsoft.Storage/storageAccounts" + } + }, + "trafficAnalyticsInterval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "flowAnalyticsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable Traffic Analytics" + }, + "defaultValue": false + }, + "logAnalytics": { + "type": "String", + "metadata": { + "strongType": "omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." 
+ }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "resourceGroupName": "NetworkWatcherRG", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled", + "equals": "[parameters('flowAnalyticsEnabled')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "networkSecurityGroupName": { + "value": "[field('name')]" + }, + "resourceGroupName": { + "value": "[resourceGroup().name]" + }, + "location": { + "value": "[field('location')]" + }, + "storageAccountResourceId": { + "value": "[parameters('storageAccountResourceId')]" + }, + "retention": { + "value": "[parameters('retention')]" + }, + "flowAnalyticsEnabled": { + "value": "[parameters('flowAnalyticsEnabled')]" + }, + "trafficAnalyticsInterval": { + "value": "[parameters('trafficAnalyticsInterval')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkSecurityGroupName": { + "type": "String" + }, + 
"resourceGroupName": { + "type": "String" + }, + "location": { + "type": "String" + }, + "storageAccountResourceId": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "flowAnalyticsEnabled": { + "type": "bool" + }, + "trafficAnalyticsInterval": { + "type": "int" + }, + "logAnalytics": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-05-01", + "name": "[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]", + "location": "[parameters('location')]", + "properties": { + "targetResourceId": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "storageId": "[parameters('storageAccountResourceId')]", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('retention')]" + }, + "format": { + "type": "JSON", + "version": 2 + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": "[bool(parameters('flowAnalyticsEnabled'))]", + "trafficAnalyticsInterval": "[parameters('trafficAnalyticsInterval')]", + "workspaceId": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]", + "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]", + "workspaceResourceId": "[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]" + } + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json new file mode 100644 index 00000000..d644cc23 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json 
@@ -0,0 +1,139 @@ +{ + "name": "Deploy-PostgreSQL-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Database for PostgreSQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version for PostgreSQL server", + "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + 
"field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notEquals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
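Review bot: The `minimalTlsVersion` allowedValues (`TLS1_0`, `TLS1_1`, `TLSEnforcementDisabled`) let an assignment of this DeployIfNotExists policy remediate servers down to a deprecated protocol or switch SSL enforcement off, because the deployment template computes `"sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]"`. With `TLSEnforcementDisabled` the existenceCondition (`sslEnforcement equals Enabled`) can never be met after that deployment, so the server stays non-compliant and is re-remediated on every evaluation. I would trim the parameter to `"allowedValues": [ "TLS1_2" ]` and hard-code `"sslEnforcement": "Enabled"` in the template, or at minimum state in the parameter description that any value other than TLS1_2 weakens the guarantee the displayName promises. Separately, `roleDefinitionIds` grants the remediation identity the Owner built-in role (8e3af657…), which is far more than writing `minimalTlsVersion` on the server requires; a Contributor-level role scoped by the assignment is enough.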
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json new file mode 100644 index 00000000..3c5c683b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json 
@@ -0,0 +1,62 @@ +{ + "name": "Deploy-PostgreSQLCMKEffect", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "PostgreSQL servers should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.", + "metadata": { + "version": "1.0.4", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/servers/keys", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/keys/serverKeyType", + "equals": "AzureKeyVault" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/keys/uri", + "notEquals": "" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/keys/uri", + "exists": "true" + } + ] + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json new file mode 100644 index 00000000..fbf43d5a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json 
@@ -0,0 +1,121 @@ +{ + "name": "Deploy-Private-DNS-Azure-File-Sync", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Configure Azure File Sync to use private DNS zones", + "description": "To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "afs" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "privatelink-afs", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json new file mode 100644 index 00000000..39500ade --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json 
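Review bot: The `privateDnsZoneId` parameter has no `"assignPermissions": true` in its metadata, whereas the sibling Key Vault definition in this change sets it; without that flag the remediation identity only receives the `roleDefinitionIds` at the assignment scope, and when the private DNS zone lives in another subscription (typically the connectivity subscription in a landing-zone layout) the privateDnsZoneGroups deployment fails on the zone join. Add `"assignPermissions": true` next to `"strongType": "Microsoft.Network/privateDnsZones"`. The Network Contributor / Private DNS Zone Contributor pair already listed in `roleDefinitionIds` is then what gets assigned at the zone scope.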
@@ -0,0 +1,122 @@ +{ + "name": "Deploy-Private-DNS-Azure-KeyVault", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Preview: Configure Azure Key Vaults to use private DNS zones", + "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.", + "metadata": { + "version": "1.0.0-preview", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "preview": true, + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID", + "description": "A private DNS zone ID to connect to the private endpoint.", + "strongType": "Microsoft.Network/privateDnsZones", + "assignPermissions": true + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "vault" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", 
+ "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "keyvault-privateDnsZone", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json new file mode 100644 index 00000000..c677c5dd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json 
@@ -0,0 +1,120 @@ +{ + "name": "Deploy-Private-DNS-Azure-Web", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Configure Azure Web PubSub Service to use private DNS zones", + "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.", + "metadata": { + "version": "1.0.0", + "category": "Web PubSub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone Id", + "description": "Private DNS zone to integrate with private endpoint.", + "strongType": "Microsoft.Network/privateDnsZones" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "webpubsub" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "privatelink-webpubsub-azure-com", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json new file mode 100644 index 00000000..07fa3ffb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json 
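Review bot: As in the File Sync definition, `privateDnsZoneId` carries no `"assignPermissions": true`, so when the zone sits in a subscription other than the one the assignment targets the managed identity is granted nothing on the zone and the privateDnsZoneGroups deployment fails; add the flag next to the `strongType` entry. The privateDnsZoneConfigs entry is also labelled `privatelink-webpubsub-azure-com` although this file lives in the `lib/china` library, where the private link zone presumably uses a different suffix — the name is only a label and does not affect resolution, but a neutral `"name": "privatelink-webpubsub"` avoids implying a zone that may not exist in that cloud. The policy `name` (`Deploy-Private-DNS-Azure-Web`) and the `displayName` (Azure Web PubSub) should agree as well.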
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-SQL-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL servers deploys a specific min TLS version requirement.", + "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "equals": 
"[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2019-06-01-preview", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json new file mode 100644 index 00000000..dba8a54d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json 
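Review bot: The `minimalTlsVersion` allowedValues `"1.1"` and `"1.0"`, combined with the exact-match trigger `"notequals": "[parameters('minimalTlsVersion')]"`, mean an assignment with a weaker value actively remediates a server that is already at 1.2 down to 1.1 or 1.0 — the rule cannot tell "weaker than required" from "different from required". Trim the parameter to `"allowedValues": [ "1.2" ]` (the defaultValue already is 1.2), or document that the value must be the strongest version the estate supports. The remediation identity is also granted the Owner role id (8e3af657…); the other SQL definitions in this change use narrower SQL-specific roles, and a Contributor-level role suffices to write `minimalTlsVersion`.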
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-Sql-AuditingSettings", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL database auditing settings", + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "name": "default", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/auditingSettings/state", + "equals": "enabled" + }, + { + "field": "Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled", + "equals": "true" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2017-03-01-preview", + 
"properties": { + "state": "enabled", + "auditActionsAndGroups": [ + "BATCH_COMPLETED_GROUP", + "DATABASE_OBJECT_CHANGE_GROUP", + "SCHEMA_OBJECT_CHANGE_GROUP", + "BACKUP_RESTORE_GROUP", + "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP", + "DATABASE_PRINCIPAL_CHANGE_GROUP", + "DATABASE_PRINCIPAL_IMPERSONATION_GROUP", + "DATABASE_ROLE_MEMBER_CHANGE_GROUP", + "USER_CHANGE_PASSWORD_GROUP", + "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP", + "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP", + "DATABASE_PERMISSION_CHANGE_GROUP", + "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP", + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP" + ], + "isAzureMonitorTargetEnabled": true + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json new file mode 100644 index 00000000..426cafee --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json 
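Review bot: The deployed auditingSettings set `"isAzureMonitorTargetEnabled": true`, but nothing in this definition creates the diagnostic setting that routes the `SQLSecurityAuditEvents` category to a Log Analytics workspace, Event Hub or storage account. On its own the remediation therefore yields an "enabled" state that the existenceCondition accepts while audit records have no destination — presumably this is meant to pair with a separate diagnostic-settings policy, and the description should say so, e.g. `"description": "Deploy auditing settings to SQL Database when they do not exist. Audit records are only delivered if a diagnostic setting for the SQLSecurityAuditEvents category is also configured on the database."`. The `location` template parameter is declared and passed but never used by the resource; it can be dropped from both the template parameters and the deployment parameters.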
@@ -0,0 +1,112 @@ +{ + "name": "Deploy-Sql-SecurityAlertPolicies", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state", + "equals": "Enabled" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2018-06-01-preview", + "properties": { + "state": "Enabled", + 
"disabledAlerts": [ + "" + ], + "emailAddresses": [ + "admin@contoso.com" + ], + "emailAccountAdmins": true, + "storageEndpoint": null, + "storageAccountAccessKey": "", + "retentionDays": 0 + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json new file mode 100644 index 00000000..b8c756ef --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json 
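Review bot: The deployment hard-codes `"emailAddresses": [ "admin@contoso.com" ]`, a placeholder address, so every database remediated by this policy sends threat-detection alerts to a mailbox outside the customer's control. Make the recipients a policy parameter, e.g. `"emailAddresses": "[parameters('securityAlertEmails')]"` backed by an Array parameter defaulting to `[]`, and rely on `"emailAccountAdmins": true` for the default path; the neighbouring vulnerability-assessment definition already takes an email parameter, so the pattern exists in this change. Note that the existenceCondition only checks `state equals Enabled`, so databases remediated with the placeholder will not be corrected by a later parameter change — worth stating in the description.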
@@ -0,0 +1,102 @@ +{ + "name": "Deploy-Sql-Tde", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database Transparent Data Encryption ", + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/transparentDataEncryption.status", + "equals": "Enabled" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]", + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "properties": { + "status": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + 
"sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json new file mode 100644 index 00000000..5b254fd7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json 
@@ -0,0 +1,141 @@ +{ + "name": "Deploy-Sql-vulnerabilityAssessments", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "String", + "metadata": { + "description": "The email address to send alerts", + "displayName": "The email address to send alerts" + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails", + "equals": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "vulnerabilityAssessmentsEmail": { + "type": "String" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": [ + "[parameters('vulnerabilityAssessmentsEmail')]" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa" + ] + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json
new file mode 100644
index 00000000..237c536c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-SqlMi-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL managed instances deploy a specific min TLS version requirement.", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/managedInstances", + "existenceCondition": { + "allOf": [ + { + "field": 
"Microsoft.Sql/managedInstances/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2020-02-02-preview", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json new file mode 100644 index 00000000..8835ff5e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json 
@@ -0,0 +1,138 @@ +{ + "name": "Deploy-Storage-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", + "metadata": { + "version": "1.1.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Storage", + "description": "Enable or disable the execution of the policy minimum TLS version Azure STorage" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Select TLS version for Azure Storage server", + "description": "Select version minimum TLS version Azure STorage to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "notEquals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notEquals": "[parameters('minimumTlsVersion')]" + } + ] + 
} + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Storage/storageAccounts", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "equals": "[parameters('minimumTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimumTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "[parameters('minimumTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimumTlsVersion": { + "value": "[parameters('minimumTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json new file mode 100644 index 00000000..76e21fcd --- /dev/null 
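Review bot: The `description` on this definition is copied from the SQL TLS policy and talks about "your database server" and "your client applications", which does not describe a storage account, and the parameter metadata misspells "STorage" twice. A description such as `"Deploy a minimum TLS version and enforce HTTPS-only traffic on Azure Storage accounts, so the data stream between clients and the account is protected against downgrade and man-in-the-middle attacks."` would match what the `policyRule` actually enforces (`supportsHttpsTrafficOnly` and `minimumTlsVersion`).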
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json 
@@ -0,0 +1,309 @@ +{ + "name": "Deploy-VNET-HubSpoke", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Virtual Network with peering to the hub", + "description": "This policy deploys virtual network and peer to the hub", + "metadata": { + "version": "1.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vNetName": { + "type": "String", + "metadata": { + "displayName": "vNetName", + "description": "Name of the landing zone vNet" + } + }, + "vNetRgName": { + "type": "String", + "metadata": { + "displayName": "vNetRgName", + "description": "Name of the landing zone vNet RG" + } + }, + "vNetLocation": { + "type": "String", + "metadata": { + "displayName": "vNetLocation", + "description": "Location for the vNet" + } + }, + "vNetCidrRange": { + "type": "String", + "metadata": { + "displayName": "vNetCidrRange", + "description": "CIDR Range for the vNet" + } + }, + "hubResourceId": { + "type": "String", + "metadata": { + "displayName": "hubResourceId", + "description": "Resource ID for the HUB vNet" + } + }, + "dnsServers": { + "type": "Array", + "metadata": { + "displayName": "DNSServers", + "description": "Default domain servers for the vNET." 
+ }, + "defaultValue": [] + }, + "vNetPeerUseRemoteGateway": { + "type": "Boolean", + "metadata": { + "displayName": "vNetPeerUseRemoteGateway", + "description": "Enable gateway transit for the LZ network" + }, + "defaultValue": false + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/virtualNetworks", + "name": "[parameters('vNetName')]", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "ResourceGroupName": "[parameters('vNetRgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "name", + "like": "[parameters('vNetName')]" + }, + { + "field": "location", + "equals": "[parameters('vNetLocation')]" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "vNetRgName": { + "value": "[parameters('vNetRgName')]" + }, + "vNetName": { + "value": "[parameters('vNetName')]" + }, + "vNetLocation": { + "value": "[parameters('vNetLocation')]" + }, + "vNetCidrRange": { + "value": "[parameters('vNetCidrRange')]" + }, + "hubResourceId": { + "value": "[parameters('hubResourceId')]" + }, + "dnsServers": { + "value": "[parameters('dnsServers')]" + }, + "vNetPeerUseRemoteGateway": { + "value": "[parameters('vNetPeerUseRemoteGateway')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "vNetRgName": { + "type": "String" + }, + "vNetName": { + "type": "String" + }, + "vNetLocation": { + "type": "String" + }, + "vNetCidrRange": { + "type": "String" + }, + "vNetPeerUseRemoteGateway": { + "type": "bool", + "defaultValue": false + }, + "hubResourceId": { + "type": 
"String" + }, + "dnsServers": { + "type": "Array", + "defaultValue": [] + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2021-04-01", + "name": "[parameters('vNetRgName')]", + "location": "[parameters('vNetLocation')]", + "properties": {} + } + ], + "outputs": {} + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "dependsOn": [ + "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-02-01", + "name": "[parameters('vNetName')]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vNetCidrRange')]" + ] + }, + "dhcpOptions": { + "dnsServers": "[parameters('dnsServers')]" + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "apiVersion": "2021-02-01", + "name": "[concat(parameters('vNetName'), '/peerToHub')]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + 
"properties": { + "remoteVirtualNetwork": { + "id": "[parameters('hubResourceId')]" + }, + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": false, + "useRemoteGateways": "[parameters('vNetPeerUseRemoteGateway')]" + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "subscriptionId": "[split(parameters('hubResourceId'),'/')[2]]", + "resourceGroup": "[split(parameters('hubResourceId'),'/')[4]]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "remoteVirtualNetwork": { + "type": "String", + "defaultValue": false + }, + "hubName": { + "type": "String", + "defaultValue": false + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]", + "apiVersion": "2021-02-01", + "properties": { + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": true, + "useRemoteGateways": false, + "remoteVirtualNetwork": { + "id": "[[parameters('remoteVirtualNetwork')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "remoteVirtualNetwork": { + "value": "[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]" + }, + "hubName": { + "value": "[split(parameters('hubResourceId'),'/')[8]]" + } + } + } + } + ], + "outputs": {} + } + }, + "resourceGroup": "[parameters('vNetRgName')]" + } + ], + "outputs": {} + } + } + } + } + } + } + } +} 
\ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json new file mode 100644 index 00000000..6e7244f0 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json 
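Review bot: The subscription-level `deployment` block hard-codes `"location": "northeurope"`, but this file sits under `lib/china` and lists `AzureChinaCloud` in `alzCloudEnvironments`, where that region does not exist, so the remediation deployment cannot be created there; use `"location": "[parameters('vNetLocation')]"` if the policy engine evaluates expressions in that field, otherwise a region that exists in the target cloud. In the inner hub-peering template, `remoteVirtualNetwork` and `hubName` are declared `"type": "String"` with `"defaultValue": false`, a type mismatch; both are always supplied from the outer template, so removing the two `defaultValue` lines is the clean fix. The hub-side peering is deployed into the hub's subscription (`split(parameters('hubResourceId'),'/')[2]`), so the remediation identity presumably needs the `roleDefinitionIds` role there too, which an assignment scoped to the landing-zone subscriptions would not grant on its own; that prerequisite is worth stating in the `description`.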
@@ -0,0 +1,261 @@ +{ + "name": "Deploy-Windows-DomainJoin", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Windows Domain Join Extension with keyvault configuration", + "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", + "metadata": { + "version": "1.0.0", + "category": "Guest Configuration", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "domainUsername": { + "type": "String", + "metadata": { + "displayName": "domainUsername" + } + }, + "domainPassword": { + "type": "String", + "metadata": { + "displayName": "domainPassword" + } + }, + "domainFQDN": { + "type": "String", + "metadata": { + "displayName": "domainFQDN" + } + }, + "domainOUPath": { + "type": "String", + "metadata": { + "displayName": "domainOUPath" + } + }, + "keyVaultResourceId": { + "type": "String", + "metadata": { + "displayName": "keyVaultResourceId" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "2008-R2-SP1", + "2008-R2-SP1-smalldisk", + "2008-R2-SP1-zhcn", + "2012-Datacenter", + "2012-datacenter-gensecond", + "2012-Datacenter-smalldisk", + "2012-datacenter-smalldisk-g2", + 
"2012-Datacenter-zhcn", + "2012-datacenter-zhcn-g2", + "2012-R2-Datacenter", + "2012-r2-datacenter-gensecond", + "2012-R2-Datacenter-smalldisk", + "2012-r2-datacenter-smalldisk-g2", + "2012-R2-Datacenter-zhcn", + "2012-r2-datacenter-zhcn-g2", + "2016-Datacenter", + "2016-datacenter-gensecond", + "2016-datacenter-gs", + "2016-Datacenter-Server-Core", + "2016-datacenter-server-core-g2", + "2016-Datacenter-Server-Core-smalldisk", + "2016-datacenter-server-core-smalldisk-g2", + "2016-Datacenter-smalldisk", + "2016-datacenter-smalldisk-g2", + "2016-Datacenter-with-Containers", + "2016-datacenter-with-containers-g2", + "2016-Datacenter-with-RDSH", + "2016-Datacenter-zhcn", + "2016-datacenter-zhcn-g2", + "2019-Datacenter", + "2019-Datacenter-Core", + "2019-datacenter-core-g2", + "2019-Datacenter-Core-smalldisk", + "2019-datacenter-core-smalldisk-g2", + "2019-Datacenter-Core-with-Containers", + "2019-datacenter-core-with-containers-g2", + "2019-Datacenter-Core-with-Containers-smalldisk", + "2019-datacenter-core-with-containers-smalldisk-g2", + "2019-datacenter-gensecond", + "2019-datacenter-gs", + "2019-Datacenter-smalldisk", + "2019-datacenter-smalldisk-g2", + "2019-Datacenter-with-Containers", + "2019-datacenter-with-containers-g2", + "2019-Datacenter-with-Containers-smalldisk", + "2019-datacenter-with-containers-smalldisk-g2", + "2019-Datacenter-zhcn", + "2019-datacenter-zhcn-g2", + "Datacenter-Core-1803-with-Containers-smalldisk", + "datacenter-core-1803-with-containers-smalldisk-g2", + "Datacenter-Core-1809-with-Containers-smalldisk", + "datacenter-core-1809-with-containers-smalldisk-g2", + "Datacenter-Core-1903-with-Containers-smalldisk", + "datacenter-core-1903-with-containers-smalldisk-g2", + "datacenter-core-1909-with-containers-smalldisk", + "datacenter-core-1909-with-containers-smalldisk-g1", + "datacenter-core-1909-with-containers-smalldisk-g2" + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "JsonADDomainExtension" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Compute" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "domainUsername": { + "reference": { + "keyVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "secretName": "[parameters('domainUsername')]" + } + }, + "domainPassword": { + "reference": { + "keyVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "secretName": "[parameters('domainPassword')]" + } + }, + "domainOUPath": { + "value": "[parameters('domainOUPath')]" + }, + "domainFQDN": { + "value": "[parameters('domainFQDN')]" + }, + "keyVaultResourceId": { + "value": "[parameters('keyVaultResourceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "String" + }, + "location": { + "type": "String" + }, + "domainUsername": { + "type": "String" + }, + "domainPassword": { + "type": "securestring" + }, + "domainFQDN": { + "type": "String" + }, + "domainOUPath": { + "type": "String" + }, + "keyVaultResourceId": { + "type": "String" + } + }, + "variables": { + "domainJoinOptions": 3, + "vmName": "[parameters('vmName')]" + }, + "resources": [ + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(variables('vmName'),'/joindomain')]", + "location": "[resourceGroup().location]", + "properties": { + "publisher": "Microsoft.Compute", + "type": 
"JsonADDomainExtension", + "typeHandlerVersion": "1.3", + "autoUpgradeMinorVersion": true, + "settings": { + "Name": "[parameters('domainFQDN')]", + "User": "[parameters('domainUserName')]", + "Restart": "true", + "Options": "[variables('domainJoinOptions')]", + "OUPath": "[parameters('domainOUPath')]" + }, + "protectedSettings": { + "Password": "[parameters('domainPassword')]" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt new file mode 100644 index 00000000..79c28482 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt 
@@ -0,0 +1,908 @@ +var varCustomPolicySetDefinitionsArray = [ + { + name: 'Deny-PublicPaaSEndpoints' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' + definitionParameters: 
varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + 
definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-MDFC-Config' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.ascExport.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForArm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForArm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderforContainers.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForDns' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForDns.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForSqlPaas.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForVM.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.securityEmailContact.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Private-DNS-Zones' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters + definitionGroups: [] + 
} + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters + 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoT'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters
+ 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Web'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Sql-Security'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbTdeDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Encryption-CMK'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACRCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.ACRCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AksCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
+ 
definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AksCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AzureBatchCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataBoxCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerTDECMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StorageCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SynapseWorkspaceCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WorkspaceCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.WorkspaceCMK.parameters
+ 
definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-EncryptTransit'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'AKSIngressHttpsOnlyEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceHttpEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceminTlsVersion'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionLatestTlsEffect'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisDenyhttps'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisDenyhttps.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisdisableNonSslPort'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSEffect'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDeployHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+]
+
+
+// Policy Set/Initiative Definition Parameter Variables
+
+var varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json')
+
+var varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters = 
loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json')
+
+var varPolicySetDefinitionEsMcDeployMDFCConfigParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json')
+
+var varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json')
+
+var varPolicySetDefinitionEsMcDeploySqlSecurityParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json')
+
+var varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json')
+
+var varPolicySetDefinitionEsMcEnforceEncryptTransitParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json')
+
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json
new file mode 100644
index 00000000..b6e19067
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json
@@ -0,0 +1,256 @@
+{
+ "name": "Deny-PublicPaaSEndpoints",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "CosmosPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for CosmosDB",
+ "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "KeyVaultPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for KeyVault",
+ "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "SqlServerPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure SQL Database should be disabled",
+ "description": "This policy denies creation of Sql servers with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "StoragePublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access onStorage accounts should be disabled",
+ "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints"
+ },
+ 
"allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AKSPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on AKS API should be disabled",
+ "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "ACRPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure Container Registry disabled",
+ "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints "
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AFSPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure File Sync disabled",
+ "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints "
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "PostgreSQLFlexPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for PostgreSql Flexible Server",
+ "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "MySQLFlexPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for MySQL Flexible Server",
+ "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "BatchPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure Batch 
Instances",
+ "description": "This policy denies creation of Azure Batch Instances with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StoragePublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ACRDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f",
+ "parameters": {
+ "effect": {
+ "value": 
"[[parameters('ACRPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AFSDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AFSPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BatchDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BatchPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json
new file mode 100644
index 00000000..ca7aa1f7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json
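Review bot: Several portal-facing strings in the new parameters block carry typos that assignees will see verbatim: the StoragePublicIpDenyEffect displayName reads `"Public network access onStorage accounts should be disabled"` (missing space), the ACRPublicIpDenyEffect description spells `Container Registires` and ends in a trailing space (as does the AFSPublicIpDenyEffect description), and the CosmosPublicIpDenyEffect description `"This policy denies that Cosmos database accounts are created with out public network access is disabled."` is not a sentence — `"This policy denies creation of Cosmos DB accounts unless public network access is disabled."` says what was meant. Separately, metadata.alzCloudEnvironments lists AzureCloud, AzureChinaCloud and AzureUSGovernment although this copy lives under lib/china; presumably each built-in policyDefinitionId referenced in policyDefinitions has been confirmed to exist in Azure China, since one missing built-in fails the whole initiative rather than a single policy, and that check is worth recording in the description. The file also ends without a trailing newline.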
@@ -0,0 +1,72 @@
+{
+ "ACRDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AFSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AFSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AKSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "BatchDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BatchPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "CosmosDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "KeyVaultDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MySQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "PostgreSQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "SqlServerDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "StorageDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StoragePublicIpDenyEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json
new file mode 100644
index 00000000..cfcc6a14
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json
@@ -0,0 +1,1819 @@ +{ + "name": "Deploy-Diagnostics-LogAnalytics", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Diagnostic Settings to Azure Services", + "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "metadata": { + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "displayName": "Log Analytics workspace", + "strongType": "omsWorkspace" + }, + "type": "String" + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "ACILogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled." 
+ } + }, + "ACRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled." + } + }, + "AKSLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled." + } + }, + "AnalysisServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIforFHIRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIMgmtLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ApplicationGatewayLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AutomationLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BastionLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BatchLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Batch to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CDNEndpointsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CognitiveServicesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CosmosLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DatabricksLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataExplorerClusterLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataFactoryLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeStoreLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeAnalyticsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridSubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventHubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventSystemTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ExpressRouteLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FirewallLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FrontDoorLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FunctionAppLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "HDInsightLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "IotHubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "KeyVaultLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LoadBalancerLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LogicAppsISELogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LogicAppsWFLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MariaDBLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MediaServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MlWorkspaceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MySQLLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkSecurityGroupsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkNICLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "PostgreSQLLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "PowerBIEmbeddedLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkPublicIPNicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "RedisCacheLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "RelayLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SearchServicesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ServiceBusLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SignalRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLDBsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLElasticPoolsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLMLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "StreamAnalyticsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "TimeSeriesInsightsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "TrafficManagerLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VirtualNetworkLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VirtualMachinesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VMSSLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VNetGWLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled." + } + }, + "AppServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AppServiceWebappLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AVDScalingPlansLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "WVDAppGroupsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "WVDWorkspaceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "WVDHostPoolsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "StorageAccountsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "StorageAccountDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + 
"groupNames": [] + }, + { + "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACILogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AKSLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIMgmtLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AutomationLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BastionDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BastionLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BatchLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventHubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"IotHubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "True" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RedisCacheLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RelayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SearchServicesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + 
"parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json new file mode 100644 index 00000000..0fc6d8aa --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json 
@@ -0,0 +1,818 @@ +{ + "ACIDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACILogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ACRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AKSDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AKSLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "APIforFHIRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "APIMgmtDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIMgmtLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AutomationDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AutomationLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BastionDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BastionLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BatchDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BatchLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + 
"value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CosmosDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DatabricksDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataFactoryDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridSubDeployDiagnosticLogDeployLogAnalytics": { + 
"parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ExpressRouteDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FirewallDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FrontDoorDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + 
} + } + }, + "FunctionAppDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "HDInsightDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "IotHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "KeyVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LoadBalancerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MariaDBDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MediaServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MySQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkNICDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "True" + } + } + }, + "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PostgreSQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RedisCacheDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RedisCacheLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RelayDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RelayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SearchServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ServiceBusDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SignalRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLMDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + } + } + }, + "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TrafficManagerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VMSSDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VNetGWDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + 
"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json new file mode 100644 index 00000000..5d33f709 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json 
@@ -0,0 +1,268 @@ +{ + "name": "Deploy-MDFC-Config", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Microsoft Defender for Cloud configuration", + "description": "Deploy Microsoft Defender for Cloud configuration", + "metadata": { + "version": "3.1.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Microsoft Defender for Cloud contact details" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." + } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." 
+ } + }, + "enableAscForCosmosDbs": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForDns": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServers": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForOssDb", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForOssDb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVM", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSqlOnVm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForAppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForAppServices')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForStorageAccounts", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForKeyVaults", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "parameters": { + "Effect": { + "value": "[[parameters('enableAscForKeyVault')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "defenderForDns", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForDns')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForArm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlPaas", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSql')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCosmosDbs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDbs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "securityEmailContact", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ascExport", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No 
newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json new file mode 100644 index 00000000..f1ea4df5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json @@ -0,0 +1,57 @@ +{ + "ascExport": { + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + "defenderForArm": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + } + }, + "defenderforContainers": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + } + }, + "defenderForDns": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForDns')]" + } + } + }, + "defenderForSqlPaas": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSql')]" + } + } + }, + "defenderForVM": { + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServers')]" + } + } + }, + "securityEmailContact": { + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json new file mode 100644 index 00000000..dd8d18bc --- /dev/null 
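Review bot: None of the eleven `enableAscFor*` effect parameters in `Deploy-MDFC-Config.json` declares `allowedValues` or a `defaultValue`, so an assignment can pass any string (a typo such as `Disable`) and the error only surfaces when the referenced built-in definition rejects it, while an assignment that omits the value is, as far as I know, refused outright. Constrain each parameter to what the referenced Defender definitions accept, e.g. `"allowedValues": ["DeployIfNotExists", "Disabled"],` plus `"defaultValue": "DeployIfNotExists"`, so the initiative itself rejects anything else and defaults to enforcement rather than leaving a Defender plan unset. A consistency nit in the same hunk: `defenderForKeyVaults` passes `Effect` while every other reference passes `effect`; Azure Policy appears to match parameter names case-insensitively, but spelling it `effect` throughout removes the doubt. Note also that `metadata.alzCloudEnvironments` lists all three clouds although this copy lives under `lib/china`; if the mc variant is meant to diverge from the public-cloud one, restricting that list to `AzureChinaCloud` documents the intent.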
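Review bot: This parameters map carries only seven reference ids (`ascExport`, `defenderForArm`, `defenderforContainers`, `defenderForDns`, `defenderForSqlPaas`, `defenderForVM`, `securityEmailContact`) while the `Deploy-MDFC-Config` set definition added just above declares thirteen, leaving `defenderForOssDb`, `defenderForSqlServerVirtualMachines`, `defenderForAppServices`, `defenderForStorageAccounts`, `defenderForKeyVaults` and `defenderForCosmosDbs` with no binding. If the Bicep module builds the initiative's child list from this file, those six Defender plans will quietly not be enabled in Azure China deployments even though the initiative's `enableAscFor*` parameters still advertise them; if they are omitted because the plans are unavailable in that cloud, record that where the next reader will find it (a README line beside this lib folder, since JSON has no comments) and drop the unused parameters and references from the set definition so the two files agree. Either way, a CI check that every `policyDefinitionReferenceId` in the `.json` has a key in the `.parameters.json`, and vice versa, would catch this kind of drift before a security-control set ships with gaps.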
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json 
@@ -0,0 +1,470 @@ +{ + "name": "Deploy-Private-DNS-Zones", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "azureFilePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureWebPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureBatchPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureBatchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAppPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAsrPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAsrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureIotPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone 
Identifier" + } + }, + "azureKeyVaultPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureKeyVaultPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSignalRPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureSignalRPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppServicesPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAppServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventGridTopicsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDiskAccessPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureDiskAccessPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureCognitiveServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotHubsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureIotHubsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridDomainsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventGridDomainsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureRedisCachePrivateDnsZoneId": { + "type": "string", + 
"metadata": { + "displayName": "azureRedisCachePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAcrPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAcrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventHubNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureServiceBusNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureCognitiveSearchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "effect1": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "deployIfNotExists", + "Disabled" + ], + "defaultValue": "deployIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": 
"DINE-Private-DNS-Azure-File-Sync", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureFileprivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAcrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json
new file mode 100644
index 00000000..0c0ca860
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json
@@ -0,0 +1,202 @@ +{ + "DINE-Private-DNS-Azure-ACR": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAcrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-App": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-AppServices": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Batch": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-CognitiveSearch": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-CognitiveServices": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-DiskAccess": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-EventGridDomains": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + "DINE-Private-DNS-Azure-EventGridTopics": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + 
"DINE-Private-DNS-Azure-EventHubNamespace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-File-Sync": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureFileprivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-IoT": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-IoTHubs": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + "DINE-Private-DNS-Azure-KeyVault": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-MachineLearningWorkspace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-RedisCache": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-ServiceBusNamespace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-SignalR": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Site-Recovery": { + 
"parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Web": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json new file mode 100644 index 00000000..4a22068f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json 
@@ -0,0 +1,134 @@ +{ + "name": "Deploy-Sql-Security", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy SQL Database built-in SQL security configuration", + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "metadata": { + "description": "The email address to send alerts", + "displayName": "The email address to send alerts" + }, + "type": "String" + }, + "vulnerabilityAssessmentsStorageID": { + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + }, + "type": "String" + }, + "SqlDbTdeDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database Transparent Data Encryption ", + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment" + } + }, + "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration" + } + }, + "SqlDbAuditingSettingsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + 
], + "metadata": { + "displayName": "Deploy SQL database auditing settings", + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment" + } + }, + "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "parameters": { + "effect": { + "value": 
"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json new file mode 100644 index 00000000..d954e7bc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json @@ -0,0 +1,36 @@ +{ + "SqlDbAuditingSettingsDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbSecurityAlertPoliciesDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbTdeDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbVulnerabilityAssessmentsDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json
new file mode 100644
index 00000000..ce2e374e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json
@@ -0,0 +1,640 @@ +{ + "name": "Enforce-EncryptTransit", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service API App. Latest TLS version should be used in your API App", + "description": "App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. 
Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "StorageHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. 
Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + 
"groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json
new file mode 100644
index 00000000..f0b39e61
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json
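Review bot: The `metadata` on `AppServiceHttpEffect` and `AppServiceTlsVersionEffect` appears swapped relative to the wiring in `policyDefinitions`: `AppServiceHttpEffect` (displayName about appending the TLS version selected below) drives `Append-AppService-httpsonly`, while `AppServiceTlsVersionEffect` (displayName about enabling https only) drives `Append-AppService-latestTLS` together with `minTlsVersion`, so whoever assigns this set will toggle the wrong control. Swap the two `metadata` blocks, or rename the parameters so name, metadata and `policyDefinitionId` agree. The parameter is declared as `StorageminimumTlsVersion` but referenced as `[[parameters('StorageMinimumTlsVersion')]` in both storage entries here and again in the accompanying `Enforce-EncryptTransit.parameters.json` hunk; I believe Azure Policy resolves parameter names case-insensitively, but the spelling should match so the reference survives linting or a future case-sensitive tool. The `PostgreSQLminimalTlsVersion` displayName and description still read "MySQL server", a copy-paste leftover. Separately, `TLSEnforcementDisabled` is an allowed value for the MySQL and PostgreSQL minimum-TLS parameters, so an assignment of a set named Enforce-EncryptTransit can switch TLS enforcement off entirely; consider dropping it from `allowedValues` or documenting in the parameter description why it is retained.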
@@ -0,0 +1,195 @@
+{
+ "AKSIngressHttpsOnlyEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSIngressHttpsOnlyEffect')]"
+ }
+ }
+ },
+ "APIAppServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceHttpsEffect')]"
+ }
+ }
+ },
+ "APIAppServiceLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceLatestTlsEffect')]"
+ }
+ }
+ },
+ "AppServiceHttpEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceHttpEffect')]"
+ }
+ }
+ },
+ "AppServiceminTlsVersion": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceTlsVersionEffect')]"
+ },
+ "minTlsVersion": {
+ "value": "[[parameters('AppServiceminTlsVersion')]"
+ }
+ }
+ },
+ "FunctionLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionLatestTlsEffect')]"
+ }
+ }
+ },
+ "FunctionServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionServiceHttpsEffect')]"
+ }
+ }
+ },
+ "MySQLEnableSSLDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "MySQLEnableSSLEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "PostgreSQLEnableSSLDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "PostgreSQLEnableSSLEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "RedisDenyhttps": {
+ "parameters": {
+ "effect": {
+ "value": 
"[[parameters('RedisTLSEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ }
+ },
+ "RedisdisableNonSslPort": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ }
+ }
+ },
+ "RedisTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLManagedInstanceTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLManagedInstanceTLSEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLServerTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ }
+ },
+ "SQLServerTLSEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ }
+ },
+ "StorageDeployHttpsEnabledEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ }
+ },
+ "StorageHttpsEnabledEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ }
+ },
+ "WebAppServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceHttpsEffect')]"
+ }
+ }
+ },
+ "WebAppServiceLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ 
"value": "[[parameters('WebAppServiceLatestTlsEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json
new file mode 100644
index 00000000..9bde2b19
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json
@@ -0,0 +1,365 @@ +{ + "name": "Enforce-Encryption-CMK", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "ACRCmkEffect": { + "metadata": { + "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "AksCmkEffect": { + "metadata": { + "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "WorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", + "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." + } + }, + "CognitiveServicesCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "CosmosCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "DataBoxCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", + "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." + } + }, + "StreamAnalyticsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." 
+ } + }, + "SynapseWorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." + } + }, + "StorageCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", + "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." + } + }, + "MySQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure MySQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." 
+ } + }, + "PostgreSQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "SqlServerTDECMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." + } + }, + "HealthcareAPIsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "disabled" + ], + "metadata": { + "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." 
+ } + }, + "AzureBatchCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Batch account should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." + } + }, + "EncryptedVMDisksEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." 
+ } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "ACRCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AksCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WorkspaceCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "parameters": { + "effect": { + "value": "[[parameters('CosmosCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataBoxCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "parameters": { + "effect": { + "value": 
"[[parameters('StreamAnalyticsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerTDECMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AzureBatchCMKEffect", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EncryptedVMDisksEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json new file mode 100644 index 00000000..343d3d54 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json 
@@ -0,0 +1,107 @@ +{ + "ACRCmkDeny": { + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + } + }, + "AksCmkDeny": { + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + } + }, + "AzureBatchCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + } + }, + "CognitiveServicesCMK": { + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + } + }, + "CosmosCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('CosmosCMKEffect')]" + } + } + }, + "DataBoxCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + } + }, + "EncryptedVMDisksEffect": { + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + } + }, + "HealthcareAPIsCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + } + }, + "MySQLCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + } + }, + "PostgreSQLCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + } + }, + "SqlServerTDECMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + } + }, + "StorageCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + } + }, + "StreamAnalyticsCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StreamAnalyticsCMKEffect')]" + } + } + }, + "SynapseWorkspaceCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + } + }, + "WorkspaceCMK": { + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + } + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json
new file mode 100644
index 00000000..a8c1cb18
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json
@@ -0,0 +1,59 @@
+{
+ "name": "Append-AppService-httpsonly",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "AppService append enable https only setting to enforce https setting.",
+ "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "notequals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": [
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
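Review bot: The description's closing sentence, `Please note Append does not enforce compliance use then deny.`, is ungrammatical and reads as an instruction rather than a caveat; suggest `Note that Append does not enforce compliance; use a Deny effect where enforcement is required.` The same sentence is reused in Append-AppService-latestTLS in the next hunk and should be fixed there too. The operator is spelled `notequals` here but `notEquals` in Append-KV-SoftDelete and Append-AppService-latestTLS; presumably the evaluator accepts both, but one spelling across the library is easier to lint and grep.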
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json
new file mode 100644
index 00000000..628ae5b6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json
@@ -0,0 +1,72 @@ +{ + "name": "Append-AppService-latestTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "AppService append sites with minimum TLS version to enforce.", + "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.", + "metadata": { + "version": "1.1.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Select version minimum TLS Web App config", + "description": "Select version minimum TLS version for a Web App config to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "exists": "true" + }, + { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "notEquals": "[parameters('minTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "value": "[parameters('minTlsVersion')]" + } + ] + } + } + } +} \ No newline at end of file 
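Review bot: The rule appends `[parameters('minTlsVersion')]` whenever the existing `minTlsVersion` merely differs from the parameter, so an assignment that selects `1.0` or `1.1` would push a site already on 1.2 down to a weaker protocol rather than leave it alone; listing `1.0` and `1.1` in `allowedValues` makes that misconfiguration a one-click choice. Either restrict `allowedValues` to `"1.2"` (and document in the parameter description that only the current minimum is offered) or, if the evaluator's string ordering is acceptable for these `1.x` values, replace `notEquals` with a less-than comparison so only sites below the minimum are touched. The order `1.2, 1.0, 1.1` also looks accidental; ascending or descending would read better. `"exists": "true"` is written as a string here while Audit-MachineLearning-PrivateEndpointId uses the boolean `false` for the same operator; one form across the library would be preferable.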
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json
new file mode 100644
index 00000000..9c3410d8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json
@@ -0,0 +1,50 @@
+{
+ "name": "Append-KV-SoftDelete",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "KeyVault SoftDelete should be enabled",
+ "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.KeyVault/vaults"
+ },
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "notEquals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "append",
+ "details": [
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json
new file mode 100644
index 00000000..ab9a451f
--- /dev/null
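Review bot: `then.effect` is the hard-coded string `"append"` and `parameters` is empty, whereas every other Append-* definition in this commit exposes an `effect` parameter with `Append`/`Disabled`; as written, the only way to switch this policy off for a scope is to delete the assignment. Suggest adding the same `effect` parameter block and referencing it from `then`, as shown below. The outer `anyOf` wraps a single `allOf` and can be dropped, and the description's `with out` should read `without`.
```json
 "parameters": {
   "effect": {
     "type": "String",
     "defaultValue": "Append",
     "allowedValues": [
       "Append",
       "Disabled"
     ],
     "metadata": {
       "displayName": "Effect",
       "description": "Enable or disable the execution of the policy"
     }
   }
 },
 "policyRule": {
   // … unchanged: "if" condition on Microsoft.KeyVault/vaults and enableSoftDelete …
   "then": {
     "effect": "[parameters('effect')]",
     // … unchanged: "details" appending enableSoftDelete = true …
```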
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json @@ -0,0 +1,63 @@ +{ + "name": "Append-Redis-disableNonSslPort", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", + "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "equals": "true" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "value": false + } + ] + } + } + } +} \ No newline at end of file 
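Review bot: The `description` and the `effect` parameter metadata are copied from the TLS-version definition — they talk about "enforce minimal Tls Version" and "minimum TLS version Azure Cache for Redis" — while this rule only sets `enableNonSslPort` to false; the text should describe that, e.g. `"description": "Appends enableNonSslPort = false to Azure Cache for Redis instances so that clients must connect over the TLS port."` and `"description": "Enable or disable the execution of the policy"` for the parameter. The condition uses `"equals": "true"` (a string) while `details` writes the boolean `false`; presumably the evaluator's comparison tolerates this, but `"equals": true` would match how the boolean is written in Append-AppService-httpsonly and Append-KV-SoftDelete. The `anyOf` around a single condition is redundant.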
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json
new file mode 100644
index 00000000..81742638
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json
@@ -0,0 +1,76 @@ +{ + "name": "Append-Redis-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for Redis server", + "description": "Select version minimum TLS version Azure Cache for Redis to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + 
"value": "[parameters('minimumTlsVersion')]" + } + ] + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json new file mode 100644 index 00000000..0f173379 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json 
@@ -0,0 +1,88 @@ +{ + "name": "Audit-AzureHybridBenefit", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Audit AHUB for eligible VMs", + "description": "Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "in": [ + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets" + ] + }, + { + "equals": "MicrosoftWindowsServer", + "field": "Microsoft.Compute/imagePublisher" + }, + { + "equals": "WindowsServer", + "field": "Microsoft.Compute/imageOffer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2022-*" + } + ] + }, + { + "field": "Microsoft.Compute/licenseType", + "notEquals": "Windows_Server" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json new file mode 100644 index 00000000..2b9535e8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json @@ -0,0 +1,69 @@ +{ + "name": "Audit-Disks-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Unused Disks driving cost should be avoided", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/disks" + }, + { + "field": "Microsoft.Compute/disks/diskState", + "equals": "Unattached" + }, + { + "allof": [ + { + "field": "name", + "notlike": "*-ASRReplica" + }, + { + "field": "name", + "notlike": "ms-asr-*" + }, + { + "field": "name", + "notlike": "asrseeddisk-*" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
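Review bot: The nested condition uses `allof` and `notlike` while the rest of this file and the other definitions in the commit use `allOf`/`notLike`; presumably evaluation is case-insensitive, but a consistent spelling is easier to lint. The inner `allof` is also redundant, since its three `name` conditions could sit directly in the outer `allOf`. The exclusion patterns `*-ASRReplica`, `ms-asr-*` and `asrseeddisk-*` are undocumented; if, as the names suggest, they exempt Site Recovery replica and seed disks, a sentence in the description such as `Disks created by Azure Site Recovery are excluded.` would spare the next maintainer from guessing.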
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json
new file mode 100644
index 00000000..217f9412
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json
@@ -0,0 +1,64 @@ +{ + "name": "Audit-MachineLearning-PrivateEndpointId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Control private endpoint connections to Azure Machine Learning", + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status", + "equals": "Approved" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id", + "exists": false + }, + { + "value": "[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]", + "notEquals": "[subscription().subscriptionId]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json new file mode 100644 index 00000000..21e247a0 
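Review bot: The cross-subscription test in the `value` condition compares only the subscription segment of `privateEndpoint.id` with `subscription().subscriptionId`, so an approved private endpoint that lives in another subscription of the same tenant (a connectivity or shared-services subscription, a normal landing-zone layout) is reported exactly like one from a foreign tenant. If the boundary the description cares about is the tenant, an array parameter of permitted subscription IDs checked with `"notIn": "[parameters('allowedSubscriptions')]"` would avoid that noise. The rule also only looks at connections whose state is `Approved`, so a pending request from an unknown tenant is invisible until someone approves it, and with the `Audit` default (the Deny-* siblings in this commit default to `Deny`) nothing stops that approval. The `concat(..., '//')` padding before `split` keeps index `[2]` in range when the id is empty; that is a nice touch that deserves a sentence in the description so it is not "simplified" away.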
--- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json 
@@ -0,0 +1,126 @@ +{ + "name": "Audit-PrivateLinkDnsZones", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Audit the creation of Private Link Private DNS Zones", + "description": "This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "privateLinkDnsZones": { + "type": "Array", + "metadata": { + "displayName": "Private Link Private DNS Zones", + "description": "An array of Private Link Private DNS Zones to check for the existence of in the assigned scope." 
+ }, + "defaultValue": [ + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + 
"privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + { + "field": "name", + "in": "[parameters('privateLinkDnsZones')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json new file mode 100644 index 00000000..ac9b4f18 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json 
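Review bot: The `privateLinkDnsZones` default list is made entirely of public-cloud zone names (`*.windows.net`, `*.azure.com`, `*.azure.net`), yet `alzCloudEnvironments` advertises the definition for `AzureChinaCloud` and `AzureUSGovernment`, where the Private Link zones use different suffixes (for example the blob zone is `privatelink.blob.core.chinacloudapi.cn` and `privatelink.blob.core.usgovcloudapi.net`). An assignment in those clouds that relies on the default will match nothing and report full compliance while rogue zones go unaudited. Either narrow `alzCloudEnvironments` to `AzureCloud` or add a sentence to the parameter description saying the default must be replaced with the sovereign-cloud zone names. The `in` comparison is case-insensitive, so case variants of a listed name are already covered.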
@@ -0,0 +1,89 @@ +{ + "name": "Audit-PublicIpAddresses-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Unused Public IP addresses driving cost should be avoided", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.network/publicIpAddresses" + }, + { + "field": "Microsoft.Network/publicIPAddresses/sku.name", + "notEquals": "Basic" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/natGateway", + "exists": false + }, + { + "value": "[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]", + "equals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/ipConfiguration", + "exists": false + }, + { + "value": "[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]", + "equals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/publicIPPrefix", + "exists": false + }, + { + "value": "[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No 
newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json new file mode 100644 index 00000000..0e006b85 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json @@ -0,0 +1,57 @@ +{ + "name": "Audit-ServerFarms-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Unused App Service plans driving cost should be avoided", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + { + "field": "Microsoft.Web/serverFarms/sku.tier", + "notEquals": "Free" + }, + { + "field": "Microsoft.Web/serverFarms/numberOfSites", + "equals": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json
new file mode 100644
index 00000000..1b072d72
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json
@@ -0,0 +1,56 @@
+{
+ "name": "Deny-AA-child-resources",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "No child resources in Automation Account",
+ "description": "This policy denies the creation of child resources on the Automation Account",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Automation",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "in": [
+ "Microsoft.Automation/automationAccounts/runbooks",
+ "Microsoft.Automation/automationAccounts/variables",
+ "Microsoft.Automation/automationAccounts/modules",
+ "Microsoft.Automation/automationAccounts/credentials",
+ "Microsoft.Automation/automationAccounts/connections",
+ "Microsoft.Automation/automationAccounts/certificates"
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
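Review bot: With `"mode": "Indexed"` this Deny will not fire for most of the types it lists, because Indexed mode evaluates only resource types that support tags and location, and as far as I can tell from the ARM schemas `variables`, `credentials`, `connections` and `certificates` under an Automation Account carry neither (runbooks and modules do). Switching to `"mode": "All"` makes the rule apply to every listed type; without that the credential and certificate stores, the places an attacker would most like to plant material, stay unguarded. The `in` list also omits child types that can run or trigger code, such as `Microsoft.Automation/automationAccounts/webhooks`, `.../schedules`, `.../jobSchedules`, `.../sourceControls` and the `python2Packages`/`python3Packages` types. If the goal is a locked-down management-subscription account, consider adding them or stating in the description why only these six are covered.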
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json
new file mode 100644
index 00000000..734e7996
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-AppGW-Without-WAF",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Application Gateway should be deployed with WAF enabled",
+ "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF enabled",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/applicationGateways"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sku.name",
+ "notequals": "WAF_v2"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
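Review bot: The rule checks only that `sku.name` is `WAF_v2` and never that a firewall is actually configured, so a WAF_v2 gateway deployed with `webApplicationFirewallConfiguration.enabled` set to `false` (or with no WAF policy attached) passes even though the display name promises "deployed with WAF enabled". Adding a second branch that the gateway either references a `firewallPolicy` or has the legacy configuration enabled closes that gap; the alias names below are the ones I expect, so please confirm them with `Get-AzPolicyAlias` before merging. A WAF policy left in Detection mode would still pass, which is a separate control. As a style nit, `notequals` here is lower-case while the sibling definitions use `notEquals`.
```json
"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.Network/applicationGateways"
    },
    {
      "anyOf": [
        {
          "field": "Microsoft.Network/applicationGateways/sku.name",
          "notEquals": "WAF_v2"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/applicationGateways/firewallPolicy.id",
              "exists": false
            },
            {
              "field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration.enabled",
              "notEquals": true
            }
          ]
        }
      ]
    }
  ]
},
```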
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json
new file mode 100644
index 00000000..52ebe3c0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json
@@ -0,0 +1,58 @@
+{
+ "name": "Deny-AppServiceApiApp-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "API App should only be accessible over HTTPS",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "like": "*api"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "equals": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
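Review bot: `"equals": "false"` on `Microsoft.Web/sites/httpsOnly` matches only when the request explicitly sets the property; a deployment that omits `httpsOnly` (the platform default is off) has no such field, the condition evaluates to false and the Deny never triggers, so the control is bypassed by simply not specifying the property. Change the condition to `"notEquals": "true"` so both an explicit `false` and an absent value are rejected. The `kind` pattern `*api` also assumes the kind string ends in `api`; if a Linux API app reports a compound kind such as `api,linux` it would be skipped, which is worth verifying against a real deployment before relying on this as a Deny.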
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json new file mode 100644 index 00000000..8a83e5d5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json @@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceFunctionApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Function App should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "functionapp*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
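Review bot: The `httpsOnly` condition `"equals": "false"` is satisfied only when the property is explicitly present in the request, so a Function App deployed without `httpsOnly` in the payload is not denied even though it comes up HTTP-reachable (the platform default is off). Use `"notEquals": "true"` so the absent case is denied as well. The `functionapp*` kind pattern does cover compound kinds such as `functionapp,linux`, so no change is needed there.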
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json new file mode 100644 index 00000000..d72db789 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json @@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceWebApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Web Application should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "app*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
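Review bot: `"equals": "false"` on `Microsoft.Web/sites/httpsOnly` leaves the common case uncovered: a web app created without the property at all is not matched (no field, so `equals` is false) and the Deny does not fire, although the site then accepts plain HTTP. `"notEquals": "true"` rejects both the explicit `false` and the omitted property. The `app*` kind pattern matches `app`, `app,linux` and `app,container`, which looks like the intent, but it also means this definition and the function-app one are disjoint only because `functionapp` does not start with `app`; a one-line note in the description would save the next reader from checking.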
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json new file mode 100644 index 00000000..0030e2af --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json @@ -0,0 +1,52 @@ +{ + "name": "Deny-Databricks-NoPublicIp", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny public IPs for Databricks cluster", + "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", + "notEquals": true + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json new file mode 100644 index 00000000..8e404a8a 
--- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json @@ -0,0 +1,52 @@ +{ + "name": "Deny-Databricks-Sku", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny non-premium Databricks sku", + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/sku.name", + "notEquals": "premium" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json new file mode 100644 index 00000000..7042d3a7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json 
@@ -0,0 +1,64 @@ +{ + "name": "Deny-Databricks-VirtualNetwork", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny Databricks workspaces without Vnet injection", + "description": "Enforces the use of vnet injection for Databricks workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value", + "exists": false + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json new file mode 100644 index 00000000..98ab40e1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-FileServices-InsecureAuth", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "File Services with insecure authentication methods should be denied", + "description": "This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "notAllowedAuthMethods": { + "type": "String", + "defaultValue": "NTLMv2", + "allowedValues": [ + "NTLMv2", + "Kerberos" + ], + "metadata": { + "displayName": "Authentication methods supported by server. Valid values are NTLMv2, Kerberos.", + "description": "The list of channelEncryption not allowed." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods", + "contains": "[parameters('notAllowedAuthMethods')]" + }, + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
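Review bot: The rule only catches storage accounts that explicitly list `NTLMv2` in `protocolSettings.smb.authenticationMethods`; when the property is absent, which is the normal case and leaves the service default that permits every method including NTLMv2, `contains` evaluates to false and nothing is denied, so the policy passes exactly the configurations it is meant to stop. An `anyOf` branch with `"exists": false` on that alias would make the absent case non-compliant too, though it would then flag the auto-created `default` file service on every account until it is configured. The `notAllowedAuthMethods` parameter also lists `Kerberos` as a permissible value to deny, which would leave NTLMv2 as the only method; consider restricting `allowedValues` to `NTLMv2`. The parameter `description` reads `The list of channelEncryption not allowed.`, a copy-paste from the channel-encryption definition, and should say `The SMB authentication methods not allowed.`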
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json new file mode 100644 index 00000000..54f7a9bf --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-FileServices-InsecureKerberos", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "File Services with insecure Kerberos ticket encryption should be denied", + "description": "This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "notAllowedKerberosTicketEncryption": { + "type": "String", + "defaultValue": "RC4-HMAC", + "allowedValues": [ + "RC4-HMAC", + "AES-256" + ], + "metadata": { + "displayName": "Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256.", + "description": "The list of kerberosTicketEncryption not allowed." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.kerberosTicketEncryption", + "contains": "[parameters('notAllowedKerberosTicketEncryption')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
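Review bot: `contains` on `protocolSettings.smb.kerberosTicketEncryption` matches only an explicit `RC4-HMAC`; an account with no `protocolSettings` block keeps the service default, which allows RC4-HMAC, yet is not flagged. If unconfigured accounts are in scope, add an `anyOf` with `"exists": false` on the alias. `allowedValues` also lets an assignment pick `AES-256` as the denied value, which would force RC4-HMAC only; limiting the list to `RC4-HMAC` removes that footgun. The parameter `displayName` is a full sentence while the `description` is a fragment, the reverse of the effect parameter's convention.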
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json new file mode 100644 index 00000000..572cc025 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json 
@@ -0,0 +1,67 @@ +{ + "name": "Deny-FileServices-InsecureSmbChannel", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "File Services with insecure SMB channel encryption should be denied", + "description": "This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "notAllowedChannelEncryption": { + "type": "String", + "defaultValue": "AES-128-CCM", + "allowedValues": [ + "AES-128-CCM", + "AES-128-GCM", + "AES-256-GCM" + ], + "metadata": { + "displayName": "SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.", + "description": "The list of channelEncryption not allowed." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption", + "contains": "[parameters('notAllowedChannelEncryption')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
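Review bot: The absent-property case is not covered: `contains` on `protocolSettings.smb.channelEncryption` is false when the storage account has no explicit `protocolSettings`, although the service default then still negotiates AES-128-CCM. An `anyOf` with `"exists": false` on the alias would catch that, at the cost of flagging every unconfigured default file service. The `allowedValues` for `notAllowedChannelEncryption` include `AES-256-GCM`, so a mis-set assignment could deny the strongest cipher while leaving AES-128-CCM allowed; restricting the list to the weak option, or documenting why it is open, would be safer.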
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json new file mode 100644 index 00000000..4f404699 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json 
@@ -0,0 +1,69 @@
+{
+ "name": "Deny-FileServices-InsecureSmbVersions",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "File Services with insecure SMB versions should be denied",
+ "description": "This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "allowedSmbVersion": {
+ "type": "String",
+ "defaultValue": "SMB3.1.1",
+ "allowedValues": [
+ "SMB2.1",
+ "SMB3.0",
+ "SMB3.1.1"
+ ],
+ "metadata": {
+ "displayName": "Allowed SMB Version",
+ "description": "The allowed SMB version for maximum security"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/fileServices"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions",
+ "contains": "[parameters('allowedSmbVersion')]"
+ }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json
new file mode 100644
index 00000000..49ce3ee7
--- /dev/null
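Review bot: The rule does not deny the insecure versions named in the description: it fires only when `protocolSettings.smb.versions` does not `contains` the single `allowedSmbVersion`, so a file service configured with a multi-valued setting that still lists `SMB3.1.1` (for example a value like `SMB2.1;SMB3.1.1`; confirm the field's format against the schema) is accepted even though SMB 2.1 remains enabled. To enforce what the displayName and description promise, the condition should deny when the field contains a disallowed version, e.g. replace the `not`/`contains` clause with an `anyOf` of `{ "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions", "contains": "SMB2.1" }` and the same for `SMB3.0`, driven by a `notAllowedSmbVersions` array parameter. That would also make this definition consistent with its sibling Deny-FileServices-InsecureSmbChannel, which is written as a deny-list.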
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json
@@ -0,0 +1,64 @@
+{
+ "name": "Deny-MachineLearning-Aks",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny AKS cluster creation in Azure Machine Learning",
+ "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+ "equals": "AKS"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId",
+ "exists": false
+ },
+ {
+ "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]",
+ "equals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json
new file mode 100644
index 00000000..bec5271b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json
@@ -0,0 +1,67 @@
+{
+ "name": "Deny-MachineLearning-Compute-SubnetId",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances",
+ "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+ "in": [
+ "AmlCompute",
+ "ComputeInstance"
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/subnet.id",
+ "exists": false
+ },
+ {
+ "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]",
+ "equals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json
new file mode 100644
index 00000000..3574f722
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json
@@ -0,0 +1,148 @@ +{ + "name": "Deny-MachineLearning-Compute-VmSize", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", + "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", + "metadata": { + "version": "1.0.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "allowedVmSizes": { + "type": "Array", + "metadata": { + "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances", + "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances" + }, + "defaultValue": [ + "Standard_D1_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_DS1_v2", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_M8-2ms", + "Standard_M8-4ms", + "Standard_M8ms", + "Standard_M16-4ms", + "Standard_M16-8ms", + "Standard_M16ms", + "Standard_M32-8ms", + "Standard_M32-16ms", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M32ts", + "Standard_M64-16ms", + "Standard_M64-32ms", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64s", + "Standard_M128-32ms", + "Standard_M128-64ms", + "Standard_M128ms", + "Standard_M128s", + "Standard_M64", + "Standard_M64m", + "Standard_M128", + "Standard_M128m", + 
"Standard_D1", + "Standard_D2", + "Standard_D3", + "Standard_D4", + "Standard_D11", + "Standard_D12", + "Standard_D13", + "Standard_D14", + "Standard_DS15_v2", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F72s_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + "Standard_NC24rs_v3", + "Standard_NC24s_v3", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24rs", + "Standard_ND24s", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24rs_v2", + "Standard_NC24s_v2", + "Standard_ND40rs_v2", + "Standard_NV12s_v3", + "Standard_NV24s_v3", + "Standard_NV48s_v3" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize", + "notIn": "[parameters('allowedVmSizes')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json new file mode 100644 index 00000000..32bd4269 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json 
@@ -0,0 +1,64 @@
+{
+ "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny public access of Azure Machine Learning clusters via SSH",
+ "description": "Deny public access of Azure Machine Learning clusters via SSH.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+ "equals": "AmlCompute"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess",
+ "exists": false
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json
new file mode 100644
index 00000000..3e285514
--- /dev/null
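Review bot: The rule is scoped to `computeType` `AmlCompute`, so compute instances, which also expose SSH, are not evaluated by this definition at all; the displayName `"Deny public access of Azure Machine Learning clusters via SSH"` is literally accurate, but the sibling definitions in this commit cover both `AmlCompute` and `ComputeInstance` and a reader may assume the same here. Compute instances carry the equivalent setting under `sshSettings.sshPublicAccess` (confirm the property path against the API version in use); either add a second branch for `ComputeInstance` that checks that property, or add a sentence to the description stating that compute instances are out of scope. The `exists: false` plus `notEquals: "Disabled"` pair is the right shape, since it also catches an unset value instead of relying on the service default.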
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json 
@@ -0,0 +1,92 @@ +{ + "name": "Deny-MachineLearning-ComputeCluster-Scale", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforce scale settings for Azure Machine Learning compute clusters", + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "metadata": { + "version": "1.0.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "maxNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Count", + "description": "Specifies the maximum node count of AML Clusters" + }, + "defaultValue": 10 + }, + "minNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Node Count", + "description": "Specifies the minimum node count of AML Clusters" + }, + "defaultValue": 0 + }, + "maxNodeIdleTimeInSecondsBeforeScaleDown": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", + "description": "Specifies the maximum node idle time in seconds before scaledown" + }, + "defaultValue": 900 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount", + "greater": "[parameters('maxNodeCount')]" + }, + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount", + "greater": "[parameters('minNodeCount')]" + }, + { + "value": "[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]", + "greater": "[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json new file mode 100644 index 00000000..f7e0aa88 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json 
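Review bot: The idle-time condition compares only the last numeric component of `scaleSettings.nodeIdleTimeBeforeScaleDown` against `maxNodeIdleTimeInSecondsBeforeScaleDown`: the nested `replace` calls turn every ISO 8601 designator into `/` (and strip `S`), then `int(last(split(..., '/')))` is taken, so a value such as `PT1H0S` evaluates to `0` and is accepted even though it exceeds the 900-second default, while `PT30M` leaves an empty trailing element and `int('')` is likely to fail at evaluation time rather than deny cleanly. The expression should convert the duration to total seconds (hours times 3600 plus minutes times 60 plus seconds) before the `greater` comparison, or the definition should state that only `PT<n>S` values are supported. The parameter description `"Specifies the maximum node idle time in seconds before scaledown"` should also name the field format it is compared against, since an evaluation error will surface to users as an opaque policy failure.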
@@ -0,0 +1,60 @@
+{
+ "name": "Deny-MachineLearning-HbiWorkspace",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Enforces high business impact Azure Machine Learning Workspaces",
+ "description": "Enforces high business impact Azure Machine Learning workspaces.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace",
+ "exists": false
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace",
+ "notEquals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json
new file mode 100644
index 00000000..6cb2c16a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json
@@ -0,0 +1,60 @@
+{
+ "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny public access behind vnet to Azure Machine Learning workspace",
+ "description": "Deny public access behind vnet to Azure Machine Learning workspaces.",
+ "metadata": {
+ "version": "1.0.1",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet",
+ "exists": false
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet",
+ "notEquals": false
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json
new file mode 100644
index 00000000..c31c8140
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json
@@ -0,0 +1,53 @@
+{
+ "name": "Deny-MachineLearning-PublicNetworkAccess",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated] Azure Machine Learning should have disabled public network access",
+ "description": "Denies public network access for Azure Machine Learning workspaces.",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json
new file mode 100644
index 00000000..86e8a847
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json
@@ -0,0 +1,254 @@ +{ + "name": "Deny-MgmtPorts-From-Internet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Management port access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows management port access from the Internet", + "metadata": { + "version": "2.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ports": { + "type": "Array", + "metadata": { + "displayName": "Ports", + "description": "Ports to be blocked" + }, + "defaultValue": [ + "22", + "3389" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "in": "[parameters('ports')]" + }, + { + "count": { + "value": "[parameters('ports')]", + "where": { + "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), 
and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notIn": "[parameters('ports')]" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } 
+ ] + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "in": "[parameters('ports')]" + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), 
'-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notIn": "[parameters('ports')]" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json new file mode 100644 index 00000000..a8da0438 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json 
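Review bot: The source-side match on both branches recognises only `*` and `Internet` as "from the Internet" (the `sourceAddressPrefix` `equals` clauses and the `sourceAddressPrefixes[*]` `not`/`notEquals` pairs), so an inbound allow rule whose source is `0.0.0.0/0` or `::/0` is not caught even though it exposes the same management ports to the Internet. At minimum add those two prefixes next to `Internet` in each `anyOf`, e.g. `{ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "0.0.0.0/0" }` plus the matching `not`/`notEquals` clause for the array form, in both the `securityRules` sub-resource branch and the `networkSecurityGroups` `count` branch. Separately, `ports` is an `Array` of strings (`"22"`, `"3389"`) because `destinationPortRange` is a string and the range-expansion `count` expressions call `int(current('ports'))` on each element; the parameter description `"Ports to be blocked"` should say the values must be strings so that assignments passing integers do not silently change the `in`/`notIn` matches.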
@@ -0,0 +1,80 @@
+{
+ "name": "Deny-MySql-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "MySQL database servers enforce SSL connections.",
+ "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "Select version minimum TLS for MySQL server",
+ "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "notEquals": "Enabled"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json
new file mode 100644
index 00000000..fb396d6a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json
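Review bot: `"exists": "false"` is given as the string `"false"` and the TLS condition uses lower-case `notequals`, whereas every other definition in this commit writes `"exists": false` and `notEquals`; the same two spellings appear in Deny-PostgreSql-http. Even where the evaluator tolerates them, the inconsistency invites copy-paste drift and should be normalised to `"exists": false` and `"notEquals"` in both files. The `minimalTlsVersion` check is an exact inequality against the parameter, so an assignment left at the `TLS1_2` default will also deny a server configured with any newer value the service may add later; the parameter description should state that only the exact selected value is accepted, or the comparison should be restructured as a `notIn` over the versions that are acceptable.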
@@ -0,0 +1,80 @@ +{ + "name": "Deny-PostgreSql-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "PostgreSQL database servers enforce SSL connection.", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "exists": "false" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notequals": 
"[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json new file mode 100644 index 00000000..643df1d5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json @@ -0,0 +1,46 @@ +{ + "name": "Deny-Private-DNS-Zones", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny the creation of private DNS", + "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json new file mode 100644 index 00000000..eea5b4fb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json @@ -0,0 +1,55 @@ +{ + "name": "Deny-PublicEndpoint-MariaDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Public network access should be disabled for MariaDB", + "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints", + "metadata": { + "version": "1.0.0-deprecated", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + { + "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess", + "notequals": "Disabled" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json new file mode 100644 index 00000000..7c8acd8e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json @@ -0,0 +1,47 @@ +{ + "name": "Deny-PublicIP", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deny the creation of public IP", + "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope.", + "metadata": { + "deprecated": true, + "version": "1.0.0-deprecated", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/publicIPAddresses" + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json new file mode 100644 index 00000000..a4efda10 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json 
@@ -0,0 +1,125 @@ +{ + "name": "Deny-RDP-From-Internet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "[Deprecated] RDP access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superceded by new custom ALZ policy 'Deny-MgmtPorts-From-Internet'.", + "metadata": { + "deprecated": true, + "version": "1.0.1-deprecated", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "3389" + }, + { + "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), 
'-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]", + "equals": "true" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "3389" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
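Review bot: The source-side `anyOf` matches only `*` and `Internet`, so an inbound allow rule for 3389 whose `sourceAddressPrefix` is `0.0.0.0/0` (or `::/0`), which is equally open to the Internet, is not caught; add `{ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "0.0.0.0/0" }` beside the existing two and mirror it in the `sourceAddressPrefixes[*]` checks. The `count.where` expression also uses `first(field('…destinationPortRanges[*]'))`; if `field()` with a `[*]` alias returns the whole array inside a template function, as the existence of `current()` suggests, only the first range is ever inspected and a rule listing `["80", "3000-4000"]` slips through, whereas `current()` addresses the member being enumerated. Since this definition is marked deprecated in favour of `Deny-MgmtPorts-From-Internet`, the important thing is that the replacement does not inherit these gaps.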
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json
new file mode 100644
index 00000000..73d491ad
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json
@@ -0,0 +1,75 @@ +{ + "name": "Deny-Redis-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis only secure connections should be enabled", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "metadata": { + "version": "1.0.0", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select minumum TLS version for Azure Cache for Redis.", + "description": "Select minimum TLS version for Azure Cache for Redis." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "equals": "true" + }, + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
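Review bot: `minimumTlsVersion` is presented as a minimum but compared with `notequals`, an exact match, so an assignment that sets the floor to `1.1` denies a cache already configured for `1.2`, the stronger setting; for the dotted `1.x` strings a string-ordered `"less": "[parameters('minimumTlsVersion')]"` encodes the floor and still catches `1.0`/`1.1` under the default `1.2`. The description opens with "Audit enabling of…" while the default effect is `Deny`; it should say the policy denies (or audits, depending on effect) caches with the non-SSL port enabled or a TLS floor below the parameter. Unlike the SQL definitions in this change there is no `exists: false` clause for `minimumTlsVersion`; if create requests that omit the property are meant to be rejected, adding that clause makes the intent explicit instead of relying on how `notEquals` treats a missing field.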
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json
new file mode 100644
index 00000000..f859443e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json
@@ -0,0 +1,75 @@ +{ + "name": "Deny-Sql-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit" + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "exists": "false" + }, + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
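Review bot: The `minimalTlsVersion` comparison uses `notequals`, an exact match, so a server whose setting is above the parameter (Azure SQL accepts `1.3` on current API versions) is flagged against the default `1.2`, and an assignment pinned to `1.1` flags servers already on `1.2`. A floor is better expressed with `less` on these dotted strings, but the SQL value `None` (enforcement disabled) sorts after `1.2` as a string and needs its own `equals` clause, as in the rewritten `anyOf` below. Separately, the definition is named `Deny-Sql-minTLS` and its display name demands the highest version, yet the effect defaults to `Audit` while the other `Deny-*` definitions in this change default to `Deny`, and `allowedValues` still offers `1.0` and `1.1`; if deliberate, the description should say so. The description also misspells `reccomended` and `vunerabilities`.
```json
{
  "anyOf": [
    {
      "field": "Microsoft.Sql/servers/minimalTlsVersion",
      "exists": "false"
    },
    {
      "field": "Microsoft.Sql/servers/minimalTlsVersion",
      "equals": "None"
    },
    {
      "field": "Microsoft.Sql/servers/minimalTlsVersion",
      "less": "[parameters('minimalTlsVersion')]"
    }
  ]
}
```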
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json
new file mode 100644
index 00000000..951d1ac1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json
@@ -0,0 +1,75 @@ +{ + "name": "Deny-SqlMi-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit" + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "exists": "false" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
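Review bot: `minimalTlsVersion` is compared with `notequals`, so the parameter is an exact required version rather than the minimum the display name implies: an assignment set to `1.1` flags managed instances already on `1.2`, and any value the service accepts above `1.2` would be flagged against the default. Expressing the floor with `less` works for the dotted strings, but the `None` value (enforcement disabled) sorts after `1.2` and must be matched explicitly, hence the rewritten `anyOf` below. The effect defaults to `Audit` although the definition is named `Deny-SqlMi-minTLS` and the sibling `Deny-*` definitions default to `Deny`; the description should state the intended default, and the `minimalTlsVersion` metadata still says "SQL server" rather than "SQL Managed Instance".
```json
{
  "anyOf": [
    {
      "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
      "exists": "false"
    },
    {
      "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
      "equals": "None"
    },
    {
      "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
      "less": "[parameters('minimalTlsVersion')]"
    }
  ]
}
```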
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json new file mode 100644 index 00000000..9e3cc66e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json @@ -0,0 +1,54 @@ +{ + "name": "Deny-Storage-SFTP", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Storage Accounts with SFTP enabled should be denied", + "description": "This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "field": "Microsoft.Storage/storageAccounts/isSftpEnabled", + "equals": "true" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json new file mode 100644 index 00000000..5b10d486 
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json
@@ -0,0 +1,91 @@ +{ + "name": "Deny-Storage-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[requestContext().apiVersion]", + "less": "2019-04-01" + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "exists": "false" + } + ] + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "false" + }, + { + "field": 
"Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json new file mode 100644 index 00000000..d49e0339 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json 
@@ -0,0 +1,62 @@ +{ + "name": "Deny-StorageAccount-CustomDomain", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts with custom domains assigned should be denied", + "description": "This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/customDomain", + "exists": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/customDomain.useSubDomainName", + "equals": "true" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json new file mode 100644 index 00000000..73ec47e2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json 
@@ -0,0 +1,100 @@ +{ + "name": "Deny-Subnet-Without-Nsg", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets should have a Network Security Group", + "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", + "metadata": { + "version": "2.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", + "exists": "false" + } + ] + } + ] + }, 
+ "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json new file mode 100644 index 00000000..df42479e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json 
@@ -0,0 +1,101 @@ +{ + "name": "Deny-Subnet-Without-Penp", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets without Private Endpoint Network Policies enabled should be denied", + "description": "This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet", + "AzureBastionSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + 
"notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies", + "notEquals": "Enabled" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json new file mode 100644 index 00000000..7bc81d04 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json 
@@ -0,0 +1,98 @@ +{ + "name": "Deny-Subnet-Without-Udr", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets should have a User Defined Route", + "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", + "metadata": { + "version": "2.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "AzureBastionSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
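Review bot: The `excludedSubnets` default excludes only `AzureBastionSubnet`, while the Deny-Subnet-Without-Penp definition in this same change excludes GatewaySubnet, AzureFirewallSubnet and AzureFirewallManagementSubnet too; with `Deny` as the default effect, a hub deployment under this assignment must attach a route table to those subnets or extend the parameter, and nothing in the `description` says so. Add to the policy description `Platform subnets other than AzureBastionSubnet are in scope; extend 'excludedSubnets' if hub subnets under the assigned scope must stay unrouted.`, or align the default list with the Penp definition if the difference is unintentional. Minor consistency point: `exists` is given as the string `"false"` here and in both branches, whereas Deny-VNET-Peering-To-Non-Approved-VNETs uses the boolean `false`; both forms work, but the library should pick one.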
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json new file mode 100644 index 00000000..fecf3c36 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json 
@@ -0,0 +1,87 @@ +{ + "name": "Deny-UDR-With-Specific-NextHop", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied", + "description": "This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedDestinations": { + "type": "Array", + "metadata": { + "displayName": "Excluded Destinations", + "description": "Array of route destinations that are to be denied" + }, + "defaultValue": [ + "Internet", + "VirtualNetworkGateway" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/routeTables", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]", + "where": { + "field": "Microsoft.Network/routeTables/routes[*].nextHopType", + "in": "[parameters('excludedDestinations')]" + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/routeTables/routes" + }, + { + "field": "Microsoft.Network/routeTables/routes/nextHopType", + "in": "[parameters('excludedDestinations')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
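Review bot: The parameter named `excludedDestinations` ("Excluded Destinations") holds the next hop types that are denied, which is the opposite of what its name and display name suggest, and the values are matched against `nextHopType`, not against a route destination. Renaming the parameter would change the assignment interface, so keep the name but fix the metadata: `"displayName": "Denied next hop types"` and `"description": "Array of next hop type values that are denied in user defined routes"`. A one-line note in the `description` that the parameter is kept for assignment compatibility would stop the next maintainer from "fixing" the name.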
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json new file mode 100644 index 00000000..d9d6dd82 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json @@ -0,0 +1,54 @@ +{ + "name": "Deny-VNET-Peer-Cross-Sub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering cross subscription.", + "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notcontains": "[subscription().id]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json new file mode 100644 index 00000000..e7f4e9fb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json 
@@ -0,0 +1,88 @@ +{ + "name": "Deny-VNET-Peering-To-Non-Approved-VNETs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering to non-approved vNets", + "description": "This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "allowedVnets": { + "type": "Array", + "metadata": { + "displayName": "Allowed vNets to peer with", + "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. 
Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" + }, + "defaultValue": [] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "exists": false + } + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json new file mode 100644 index 00000000..bf1536fe --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json 
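Review bot: `allowedVnets` defaults to `[]` while `effect` defaults to `Deny`, so an assignment that takes the defaults blocks every peering under its scope; that is a safe default, but the parameter description should state it, e.g. append `An empty list denies all peerings.` to the `allowedVnets` description. The second `allOf` branch relies on negating `[*]` alias conditions (`not … in` and `not … exists: false`), which appears to mean "at least one peering is present and at least one is not in the list", but that reading depends on alias-evaluation semantics the file does not explain; the `count` form used by the subnet policies in this change would make the intent explicit, or at least a sentence in the description should spell out what the VNet-level branch is for. `exists` is a boolean here and a string in the UDR definition; pick one form for the library.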
@@ -0,0 +1,46 @@ +{ + "name": "Deny-VNet-Peering", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering ", + "description": "This policy denies the creation of vNet Peerings under the assigned scope.", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json new file mode 100644 index 00000000..fc32cb2b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json 
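Review bot: The `displayName` value `"Deny vNet peering "` carries a trailing space, which shows up in the portal and in any exact-match filtering on display names; change it to `"displayName": "Deny vNet peering"`. Everything else in the hunk is consistent with the other deny definitions in this change.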
@@ -0,0 +1,155 @@ +{ + "name": "Deploy-ASC-SecurityContacts", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Microsoft Defender for Cloud Security Contacts", + "description": "Deploy Microsoft Defender for Cloud Security Contacts", + "metadata": { + "version": "1.1.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Azure Security Center contact details" + } + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalSeverity": { + "type": "string", + "defaultValue": "High", + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "metadata": { + "displayName": "Minimal severity", + "description": "Defines the minimal alert severity which will be sent as email notifications" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Security/securityContacts", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/securityContacts/email", + "contains": "[parameters('emailSecurityContact')]" + }, + { + "field": 
"Microsoft.Security/securityContacts/alertNotifications.minimalSeverity", + "contains": "[parameters('minimalSeverity')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/securityContacts" + }, + { + "field": "Microsoft.Security/securityContacts/alertNotifications", + "equals": "On" + }, + { + "field": "Microsoft.Security/securityContacts/alertsToAdmins", + "equals": "On" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[parameters('minimalSeverity')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Security contacts email address" + } + }, + "minimalSeverity": { + "type": "string", + "metadata": { + "description": "Minimal severity level reported" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/securityContacts", + "name": "default", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "[parameters('emailSecurityContact')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "[parameters('minimalSeverity')]" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Budget.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Budget.json new file mode 100644 index 00000000..127bdb0f --- /dev/null 
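Review bot: The deployment `location` is hard-coded to `northeurope` while `alzCloudEnvironments` lists AzureChinaCloud and AzureUSGovernment, where that region does not exist; unless the build pipeline substitutes the location per cloud, remediation deployments in those clouds will fail, and the same pattern appears in the Deploy-Budget and Deploy-DDoSProtection hunks below. If substitution is done elsewhere, say so in a metadata note; otherwise the location needs to be a parameter or derived per cloud. Separately, the `existenceCondition` requires `alertsToAdmins equals On`, but the deployed `2020-01-01-preview` resource sets `notificationsByRole` rather than `alertsToAdmins`; if that alias does not map onto the new property the condition is never satisfied and the DeployIfNotExists effect re-fires on every evaluation, so this is worth verifying against a remediated subscription. Also note `"type": "string"` here versus `"String"` in the other definitions.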
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Budget.json 
@@ -0,0 +1,238 @@ +{ + "name": "Deploy-Budget", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy a default budget on all subscriptions under the assigned scope", + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "metadata": { + "version": "1.1.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "description": "Enable or disable the execution of the policy" + } + }, + "budgetName": { + "type": "String", + "defaultValue": "budget-set-by-policy", + "metadata": { + "description": "The name for the budget to be created" + } + }, + "amount": { + "type": "String", + "defaultValue": "1000", + "metadata": { + "description": "The total amount of cost or usage to track with the budget" + } + }, + "timeGrain": { + "type": "String", + "defaultValue": "Monthly", + "allowedValues": [ + "Monthly", + "Quarterly", + "Annually", + "BillingMonth", + "BillingQuarter", + "BillingAnnual" + ], + "metadata": { + "description": "The time covered by a budget. Tracking of the amount will be reset based on the time grain." + } + }, + "firstThreshold": { + "type": "String", + "defaultValue": "90", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000." + } + }, + "secondThreshold": { + "type": "String", + "defaultValue": "100", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. 
It is always percent and has to be between 0 and 1000." + } + }, + "contactRoles": { + "type": "Array", + "defaultValue": [ + "Owner", + "Contributor" + ], + "metadata": { + "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactEmails": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactGroups": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Consumption/budgets", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Consumption/budgets/amount", + "equals": "[parameters('amount')]" + }, + { + "field": "Microsoft.Consumption/budgets/timeGrain", + "equals": "[parameters('timeGrain')]" + }, + { + "field": "Microsoft.Consumption/budgets/category", + "equals": "Cost" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "budgetName": { + "value": "[parameters('budgetName')]" + }, + "amount": { + "value": "[parameters('amount')]" + }, + "timeGrain": { + "value": "[parameters('timeGrain')]" + }, + "firstThreshold": { + "value": "[parameters('firstThreshold')]" + }, + "secondThreshold": { + "value": "[parameters('secondThreshold')]" + }, + "contactEmails": { + "value": 
"[parameters('contactEmails')]" + }, + "contactRoles": { + "value": "[parameters('contactRoles')]" + }, + "contactGroups": { + "value": "[parameters('contactGroups')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "budgetName": { + "type": "String" + }, + "amount": { + "type": "String" + }, + "timeGrain": { + "type": "String" + }, + "firstThreshold": { + "type": "String" + }, + "secondThreshold": { + "type": "String" + }, + "contactEmails": { + "type": "Array" + }, + "contactRoles": { + "type": "Array" + }, + "contactGroups": { + "type": "Array" + }, + "startDate": { + "type": "String", + "defaultValue": "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Consumption/budgets", + "apiVersion": "2019-10-01", + "name": "[parameters('budgetName')]", + "properties": { + "timePeriod": { + "startDate": "[parameters('startDate')]" + }, + "timeGrain": "[parameters('timeGrain')]", + "amount": "[parameters('amount')]", + "category": "Cost", + "notifications": { + "NotificationForExceededBudget1": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('firstThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + }, + "NotificationForExceededBudget2": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('secondThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + } + } + } + } + ] + } + } + } + } + } + } + } +} \ No newline at end of file 
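Review bot: The `existenceCondition` matches any budget whose `amount`, `timeGrain` and `category` equal the parameters and never looks at `budgetName`, so a pre-existing budget with the same values suppresses the deployment while a differently sized budget that happens to be named `budget-set-by-policy` does not. If that is intended, say so in the `budgetName` description, e.g. `Name used when the policy creates the budget; existence is checked by amount and timeGrain, not by name`. `amount`, `firstThreshold` and `secondThreshold` are `String` parameters forwarded to numeric budget properties, and the threshold descriptions promise a 0–1000 range that nothing enforces; a note that the values are passed through unvalidated would help assigners.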
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json new file mode 100644 index 00000000..29bef0fc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json 
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Custom-Route-Table", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy a route table with specific user defined routes", + "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "requiredRoutes": { + "type": "Array", + "metadata": { + "displayName": "requiredRoutes", + "description": "Routes that must exist in compliant route tables deployed by this policy" + } + }, + "vnetRegion": { + "type": "String", + "metadata": { + "displayName": "vnetRegion", + "description": "Only VNets in this region will be evaluated against this policy" + } + }, + "routeTableName": { + "type": "String", + "metadata": { + "displayName": "routeTableName", + "description": "Name of the route table automatically deployed by this policy" + } + }, + "disableBgpPropagation": { + "type": "Boolean", + "metadata": { + "displayName": "DisableBgpPropagation", + "description": "Disable BGP Propagation" + }, + "defaultValue": false + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "field": "location", + "equals": "[parameters('vnetRegion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Network/routeTables", + "existenceCondition": { + "allOf": [ + { + "field": "name", + "equals": "[parameters('routeTableName')]" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]", + "where": { + "value": "[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]", + "in": "[parameters('requiredRoutes')]" + } + }, + "equals": "[length(parameters('requiredRoutes'))]" + } + ] + }, + "roleDefinitionIds": [ + "/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "variables": { + "copyLoop": [ + { + "name": "routes", + "count": "[[length(parameters('requiredRoutes'))]", + "input": { + "name": "[[concat('route-',copyIndex('routes'))]", + "properties": { + "addressPrefix": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]", + "nextHopType": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]", + "nextHopIpAddress": "[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]" + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "routeTableDepl", 
+ "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2021-02-01", + "name": "[[parameters('routeTableName')]", + "location": "[[parameters('vnetRegion')]", + "properties": { + "disableBgpRoutePropagation": "[[parameters('disableBgpPropagation')]", + "copy": "[variables('copyLoop')]" + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json new file mode 100644 index 00000000..85255130 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json 
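Review bot: `roleDefinitionIds` in this hunk uses a subscription-scoped role definition ID, `/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7`, while every other definition in this change uses the tenant-level form, and Deploy-DDoSProtection references the very same role GUID as `/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7`. In any tenant that does not contain that subscription the role assignment for the policy's managed identity cannot be created and remediation fails, and shipping a specific subscription ID in a reusable library is a leak in its own right. Replace the entry with `"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"`. The `description` should also mention that the route table is created in the VNet's resource group and must be associated manually, which it already hints at; the policy's `Indexed` mode on `Microsoft.Network/virtualNetworks` is consistent with the other DeployIfNotExists definitions here.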
@@ -0,0 +1,150 @@ +{ + "name": "Deploy-DDoSProtection", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy an Azure DDoS Network Protection", + "description": "Deploys an Azure DDoS Network Protection", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "ddosName": { + "type": "String", + "metadata": { + "displayName": "ddosName", + "description": "DDoSVnet" + } + }, + "ddosRegion": { + "type": "String", + "metadata": { + "displayName": "ddosRegion", + "description": "DDoSVnet location", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/ddosProtectionPlans", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "resourceGroupName": "[parameters('rgName')]", + "name": "[parameters('ddosName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[parameters('rgName')]" + }, + "ddosname": { + "value": "[parameters('ddosname')]" + }, + 
"ddosregion": { + "value": "[parameters('ddosRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "ddosname": { + "type": "String" + }, + "ddosRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "ddosprotection", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-12-01", + "name": "[parameters('ddosName')]", + "location": "[parameters('ddosRegion')]", + "properties": {} + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json new file mode 100644 index 00000000..fee8ee21 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json 
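Review bot: The parameter names drift in case across this hunk: the policy declares `ddosName` and `ddosRegion`, the deployment `parameters` block passes `ddosname` (via `[parameters('ddosname')]`) and `ddosregion`, and the template declares `ddosname` and `ddosRegion`. ARM and Policy presumably treat parameter names case-insensitively, so this looks harmless at runtime, but it reads as three different parameters; align everything to `ddosName` and `ddosRegion`. The `ddosName` description is just `DDoSVnet`, which names nothing — use `Name of the DDoS protection plan to create`. The hard-coded `northeurope` deployment location raised on the Deploy-ASC-SecurityContacts hunk applies here as well, since this definition also lists AzureChinaCloud and AzureUSGovernment.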
@@ -0,0 +1,201 @@ +{ + "name": "Deploy-Diagnostics-AA", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "JobLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "JobStreams", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DscNodeStatus", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AuditEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json new file mode 100644 index 00000000..2ab193db --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json 
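Review bot: The `existenceCondition` requires `logs.enabled` and `metrics.enabled` to equal `"true"` unconditionally, while the deployed setting takes its values from `logsEnabled` / `metricsEnabled`; an assignment with either parameter set to `False` deploys a setting that can never satisfy the condition, so the resource stays non-compliant and remediation re-runs on every evaluation. Tie the condition to the parameters, e.g. `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"` (Policy's `equals` is case-insensitive, so `True`/`False` should compare against the boolean field, but verify with a test assignment before relying on it). The same pattern appears in Deploy-Diagnostics-ACR, Deploy-Diagnostics-APIMgmt, Deploy-Diagnostics-AnalysisService and Deploy-Diagnostics-ApiForFHIR (logs and metrics), Deploy-Diagnostics-ACI (metrics only) and Deploy-Diagnostics-AVDScalingPlans (logs only).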
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-ACI", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.ContainerInstance/containerGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": 
"[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json new file mode 100644 index 00000000..fac00d21 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json 
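Review bot: The `description` refers to `any ACR which is missing this diagnostic settings` and reads `The Policy willset`, but this definition targets `Microsoft.ContainerInstance/containerGroups`; the text looks copied from the Container Registry definition and is shown verbatim in the portal and in compliance reports. Suggest `"description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any Container Instance which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled."`.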
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-ACR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerRegistry/registries" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ContainerRegistryLoginEvents", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ContainerRegistryRepositoryEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json new file mode 100644 index 00000000..9ffe6405 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json 
@@ -0,0 +1,212 @@ +{ + "name": "Deploy-Diagnostics-APIMgmt", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "logAnalyticsDestinationType": { + "type": "String", + "metadata": { + "displayName": "Log Analytics destination type", + "description": "Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. 
Default is 'AzureDiagnostics'" + }, + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ] + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "logAnalyticsDestinationType": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ApiManagement/service/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "WebSocketConnectionLogs", + "enabled": "[parameters('logsEnabled')]" + } + ], + "logAnalyticsDestinationType": "[parameters('logAnalyticsDestinationType')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[parameters('logAnalyticsDestinationType')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
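Review bot: The new `logAnalyticsDestinationType` parameter is passed through to the deployed setting but is not part of the `existenceCondition`, so an existing `setbypolicy` setting that streams to `AzureDiagnostics` is reported compliant even when the assignment asks for `Dedicated`, and the parameter only takes effect on resources that have no matching setting yet. If the `Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType` alias is available in your environment, add `{ "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType", "equals": "[parameters('logAnalyticsDestinationType')]" }` to the `allOf`; otherwise state in the parameter's `description` that it applies to newly created settings only. Since `version` was bumped to `1.2.0` for this parameter, that description is the natural place to record the limitation.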
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json new file mode 100644 index 00000000..631957ec --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json 
@@ -0,0 +1,154 @@ +{ + "name": "Deploy-Diagnostics-AVDScalingPlans", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/scalingplans" + }, 
+ "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Autoscale", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
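Review bot: The `description` ends with `The Policy will set the diagnostic with all and categorys enabled.`, which is garbled and misspelled; this string is displayed in the portal and in compliance output. Suggest `The Policy will set the diagnostic with all log categories enabled.`, which also matches the fact that this definition configures only the `Autoscale` log category and no metrics. The `type` match uses `Microsoft.DesktopVirtualization/scalingplans` in all lowercase; Policy compares resource types case-insensitively as far as I know, but the casing is inconsistent with the other definitions in this commit.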
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json new file mode 100644 index 00000000..0b699182 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-AnalysisService", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.AnalysisServices/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Service", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json new file mode 100644 index 00000000..3c43b2d8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-ApiForFHIR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.HealthcareApis/services" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HealthcareApis/services/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
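Review bot: The existenceCondition hard-codes `"equals": "true"` for both `logs.enabled` and `metrics.enabled`, while the embedded template takes those flags from the `metricsEnabled`/`logsEnabled` parameters; an assignment that sets either to `False` deploys a setting that can never satisfy the condition, so the FHIR service stays non-compliant and is re-remediated on every evaluation. Either drop the two parameters (the description already promises "all metrics and category enabled") or tie the condition to them, e.g. `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"` — policy string comparison is case-insensitive, so `True` should match the boolean alias value, but verify with a `False` assignment before relying on it. The same copy-pasted pattern appears in the other Deploy-Diagnostics definitions added in this change.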
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json new file mode 100644 index 00000000..4362a337 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json 
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-ApplicationGateway", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayPerformanceLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
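Review bot: `roleDefinitionIds` grants the assignment's managed identity Log Analytics Contributor (`92aaf0da-…`) in addition to Monitoring Contributor (`749f88d5-…`), yet the only resource the template writes is a `Microsoft.Insights/diagnosticSettings` child of the gateway. Log Analytics Contributor is a broad role (as I recall it carries `*/read` and storage-account key listing), so granting it at every assignment scope is more than this remediation needs when the workspace is inside the scope — the parameter description itself says it is only required for an out-of-scope workspace. Consider trimming the list to Monitoring Contributor and leaving the workspace-side grant to the manual step the description already documents, after confirming a remediation task still succeeds. `ApplicationGatewayFirewallLog` is only produced by WAF SKUs; enabling it on a non-WAF gateway is harmless but yields no data, which is worth a sentence in `description`.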
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json new file mode 100644 index 00000000..8958c29e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Bastion", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/bastionHosts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "BastionAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json new file mode 100644 index 00000000..618a4d6b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json 
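Review bot: The `retentionPolicy` block with `days: 0` / `enabled: false` has no effect for a Log Analytics destination — it applies to storage-account sinks — so how long `BastionAuditLogs` (the record of who connected to which VM through this jump host) is kept is decided entirely by the target workspace's retention setting, which nothing in this definition pins or mentions. Because this is the only audit trail for Bastion sessions, add a sentence to `description` such as `Log retention is controlled by the Log Analytics workspace, not by this setting; set workspace retention to meet your audit requirement.` Dropping the inert `retentionPolicy` object would also stop readers from assuming the audit logs are unretained.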
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-CDNEndpoints", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cdn/profiles/endpoints" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "CoreAnalytics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
\ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json new file mode 100644 index 00000000..fbf8a0e5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json 
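Review bot: The `description` says the policy "will set the diagnostic with all metrics and category enabled", but this definition has no `metricsEnabled` parameter and the template deploys `"metrics": []` — only the `CoreAnalytics` log category is configured. The text was evidently copied from the sibling definitions; reword it, e.g. `The Policy will enable the CoreAnalytics log category only; no metrics are configured.` The existenceCondition correctly omits the `metrics.enabled` check for this resource, and `field('fullName')` is the right choice for the nested `Microsoft.Cdn/profiles/endpoints` type.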
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-CognitiveServices", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RequestResponse", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Trace", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
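Review bot: Enabling `RequestResponse` and `Trace` by default alongside `Audit` means that — going by the category names — request and response content handled by the Cognitive Services account may be written into the shared Log Analytics workspace, which is a data-handling decision rather than a pure monitoring one, since anyone with read access to the workspace can then see it. The single `logsEnabled` switch is all-or-nothing, so an assignment cannot keep `Audit` while disabling the content-bearing categories. Consider a separate parameter gating the non-audit categories or, at minimum, a sentence in `description` such as `RequestResponse and Trace may contain request payloads; scope workspace access accordingly.` I have not verified the exact fields each category emits, so confirm against the service's log schema before wording it.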
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json new file mode 100644 index 00000000..7979a23c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json 
@@ -0,0 +1,217 @@ +{ + "name": "Deploy-Diagnostics-CosmosDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DataPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MongoRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyRUConsumption", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ControlPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "CassandraRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "GremlinRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json new file mode 100644 index 00000000..43e223d8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json 
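Review bot: All eight log categories are enabled together through the single `logsEnabled` flag, and as far as I recall `QueryRuntimeStatistics` includes the query text, which can carry literal values from application data into the workspace, while `DataPlaneRequests` records per-request detail at volume. `ControlPlaneRequests` is the security-relevant category here (key regeneration, firewall and network changes) and cannot be kept on while the data-plane categories are turned off. Consider a second parameter that gates the data-plane categories independently, or state in `description` that enabling logs sends query-level data to the workspace and may incur significant ingestion cost. Confirm the current category schema before finalising the wording, since I have not re-checked which fields each category emits.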
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-DLAnalytics", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataLakeAnalytics/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Requests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
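Review bot: The existenceCondition in this hunk hard-codes `"equals": "true"` for `logs.enabled` and `metrics.enabled`, while the deployed setting takes its enabled flags from the `logsEnabled`/`metricsEnabled` parameters, so an assignment that sets either to "False" deploys a setting the condition can never match and, as far as I can tell, the resource stays non-compliant and remediation keeps redeploying a disabled setting. Tying the two together, e.g. `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"` on the respective conditions, keeps compliance reporting truthful (Policy string comparison is case-insensitive, which should cover the capitalised True/False allowed values, but worth confirming). The same mismatch is in the DataExplorerCluster, DataFactory, Databricks (logs only), EventGridSub (metrics only) and EventGridSystemTopic hunks below. The description's "The Policy will set the diagnostic with all metrics and category enabled" also overstates things given the toggles; "enables the selected metrics and log categories (see metricsEnabled/logsEnabled)" would match the behaviour.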
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json new file mode 100644 index 00000000..8faad53c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json 
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Diagnostics-DataExplorerCluster", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "SucceededIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FailedIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IngestionBatching", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Command", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Query", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableUsageStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableDetails", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": 
"[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json new file mode 100644 index 00000000..fe5aa77e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json 
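Review bot: The `logs` array in this hunk enumerates seven Kusto categories by name, so any category the provider adds later is silently not streamed until someone edits this file, which is exactly the coverage gap a monitoring policy is meant to close; the same applies to the DLAnalytics hunk above and the DataFactory and Databricks hunks below. If the project can move `apiVersion` off `2017-05-01-preview` to a version that supports category groups (I believe `2021-05-01-preview` does), a single entry `"logs": [ { "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" } ]` would track new categories automatically. If the explicit list is intentional (e.g. to keep noisy categories out of the workspace), a short comment-equivalent in `metadata.description` saying the list is deliberately curated would save the next maintainer the question.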
@@ -0,0 +1,229 @@ +{ + "name": "Deploy-Diagnostics-DataFactory", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ActivityRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TriggerRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessages", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutableStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessageContext", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionComponentPhases", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionDataStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISIntegrationRuntimeLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SandboxPipelineRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SandboxActivityRuns", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json new file mode 100644 index 00000000..b93b48b6 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json 
@@ -0,0 +1,272 @@ +{ + "name": "Deploy-Diagnostics-Databricks", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.3.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Databricks/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "dbfs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clusters", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "accounts", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "jobs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "notebook", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ssh", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "workspace", + 
"enabled": "[parameters('logsEnabled')]" + }, + { + "category": "secrets", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "sqlPermissions", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "instancePools", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "sqlanalytics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "genie", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "globalInitScripts", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "iamRole", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "mlflowExperiment", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "featureStore", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RemoteHistoryService", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "mlflowAcledArtifact", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "databrickssql", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "deltaPipelines", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "modelRegistry", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "repos", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "unityCatalog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "gitCredentials", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "webTerminal", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "serverlessRealTimeInference", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clusterLibraries", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "partnerHub", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clamAVScan", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "capsule8Dataplane", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + 
"parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json new file mode 100644 index 00000000..c77b4eb3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json 
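Review bot: Several of the Databricks log categories in this hunk (for example `clamAVScan`, `capsule8Dataplane`, `serverlessRealTimeInference`) depend on workspace tier or on features that are not enabled on every workspace, and to my knowledge Databricks diagnostic logging as a whole requires the Premium tier, so the DeployIfNotExists deployment is likely to fail on workspaces that do not meet those conditions and surface as remediation errors rather than as a clean non-compliant state. It would help operators to state this in `metadata.description`, e.g. "Requires a Premium-tier Databricks workspace; categories not available on the workspace will cause the remediation deployment to fail", and to confirm against a Standard-tier workspace before assignment. Note also that this policy has no `metricsEnabled` parameter and no metrics block while its description still says "all metrics and category enabled"; the description should drop "metrics" here.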
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-EventGridSub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/eventSubscriptions" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json new file mode 100644 index 00000000..51ed84ae --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json 
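Review bot: This hunk streams metrics only (`"logs": []`, no `logsEnabled` parameter, existence check on `metrics.enabled` alone), yet the `displayName`/`description` reuse the generic "all metrics and category enabled" wording, which will mislead anyone auditing what is actually collected for event subscriptions. Rewording the description to something like "Deploys diagnostic settings streaming AllMetrics (no log categories are available for this resource type) to a Log Analytics workspace" would make the coverage explicit. If the resource type does expose log categories that were left out on purpose, the description should say so instead.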
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-EventGridSystemTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/systemTopics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json new file mode 100644 index 00000000..5990ef97 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json 
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-EventGridTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/topics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PublishFailures", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
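Review bot: The existenceCondition in this hunk hard-codes `"equals": "true"` for `logs.enabled` and `metrics.enabled`, while `logsEnabled` and `metricsEnabled` both allow "False"; an assignment that sets either to False deploys a setting that can never satisfy the condition, so the topic stays non-compliant and remediation redeploys it on every evaluation. The same pattern appears in the ExpressRoute, Firewall, FrontDoor, Function and LoadBalancer hunks below, and in HDInsight for `metrics.enabled`. Either drop "False" from `allowedValues` or tie the condition to the parameter, e.g. `"equals": "[parameters('logsEnabled')]"` (policy string comparison is case-insensitive as far as I know, so "True" vs "true" should be fine, but worth confirming). The condition also appears to be met when any single log entry is enabled, so a setting with only one of DeliveryFailures, PublishFailures or DataPlaneRequests switched on would likely pass as compliant; if that is intended it belongs in the description.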
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json
new file mode 100644
index 00000000..25aa3628
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-ExpressRoute", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PeeringRouteLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json new file mode 100644 index 00000000..01d780d7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json 
@@ -0,0 +1,264 @@ +{ + "name": "Deploy-Diagnostics-Firewall", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "logAnalyticsDestinationType": { + "type": "String", + "metadata": { + "displayName": "Log Analytics destination type", + "description": "Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. 
Default is 'AzureDiagnostics'" + }, + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ] + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "logAnalyticsDestinationType": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logAnalyticsDestinationType": "[parameters('logAnalyticsDestinationType')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallDnsProxy", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWThreatIntel", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWIdpsSignature", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWDnsQuery", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFqdnResolveFailure", + 
"enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFatFlow", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFlowTrace", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[parameters('logAnalyticsDestinationType')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json new file mode 100644 index 00000000..d7fa9f3c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json 
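Review bot: `logAnalyticsDestinationType` is deployed in the template's properties but is not part of the existenceCondition, so an existing setting that already points at the workspace with the other destination type (e.g. AzureDiagnostics when Dedicated was requested) is treated as compliant and is never remediated. If the alias is available, adding `{ "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType", "equals": "[parameters('logAnalyticsDestinationType')]" }` to the `allOf` closes that gap; otherwise the limitation should be stated in the parameter description. The logs array also enables both the legacy categories (AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy) and the structured AZFW* categories; where the platform emits both, that presumably ingests the same events twice, so the choice should be documented or made selectable.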
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-FrontDoor", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/frontDoors" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FrontdoorAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FrontdoorWebApplicationFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json new file mode 100644 index 00000000..bcde0b94 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json 
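Review bot: The `if` only matches `Microsoft.Network/frontDoors`, which is the classic Front Door resource type; Front Door Standard/Premium profiles live under a different provider (Microsoft.Cdn/profiles, as far as I recall) and are not covered by this definition. The displayName and description say "Front Door" without qualification, so a reader would assume full coverage. Suggest `"displayName": "Deploy Diagnostic Settings for Front Door (classic) to Log Analytics workspace"` with a matching sentence in the description, or a sibling definition for the newer resource type.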
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-Function", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "contains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FunctionAppLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
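Review bot: The `kind` filter `"contains": "functionapp"` matches any Microsoft.Web/sites whose kind string contains that token, which as far as I recall includes Logic Apps Standard (kind "functionapp,workflowapp"), so those sites would also receive a FunctionAppLogs setting. If that is intended, the displayName and description should say so; if not, a tighter condition or an explicit exclusion on `kind` is needed. Worth a one-line note in the description either way, e.g. `"description": "... Applies to every Microsoft.Web/sites resource whose kind contains 'functionapp'."`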
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json
new file mode 100644
index 00000000..b2a779ec
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-HDInsight", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.HDInsight/clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": 
{ + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json new file mode 100644 index 00000000..69898554 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json 
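Review bot: The description in this hunk says the policy will "set the diagnostic with all metrics and category enabled", but the template deploys `"logs": []` and there is no `logsEnabled` parameter, so no log categories are configured at all. The existenceCondition likewise checks only `metrics.enabled`, which is consistent with the template but not with the text. Suggest `"description": "Deploys the diagnostic settings for HDInsight to stream metrics to a Log Analytics workspace when any HDInsight cluster which is missing this diagnostic setting is created or updated. Only AllMetrics is enabled; no log categories are configured."`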
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-LoadBalancer", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "LoadBalancerAlertEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "LoadBalancerProbeHealthStatus", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
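Review bot: The existenceCondition in the `then` block requires both `Microsoft.Insights/diagnosticSettings/logs.enabled` and `.../metrics.enabled` to equal `"true"`, while the deployed setting takes those values from the `logsEnabled` and `metricsEnabled` parameters; an assignment that sets either one to `"False"` deploys a setting that can never satisfy the condition, so the resource is reported non-compliant and every remediation run redeploys it. Consider keeping only the `workspaceId` clause in the existence check, or comparing each clause against its parameter, e.g. `"equals": "[parameters('logsEnabled')]"`, which (if Policy's case-insensitive `equals` applies to the boolean field as it does in the built-in definitions) would track the assigned value. The same pattern appears in the Deploy-Diagnostics-LogAnalytics, -LogicAppsISE (logs clause only), -MariaDB, -MediaService, -MlWorkspace and -MySQL hunks. The two `roleDefinitionIds` are granted to the assignment's managed identity across the whole assignment scope, so the policy's `description` or `metadata` should state that this is the reason the workspace-outside-scope case needs a manual role grant, as the `logAnalytics` parameter description already hints.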
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json new file mode 100644 index 00000000..bf6d6c29 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-LogAnalytics", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "microsoft.operationalinsights/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "microsoft.operationalinsights/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
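Review bot: The `if` clause and the deployed resource type are written in lower case (`microsoft.operationalinsights/workspaces`), unlike every sibling definition in this change, which uses the provider's canonical casing. Policy's `equals` on `type` is case-insensitive, so this is a style point rather than a functional one, but the inconsistency makes grep-based audits of the library miss this file; `"equals": "Microsoft.OperationalInsights/workspaces"` and `"type": "Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings"` would align it with the others. Because this definition targets Log Analytics workspaces and streams to a Log Analytics workspace, the `logAnalytics` parameter description should also say what happens when the assigned workspace is the same resource being evaluated, since that case is the common one and the page does not document it.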
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json new file mode 100644 index 00000000..1d562829 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json 
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-LogicAppsISE", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Logic/integrationAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" 
+ }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "IntegrationAccountTrackingEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json new file mode 100644 index 00000000..773ef7fc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json 
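Review bot: The definition name, `displayName` and `description` all say "Logic Apps integration service environment", but the `if` clause matches `Microsoft.Logic/integrationAccounts`, the deployed resource is `Microsoft.Logic/integrationAccounts/providers/diagnosticSettings`, and the only log category is `IntegrationAccountTrackingEvents`; the rule therefore acts on integration accounts, not on integration service environments, and an operator reading the assignment in the portal will believe ISE diagnostics are covered when they are not. If integration accounts are the intended target, rename the metadata to match, e.g. `"displayName": "Deploy Diagnostic Settings for Logic Apps Integration Account to Log Analytics workspace"`, and adjust `description` the same way; if ISE was intended, the `if` type, the deployed type and the log categories all need to change together. The mismatch also affects the file name `policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json` and the `name` value, which downstream initiatives will reference.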
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MariaDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, 
+ "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json new file mode 100644 index 00000000..c98506e3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-MediaService", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Media/mediaServices" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Media/mediaServices/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "KeyDeliveryRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json new file mode 100644 index 00000000..6df9c247 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json 
@@ -0,0 +1,288 @@ +{ + "name": "Deploy-Diagnostics-MlWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "AmlComputeClusterEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeClusterNodeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeJobEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeCpuGpuUtilization", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlRunStatusChangedEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsActionEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": 
"DeploymentEventACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentEventAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ComputeInstanceEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentReadEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json new file mode 100644 index 00000000..1048f2fa --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MySQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
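Review bot: The existenceCondition under policyRule.then.details hard-codes `"equals": "true"` for `Microsoft.Insights/diagnosticSettings/logs.enabled` and `metrics.enabled`, while the deployed setting takes those values from the `logsEnabled`/`metricsEnabled` parameters; an assignment that sets either to `False` deploys a setting that can never satisfy the condition, so the server stays non-compliant and DeployIfNotExists re-runs on every evaluation. The condition also never names the categories it deploys, so a `setbypolicy` setting that streams `MySqlSlowLogs` to the right workspace but has `MySqlAuditLogs` disabled is likely to evaluate as compliant, and the audit trail is lost without any remediation. Either keep the hard-coded `true` and drop the two parameters, or mirror the parameters in the condition, e.g. `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"` (policy `equals` is case-insensitive, so `True` matches `true`). I'd also add a condition on `Microsoft.Insights/diagnosticSettings/logs[*].category` for `MySqlAuditLogs` if the audit stream is the security requirement here.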
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json new file mode 100644 index 00000000..daca6b48 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json 
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NIC", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkInterfaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json new file mode 100644 index 00000000..e7843361 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json 
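Review bot: The existence check in policyRule.then.details is keyed on `"name": "[parameters('profileName')]"` (default `setbypolicy`) plus the workspace id, but Azure only permits one diagnostic setting per resource to target a given workspace; if a NIC already streams to the same `logAnalytics` workspace under another setting name, the existence check fails and, in my experience, the remediation deployment then errors with a "data sink already used" conflict rather than converging. Consider documenting that in the `profileName` parameter description, e.g. `"description": "The diagnostic settings profile name. Any existing setting for the same resource that already targets the selected workspace must use this name, otherwise remediation will fail."` The `metricsEnabled` parameter has the same hard-coded-`true` mismatch with the existence condition as the other definitions in this change: set it to `False` and the NIC can never become compliant.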
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NetworkSecurityGroups", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json new file mode 100644 index 00000000..82b1ba70 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json 
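Review bot: The description's "all metrics and category enabled" is accurate for the two diagnostic categories in the template (`NetworkSecurityGroupEvent`, `NetworkSecurityGroupRuleCounter`), but security readers will assume this definition gives them NSG flow logs, which it does not — flow logs are a separate Network Watcher resource and are not touched here. I'd append to the description: `This policy does not configure NSG flow logs, which are a separate Network Watcher flow log resource and must be deployed by a different policy.` As in the sibling definitions, the existenceCondition hard-codes `"equals": "true"` for `logs.enabled` while the deployment uses `[parameters('logsEnabled')]`, so an assignment with `logsEnabled=False` never reaches compliance; either mirror the parameter in the condition or remove the parameter.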
@@ -0,0 +1,240 @@ +{ + "name": "Deploy-Diagnostics-PostgreSQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "2.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "resourceType": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "condition": "[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]", + "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + }, + { + "condition": "[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]", + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", 
+ "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreWaitStatistics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "resourceType": { + "value": "[field('type')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json new file mode 100644 index 00000000..e3988dbf --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json 
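Review bot: The `Microsoft.DBforPostgreSQL/flexibleServers` branch enables only the single `PostgreSQLLogs` category, while the description promises all categories; since this template already uses apiVersion `2021-05-01-preview`, it could use a category group instead, `{ "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" }`, so categories the provider adds later (flexible server has gained session and query-store style logs) are captured without another policy version bump. If the explicit list is kept, the existenceCondition should at least assert the categories it deploys rather than only `logs.enabled` and `metrics.enabled`, which are also hard-coded to `"true"` while the deployment takes them from `logsEnabled`/`metricsEnabled` — a `False` assignment value therefore never converges. The two `condition` expressions use `startsWith` on `field('type')`; `equals` would be the tighter test given both types are fixed in the `if` block, though I don't see a concrete collision today.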
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-PowerBIEmbedded", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.PowerBIDedicated/capacities" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
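Review bot: This definition (and the MySQL, NIC, NSG and Redis ones in the same change) deploys `Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings` with apiVersion `2017-05-01-preview`, while the PostgreSQL definition added alongside uses `2021-05-01-preview`; the library should pin one diagnostic-settings API version so future fixes (category groups, retention fields) are applied uniformly, e.g. `"apiVersion": "2021-05-01-preview"` here. The `retentionPolicy` block with `days: 0`/`enabled: false` only applies to storage-account sinks and is inert for a workspace destination, which is worth a comment in the metadata description so nobody reads it as "zero retention" in Log Analytics. The existenceCondition hard-codes `"equals": "true"` for `logs.enabled`/`metrics.enabled` while the deployment uses the `logsEnabled`/`metricsEnabled` parameters, so a `False` assignment value can never become compliant.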
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json new file mode 100644 index 00000000..44f70db1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-RedisCache", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cache/redis" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cache/redis/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": 
"[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json new file mode 100644 index 00000000..f8595c85 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json 
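Review bot: The template hard-codes `"logs": []` for `Microsoft.Cache/redis` and the existenceCondition checks only `metrics.enabled`, so a cache with a metrics-only setting is compliant and no log category is ever enabled; Azure Cache for Redis exposes a `ConnectedClientList` diagnostic log category (client connection events), which is the data an incident responder actually needs from a cache, and this definition will never turn it on. Suggest adding a `logsEnabled` parameter mirroring the MySQL definition and emitting `"logs": [ { "category": "ConnectedClientList", "enabled": "[parameters('logsEnabled')]" } ]`, with a matching `logs.enabled` clause in the existenceCondition. If the metrics-only scope is intentional, the description's "all metrics and category enabled" should be narrowed to say only metrics are streamed.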
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Relay", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + 
"False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Relay/namespaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": 
false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "HybridConnectionsEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json new file mode 100644 index 00000000..2cf6fe69 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json 
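Review bot: The existenceCondition hard-codes `"equals": "true"` for both `logs.enabled` and `metrics.enabled`, while the values actually deployed come from `logsEnabled`/`metricsEnabled`, which an assignment may set to `False`; in that case the deployed setting can never satisfy the condition, so the resource presumably stays non-compliant and remediation is re-triggered on every evaluation. Azure Policy's `equals` is documented as case-insensitive, so tying each clause to its parameter should work: `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`. The same pattern appears in the SQLElasticPools, SQLMI, SignalR, TimeSeriesInsights, TrafficManager and VM hunks below. If the intent is that streams are always on while the policy is active, the two parameters should instead be removed so an assignment cannot declare a state the condition rejects.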
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-SQLElasticPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/elasticPools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json new file mode 100644 index 00000000..d838026c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json 
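Review bot: The description promises "all metrics and category enabled", but the template deploys `"logs": []` with only the `AllMetrics` metric and the parameter block exposes no `logsEnabled`; the description should say this definition streams metrics only, so consumers do not assume log categories are collected (the VM hunk below has the same mismatch). Passing `field('fullName')` as `resourceName` appears deliberate here, since elastic pools are child resources under `servers/` and the template concatenates that name into `Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings`, which differs from the `field('name')` used by the other definitions; a sentence in the description such as `"The setting is deployed using the pool's full name (server/pool)"` would stop the next reader from "fixing" it.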
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-SQLMI", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, 
+ "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "ResourceUsageStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SQLSecurityAuditEvents", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DevOpsOperationsAudit", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json new file mode 100644 index 00000000..e9a395c1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json 
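Review bot: The existenceCondition only checks `logs.enabled` equals "true" and the workspace, so a pre-existing setting named `profileName` with any single log category enabled presumably satisfies it even when `SQLSecurityAuditEvents` and `DevOpsOperationsAudit` are not streamed; those are the audit categories a defender relies on, so consider whether a per-category clause can be expressed with the available diagnosticSettings log aliases, or at least document the gap. The description also says "all metrics and category enabled", yet this definition has no `metricsEnabled` parameter and no `metrics` block; rewording it to `"The Policy will set the diagnostic with the ResourceUsageStats, SQLSecurityAuditEvents and DevOpsOperationsAudit log categories enabled"` would match what is deployed.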
@@ -0,0 +1,185 @@ +{ + "name": "Deploy-Diagnostics-SignalR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.SignalRService/SignalR" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": 
"AllLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json new file mode 100644 index 00000000..ca3dfcc2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json 
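Review bot: The existenceCondition checks only `metrics.enabled` and `workspaceId`, yet the template also enables the `AllLogs` category from `logsEnabled`; an existing setting with the same name that streams metrics but no logs satisfies the condition, so the log stream is never remediated. The Relay and TimeSeriesInsights hunks in this change include a `logs.enabled` clause in the same position; add the same here, before the metrics clause: `{ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" },`.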
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-TimeSeriesInsights", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.TimeSeriesInsights/environments" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Ingress", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json new file mode 100644 index 00000000..2bd6593b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-TrafficManager", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ProbeHealthStatusEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json new file mode 100644 index 00000000..fe19ea18 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json 
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VM", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Compute/virtualMachines" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + 
"value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json new file mode 100644 index 00000000..3adea471 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json 
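Review bot: The metrics entry here drops `"timeGrain": null` and swaps the order of the `retentionPolicy` keys compared with every sibling definition in this change; that is harmless to ARM but makes the library files harder to diff against each other, so aligning it with the others (`"retentionPolicy": { "days": 0, "enabled": false }, "timeGrain": null`) keeps them uniform. Beyond style, `logs` is `[]` and a resource-level diagnostic setting on `Microsoft.Compute/virtualMachines` carries platform metrics only, so the description's "all metrics and category enabled" overstates what is collected; guest OS logs need a separate data-collection mechanism outside this definition, and the description should state that this policy is metrics-only.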
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VMSS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { 
+ "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json new file mode 100644 index 00000000..ac9bd97f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json 
@@ -0,0 +1,205 @@ +{ + "name": "Deploy-Diagnostics-VNetGW", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworkGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IKEDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "P2SDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TunnelDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json new file mode 100644 index 00000000..6d51b752 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json 
@@ -0,0 +1,201 @@ +{ + "name": "Deploy-Diagnostics-VWanS2SVPNGW", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/vpnGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/vpnGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IKEDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TunnelDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json
new file mode 100644
index 00000000..9dbde3a3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json
@@ -0,0 +1,188 @@ +{ + "name": "Deploy-Diagnostics-VirtualNetwork", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "VMProtectionAlerts", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json
new file mode 100644
index 00000000..5db3014d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-WVDAppGroup", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/applicationGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json new file mode 100644 index 00000000..213d020c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json 
@@ -0,0 +1,188 @@ +{ + "name": "Deploy-Diagnostics-WVDHostPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.3.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/hostpools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Connection", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "HostRegistration", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AgentHealthStatus", + "enabled": 
"[parameters('logsEnabled')]" + }, + { + "category": "NetworkData", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SessionHostManagement", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ConnectionGraphicsData", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json new file mode 100644 index 00000000..215102a4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json 
@@ -0,0 +1,168 @@ +{ + "name": "Deploy-Diagnostics-WVDWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Feed", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": 
"[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json new file mode 100644 index 00000000..ba52b224 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json 
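Review bot: The existenceCondition in this hunk pins `"Microsoft.Insights/diagnosticSettings/logs.enabled"` to the literal `"true"`, while the `logsEnabled` parameter accepts `"False"`; an assignment with logs disabled would deploy a setting with `enabled: False` that never satisfies the condition, so the resource stays non-compliant and the DeployIfNotExists remediation is re-triggered on every evaluation. The Website hunk later on this page already uses `"equals": "[parameters('logsEnabled')]"`, which is the consistent form to adopt here. The same mismatch appears in the WebServerFarm hunk (`metrics.enabled` vs `metricsEnabled`), the iotHub hunk (both `logs.enabled` and `metrics.enabled`), and in the visible tail of the preceding hostpools hunk. The description text also reads "all and categorys enabled"; presumably "all log categories enabled" was intended.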
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-WebServerFarm", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/serverfarms/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json new file mode 100644 index 00000000..af682e66 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json 
@@ -0,0 +1,266 @@ +{ + "name": "Deploy-Diagnostics-Website", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + }, + "serverFarmId": { + "type": "String" + } + }, + "variables": { + "logs": { + "premiumTierLogs": [ + { + "category": "AppServiceAntivirusScanAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[parameters('logsEnabled')]" + }, + 
{ + "category": "AppServiceAppLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceFileAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[parameters('logsEnabled')]" + } + ], + "otherTierLogs": [ + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": "[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]" + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "logAnalytics": { + "value": 
"[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "serverFarmId": { + "value": "[field('Microsoft.Web/sites/serverFarmId')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json new file mode 100644 index 00000000..2ab78fb4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json 
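Review bot: The `logs` expression in this hunk calls `reference(parameters('serverFarmId'), '2021-03-01', 'Full')` on the App Service Plan, which is a separate resource from the site being remediated and may live in a different resource group or subscription; the deployment then depends on the assignment's managed identity being able to read that plan, and it is not evident from the two `roleDefinitionIds` listed here that such access is guaranteed, so this is worth confirming and documenting. A short comment-equivalent in the parameter metadata, e.g. `"description": "Remediation reads the site's App Service Plan via reference(); the assignment identity needs read access to that plan"`, would make the dependency visible to whoever assigns the policy. Separately, the output `concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))` runs the workspace id straight into the word "configured"; `' configured for diagnostic logs for: '` reads correctly.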
@@ -0,0 +1,241 @@ +{ + "name": "Deploy-Diagnostics-iotHub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Devices/IotHubs" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Devices/IotHubs/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + 
"enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Connections", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceTelemetry", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DCommands", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceIdentityOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FileUploadOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Routes", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "D2CTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TwinQueries", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "JobsOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DirectMethods", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DistributedTracing", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Configurations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceStreams", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json
new file mode 100644
index 00000000..ede0b6cf
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json
@@ -0,0 +1,167 @@ +{ + "name": "Deploy-FirewallPolicy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Azure Firewall Manager policy in the subscription", + "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "fwpolicy": { + "type": "Object", + "metadata": { + "displayName": "fwpolicy", + "description": "Object describing Azure Firewall Policy" + }, + "defaultValue": {} + }, + "fwPolicyRegion": { + "type": "String", + "metadata": { + "displayName": "fwPolicyRegion", + "description": "Select Azure region for Azure Firewall Policy", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." 
+ } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/firewallPolicies", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "resourceGroupName": "[parameters('rgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[parameters('rgName')]" + }, + "fwPolicy": { + "value": "[parameters('fwPolicy')]" + }, + "fwPolicyRegion": { + "value": "[parameters('fwPolicyRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "fwPolicy": { + "type": "object" + }, + "fwPolicyRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "fwpolicies", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + 
"variables": {}, + "resources": [ + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2019-09-01", + "name": "[parameters('fwpolicy').firewallPolicyName]", + "location": "[parameters('fwpolicy').location]", + "dependsOn": [], + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "ruleGroups", + "apiVersion": "2019-09-01", + "name": "[parameters('fwpolicy').ruleGroups.name]", + "dependsOn": [ + "[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]" + ], + "properties": { + "priority": "[parameters('fwpolicy').ruleGroups.properties.priority]", + "rules": "[parameters('fwpolicy').ruleGroups.properties.rules]" + } + } + ] + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json new file mode 100644 index 00000000..7e7290ea --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json 
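Review bot: `fwPolicyRegion` is declared as a policy parameter, passed into the nested template and declared there, but never referenced: the resource group takes `"[deployment().location]"`, which resolves to the hard-coded `"location": "northeurope"` on the deployment, and the firewall policy takes `parameters('fwpolicy').location`. Either drop the unused parameter or wire it through with `"location": "[parameters('fwPolicyRegion')]"` on the resource group so the region selected at assignment time is the one actually used. The `fwpolicy` parameter defaults to `{}`, and the template dereferences `parameters('fwpolicy').firewallPolicyName` and `.ruleGroups.properties.rules` unconditionally, so an assignment that omits the object would presumably fail at deployment rather than at validation; a note in its metadata that the object is effectively required would help. The single role in `roleDefinitionIds` (`b24988ac-6180-42a0-ab88-20f7382dd24c`, Contributor) is granted at subscription scope for a remediation that only needs to create a resource group and a firewall policy; if a narrower built-in role covers that, it would be the least-privilege choice.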
@@ -0,0 +1,138 @@
+{
+ "name": "Deploy-MySQL-sslEnforcement",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect minimum TLS version Azure Database for MySQL server",
+ "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server"
+ }
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "Select version minimum TLS for MySQL server",
+ "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "notEquals": "Enabled"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforMySQL/servers",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "equals": "Enabled"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
+ "equals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "minimalTlsVersion": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "[concat(parameters('resourceName'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]",
+ "minimalTlsVersion": "[parameters('minimalTlsVersion')]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[parameters('minimalTlsVersion')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json
new file mode 100644
index 00000000..055961f3
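Review bot: The `minimalTlsVersion` parameter admits `TLSEnforcementDisabled`, `TLS1_0` and `TLS1_1`, but the existenceCondition in this hunk requires `sslEnforcement` to equal `Enabled` while the template sets it to `Disabled` for that value; an assignment choosing `TLSEnforcementDisabled` therefore matches the `if` block (`sslEnforcement notEquals Enabled`), deploys a server that never satisfies the existence check, and is remediated again on every evaluation. It also lets a policy whose description says it "enforces that SSL is always enabled" be used to turn SSL enforcement off, and the two legacy TLS values weaken the stated intent in the same way. Restricting `allowedValues` to `["TLS1_2"]` (or at minimum removing `TLSEnforcementDisabled`) resolves both the evaluation loop and the contradiction with the description. As a point of style, the `if` block mixes `"notEquals"` and `"notequals"` for the two conditions; one spelling is easier to grep and lint.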
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json
@@ -0,0 +1,234 @@
+{
+ "name": "Deploy-Nsg-FlowLogs-to-LA",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics",
+ "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period.",
+ "metadata": {
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "retention": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "Retention"
+ },
+ "defaultValue": 5
+ },
+ "interval": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "Traffic Analytics processing interval mins (10/60)"
+ },
+ "defaultValue": 60
+ },
+ "workspace": {
+ "type": "String",
+ "metadata": {
+ "strongType": "omsWorkspace",
+ "displayName": "Resource ID of Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ },
+ "defaultValue": ""
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Network/networkWatchers/flowlogs",
+ "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
+ "equals": "true"
+ }
+ ]
+ },
+ "existenceScope": "resourceGroup",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
+ "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
+ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]",
+ "deploymentScope": "subscription",
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "networkSecurityGroup": {
+ "value": "[field('id')]"
+ },
+ "workspace": {
+ "value": "[parameters('workspace')]"
+ },
+ "retention": {
+ "value": "[parameters('retention')]"
+ },
+ "interval": {
+ "value": "[parameters('interval')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "networkSecurityGroup": {
+ "type": "String"
+ },
+ "workspace": {
+ "type": "String"
+ },
+ "retention": {
+ "type": "int"
+ },
+ "interval": {
+ "type": "int"
+ },
+ "time": {
+ "type": "String",
+ "defaultValue": "[utcNow()]"
+ }
+ },
+ "variables": {
+ "resourceGroupName": "[split(parameters('networkSecurityGroup'), '/')[4]]",
+ "securityGroupName": "[split(parameters('networkSecurityGroup'), '/')[8]]",
+ "storageAccountName": "[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]",
+ "resourceGroup": "[variables('resourceGroupName')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[variables('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "properties": {},
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]",
+ "resourceGroup": "NetworkWatcherRG",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkWatchers",
+ "apiVersion": "2020-05-01",
+ "name": "[concat('NetworkWatcher_', toLower(parameters('location')))]",
+ "location": "[parameters('location')]",
+ "properties": {},
+ "resources": [
+ {
+ "type": "flowLogs",
+ "apiVersion": "2019-11-01",
+ "name": "[concat(variables('securityGroupName'), '-Network-flowlog')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "enabled": true,
+ "format": {
+ "type": "JSON",
+ "version": 2
+ },
+ "retentionPolicy": {
+ "days": "[parameters('retention')]",
+ "enabled": true
+ },
+ "flowAnalyticsConfiguration": {
+ "networkWatcherFlowAnalyticsConfiguration": {
+ "enabled": true,
+ "trafficAnalyticsInterval": "[parameters('interval')]",
+ "workspaceResourceId": "[parameters('workspace')]"
+ }
+ },
+ "storageId": "[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
+ "targetResourceId": "[parameters('networkSecurityGroup')]"
+ },
+ "dependsOn": [
+ "[concat('NetworkWatcher_', toLower(parameters('location')))]"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]"
+ ]
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json
new file mode 100644
index 00000000..2a504dd4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json
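Review bot: The subscription-scope deployment pins `"location": "northeurope"` while `alzCloudEnvironments` lists AzureChinaCloud and AzureUSGovernment, where that region does not exist, so remediation in those clouds would fail when the deployment is created; `"location": "[field('location')]"` would follow the NSG's own region instead. The flow-log storage account is created with `"properties": {}`, leaving HTTPS-only, minimum TLS and public blob access to the 2019-06-01 API defaults, which is a hardening gap for a log sink that security operations will rely on. `roleDefinitionIds` also lists b24988ac-6180-42a0-ab88-20f7382dd24c (the built-in Contributor role) alongside the narrower Network, Storage and Log Analytics roles, which is broader than the remediation identity needs. The definition is marked deprecated, so these may be deliberately frozen, but anyone still assigning it inherits them.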
@@ -0,0 +1,196 @@
+{
+ "name": "Deploy-Nsg-FlowLogs",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics",
+ "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.",
+ "metadata": {
+ "deprecated": true,
+ "version": "1.0.0-deprecated",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "retention": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "Retention"
+ },
+ "defaultValue": 5
+ },
+ "storageAccountResourceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Storage Account Resource Id",
+ "strongType": "Microsoft.Storage/storageAccounts"
+ }
+ },
+ "trafficAnalyticsInterval": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "Traffic Analytics processing interval mins (10/60)"
+ },
+ "defaultValue": 60
+ },
+ "flowAnalyticsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable Traffic Analytics"
+ },
+ "defaultValue": false
+ },
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "strongType": "omsWorkspace",
+ "displayName": "Resource ID of Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ },
+ "defaultValue": ""
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Network/networkWatchers/flowLogs",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "resourceGroupName": "NetworkWatcherRG",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled",
+ "equals": "[parameters('flowAnalyticsEnabled')]"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "networkSecurityGroupName": {
+ "value": "[field('name')]"
+ },
+ "resourceGroupName": {
+ "value": "[resourceGroup().name]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "storageAccountResourceId": {
+ "value": "[parameters('storageAccountResourceId')]"
+ },
+ "retention": {
+ "value": "[parameters('retention')]"
+ },
+ "flowAnalyticsEnabled": {
+ "value": "[parameters('flowAnalyticsEnabled')]"
+ },
+ "trafficAnalyticsInterval": {
+ "value": "[parameters('trafficAnalyticsInterval')]"
+ },
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "networkSecurityGroupName": {
+ "type": "String"
+ },
+ "resourceGroupName": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "storageAccountResourceId": {
+ "type": "String"
+ },
+ "retention": {
+ "type": "int"
+ },
+ "flowAnalyticsEnabled": {
+ "type": "bool"
+ },
+ "trafficAnalyticsInterval": {
+ "type": "int"
+ },
+ "logAnalytics": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkWatchers/flowLogs",
+ "apiVersion": "2020-05-01",
+ "name": "[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "targetResourceId": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
+ "storageId": "[parameters('storageAccountResourceId')]",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[parameters('retention')]"
+ },
+ "format": {
+ "type": "JSON",
+ "version": 2
+ },
+ "flowAnalyticsConfiguration": {
+ "networkWatcherFlowAnalyticsConfiguration": {
+ "enabled": "[bool(parameters('flowAnalyticsEnabled'))]",
+ "trafficAnalyticsInterval": "[parameters('trafficAnalyticsInterval')]",
+ "workspaceId": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]",
+ "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]",
+ "workspaceResourceId": "[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
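Review bot: `trafficAnalyticsInterval` advertises "(10/60)" in its displayName but carries no `allowedValues`, so an assignment can pass any integer and the error only surfaces when the remediation deployment runs; `"allowedValues": [10, 60]` on the parameter validates it at assignment time, and the same applies to `interval` in Deploy-Nsg-FlowLogs-to-LA. `storageAccountResourceId` is a required parameter with no `description`, yet the policy targets NSGs in every region; as far as I recall NSG flow logs require the storage account to sit in the same region as the NSG, so one assignment can only remediate a single region and the description should say so. The second `existenceCondition` entry compares the `...networkWatcherFlowAnalyticsConfiguration.enabled` alias to the Boolean parameter `flowAnalyticsEnabled`, whereas the sibling entry compares `enabled` to the string `"true"`; worth confirming which form the alias returns so the check is not permanently false. The definition is deprecated, so these are notes for anyone still assigning it.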
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json
new file mode 100644
index 00000000..d644cc23
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json
@@ -0,0 +1,139 @@
+{
+ "name": "Deploy-PostgreSQL-sslEnforcement",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect Azure Database for PostgreSQL server",
+ "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server"
+ }
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "Select version for PostgreSQL server",
+ "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
+ "notEquals": "Enabled"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
+ "notEquals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
+ "equals": "Enabled"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
+ "equals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ },
+ "name": "current",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "minimalTlsVersion": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "[concat(parameters('resourceName'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]",
+ "minimalTlsVersion": "[parameters('minimalTlsVersion')]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[parameters('minimalTlsVersion')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
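Review bot: Selecting `TLSEnforcementDisabled` for `minimalTlsVersion` makes the policy unsatisfiable: the template then sets `sslEnforcement` to `Disabled`, but the `existenceCondition` still requires `sslEnforcement` equals `Enabled`, so every evaluation reports non-compliance and every remediation re-applies a change that weakens the server. Since the displayName promises to "enforce SSL", the cleanest fix is to drop `TLSEnforcementDisabled` (and arguably `TLS1_0`/`TLS1_1`) from `allowedValues` and write `"sslEnforcement": "Enabled"` in the template; if disabling must remain supported, the existence condition needs the same `if()` the template uses. The `notEquals` trigger also means a server already at a stricter version is downgraded when an assignment picks a weaker one. The `description` text is garbled ("Enables secure server to client by enforce minimal Tls Version …") and should be rewritten as one clear sentence; the MySQL definition whose tail appears earlier in this diff appears to share the same template pattern.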
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json
new file mode 100644
index 00000000..07fa3ffb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json
@@ -0,0 +1,125 @@
+{
+ "name": "Deploy-SQL-minTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "SQL servers deploys a specific min TLS version requirement.",
+ "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect SQL servers",
+ "description": "Enable or disable the execution of the policy minimum TLS version SQL servers"
+ }
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select version for SQL server",
+ "description": "Select version minimum TLS version SQL servers to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers"
+ },
+ {
+ "field": "Microsoft.Sql/servers/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/minimalTlsVersion",
+ "equals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ },
+ "name": "current",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "minimalTlsVersion": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2019-06-01-preview",
+ "name": "[concat(parameters('resourceName'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "minimalTlsVersion": "[parameters('minimalTlsVersion')]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[parameters('minimalTlsVersion')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json
new file mode 100644
index 00000000..dba8a54d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json
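Review bot: The `description` says the policy will "enforce SSL" and repeats the PostgreSQL wording, but the template only writes `Microsoft.Sql/servers/minimalTlsVersion` and touches no SSL-enforcement setting, so the description should be cut down to the TLS-version statement it actually delivers. `allowedValues` for `minimalTlsVersion` includes `"1.1"` and `"1.0"`, and because the trigger is `notequals`, an assignment that selects one of them actively downgrades servers already at 1.2; restricting `allowedValues` to `["1.2"]`, or gating the trigger so it never selects a server that is already stricter, keeps the policy from lowering security. `"apiVersion": "2019-06-01-preview"` is a preview API for a production remediation path; a GA version of `Microsoft.Sql/servers` would be preferable if one exposes this property.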
@@ -0,0 +1,125 @@
+{
+ "name": "Deploy-Sql-AuditingSettings",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy SQL database auditing settings",
+ "description": "Deploy auditing settings to SQL Database when it not exist in the deployment",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/auditingSettings",
+ "name": "default",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/auditingSettings/state",
+ "equals": "enabled"
+ },
+ {
+ "field": "Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled",
+ "equals": "true"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/auditingSettings",
+ "apiVersion": "2017-03-01-preview",
+ "properties": {
+ "state": "enabled",
+ "auditActionsAndGroups": [
+ "BATCH_COMPLETED_GROUP",
+ "DATABASE_OBJECT_CHANGE_GROUP",
+ "SCHEMA_OBJECT_CHANGE_GROUP",
+ "BACKUP_RESTORE_GROUP",
+ "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP",
+ "DATABASE_PRINCIPAL_CHANGE_GROUP",
+ "DATABASE_PRINCIPAL_IMPERSONATION_GROUP",
+ "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
+ "USER_CHANGE_PASSWORD_GROUP",
+ "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP",
+ "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP",
+ "DATABASE_PERMISSION_CHANGE_GROUP",
+ "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP",
+ "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
+ "FAILED_DATABASE_AUTHENTICATION_GROUP"
+ ],
+ "isAzureMonitorTargetEnabled": true
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json
new file mode 100644
index 00000000..bf77005b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json
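Review bot: `"isAzureMonitorTargetEnabled": true` on its own does not persist audit events; the database also needs a diagnostic setting that routes the `SQLSecurityAuditEvents` category to a workspace, storage account or event hub, and neither the template nor the `existenceCondition` covers that, so a database can show as compliant while its audit trail is written nowhere. Either state in the `description` that a companion diagnostic-settings policy is required, or add a `Microsoft.Insights/diagnosticSettings` resource to the template with a workspace parameter. The `location` template parameter is declared and passed but never referenced, and the same unused parameter appears in Deploy-Sql-SecurityAlertPolicies and Deploy-Sql-Tde; dropping it keeps the templates honest. The `existenceCondition` checks `state` and the Azure Monitor target but not `auditActionsAndGroups`, so an out-of-band edit that empties the action groups still counts as compliant.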
@@ -0,0 +1,123 @@
+{
+ "name": "Deploy-Sql-SecurityAlertPolicies",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+ "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration",
+ "metadata": {
+ "version": "1.1.1",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "emailAddresses": {
+ "type": "Array",
+ "defaultValue": [
+ "admin@contoso.com",
+ "admin@fabrikam.com"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ },
+ "emailAddresses": {
+ "type": "Array"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "apiVersion": "2018-06-01-preview",
+ "properties": {
+ "state": "Enabled",
+ "disabledAlerts": [
+ ""
+ ],
+ "emailAddresses": "[parameters('emailAddresses')]",
+ "emailAccountAdmins": true,
+ "storageEndpoint": null,
+ "storageAccountAccessKey": "",
+ "retentionDays": 0
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[field('name')]"
+ },
+ "emailAddresses": {
+ "value": "[parameters('emailAddresses')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json
new file mode 100644
index 00000000..8415c4fa
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json
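Review bot: `emailAddresses` defaults to `"admin@contoso.com"` and `"admin@fabrikam.com"`, placeholder domains the deploying organisation does not control, so an assignment that leaves the default in place routes threat-detection alerts for every database to external mailboxes. Remove `defaultValue` so the assignment must supply the list, or default to `[]` and rely on the `"emailAccountAdmins": true` the template already sets; the parameter also lacks `metadata.displayName`/`description` saying what these addresses receive. `"retentionDays": 0` together with `"storageEndpoint": null` means alerts are emailed but never stored, which the `description` should state so operators do not expect a retained record.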
@@ -0,0 +1,125 @@
+{
+ "name": "Deploy-Sql-Tde",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated] Deploy SQL Database Transparent Data Encryption",
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html",
+ "metadata": {
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "excludedDatabases": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Excluded Databases",
+ "description": "Array of databases that are excluded from this policy"
+ },
+ "defaultValue": [
+ "master",
+ "model",
+ "tempdb",
+ "msdb",
+ "resource"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ {
+ "field": "name",
+ "notIn": "[parameters('excludedDatabases')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/transparentDataEncryption.status",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]",
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "apiVersion": "2014-04-01",
+ "properties": {
+ "status": "Enabled"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json
new file mode 100644
index 00000000..c7ecc25f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json
@@ -0,0 +1,144 @@ +{ + "name": "Deploy-Sql-vulnerabilityAssessments", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html", + "metadata": { + "version": "1.0.1-deprecated", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Deploy-Sql-vulnerabilityAssessments_20230706", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "String", + "metadata": { + "description": "The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'", + "displayName": "The email address to send alerts. 
For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'" + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails", + "equals": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "vulnerabilityAssessmentsEmail": { + "type": "String" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') 
) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": [ + "[parameters('vulnerabilityAssessmentsEmail')]" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json new file mode 100644 index 00000000..08cb17fb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json 
@@ -0,0 +1,147 @@ +{ + "name": "Deploy-Sql-vulnerabilityAssessments_20230706", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database Vulnerability Assessments", + "description": "Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-Sql-vulnerabilityAssessments", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "Array", + "metadata": { + "description": "The email address(es) to send alerts.", + "displayName": "The email address(es) to send alerts." + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]", + "where": { + "value": "current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])", + "notIn": 
"[parameters('vulnerabilityAssessmentsEmail')]" + } + }, + "greater": 0 + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "vulnerabilityAssessmentsEmail": { + "type": "Array" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": "[parameters('vulnerabilityAssessmentsEmail')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + 
"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json new file mode 100644 index 00000000..237c536c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json 
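Review bot: `storageContainerPath` hard-codes `.blob.core.windows.net`, yet `alzCloudEnvironments` advertises AzureChinaCloud and AzureUSGovernment, whose blob endpoints use different suffixes, so in those clouds the remediation points the scanner at a hostname the account does not have; `"storageContainerPath": "[concat('https://', last(split(parameters('vulnerabilityAssessmentsStorageID'), '/')), '.blob.', environment().suffixes.storage, '/vulneraabilitylogs')]"` derives the suffix from the target cloud (the container name is kept as-is, misspelling included, because renaming it would move existing scan output). `storageAccountAccessKey` is populated from `listkeys(...).keys[0].value`, which needs the assignment identity to read shared keys and embeds key-based access in the VA configuration; if shared-key access is disabled on the account, as many baselines now require, remediation fails, and the parameter description should say so (the server's managed identity is presumably the key-less alternative, worth confirming for this API version). The `existenceCondition` also reads as inverted: it counts addresses that are `notIn` the approved list and treats `greater 0` as compliant, so a database that only mails an unapproved address is left alone while one configured exactly as requested keeps being remediated; `"in"` looks like the intent unless `notIn` is deliberate.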
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-SqlMi-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL managed instances deploy a specific min TLS version requirement.", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/managedInstances", + "existenceCondition": { + "allOf": [ + { + "field": 
"Microsoft.Sql/managedInstances/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2020-02-02-preview", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json new file mode 100644 index 00000000..8835ff5e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json 
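Review bot: The `if` condition compares `minimalTlsVersion` with `notequals`, so the policy enforces an exact version rather than a minimum: with the allowed value `1.1` selected, an instance already on `1.2` is flagged and the `DeployIfNotExists` remediation would lower it to `1.1`. Since the managed-instance values `1.0`/`1.1`/`1.2` order correctly as strings, `"less": "[parameters('minimalTlsVersion')]"` in the `if` and `"greaterOrEquals": "[parameters('minimalTlsVersion')]"` in the `existenceCondition` would only catch instances below the floor. Consider also dropping `1.0` and `1.1` from `allowedValues`, or stating in the parameter description that choosing them weakens rather than raises the floor.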
@@ -0,0 +1,138 @@ +{ + "name": "Deploy-Storage-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", + "metadata": { + "version": "1.1.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Storage", + "description": "Enable or disable the execution of the policy minimum TLS version Azure STorage" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Select TLS version for Azure Storage server", + "description": "Select version minimum TLS version Azure STorage to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "notEquals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notEquals": "[parameters('minimumTlsVersion')]" + } + ] + 
} + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Storage/storageAccounts", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "equals": "[parameters('minimumTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimumTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "[parameters('minimumTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimumTlsVersion": { + "value": "[parameters('minimumTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json new file mode 100644 index 00000000..76e21fcd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json 
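Review bot: Same exact-match problem as in Deploy-SqlMi-minTLS: `minimumTlsVersion` is tested with `notEquals`, so assigning `TLS1_1` makes every account already on `TLS1_2` non-compliant and the remediation downgrades it. `"less": "[parameters('minimumTlsVersion')]"` in the `anyOf` and `"greaterOrEquals": "[parameters('minimumTlsVersion')]"` in the `existenceCondition` express a floor, since `TLS1_0`/`TLS1_1`/`TLS1_2` sort in the right order as strings. The remediation template PUTs `Microsoft.Storage/storageAccounts` with only `properties` and no `sku`/`kind`; if the storage resource provider requires those on a PUT to an existing account the remediation would fail, so an actual remediation task against an existing account belongs in the testing evidence.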
@@ -0,0 +1,309 @@ +{ + "name": "Deploy-VNET-HubSpoke", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Virtual Network with peering to the hub", + "description": "This policy deploys virtual network and peer to the hub", + "metadata": { + "version": "1.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vNetName": { + "type": "String", + "metadata": { + "displayName": "vNetName", + "description": "Name of the landing zone vNet" + } + }, + "vNetRgName": { + "type": "String", + "metadata": { + "displayName": "vNetRgName", + "description": "Name of the landing zone vNet RG" + } + }, + "vNetLocation": { + "type": "String", + "metadata": { + "displayName": "vNetLocation", + "description": "Location for the vNet" + } + }, + "vNetCidrRange": { + "type": "String", + "metadata": { + "displayName": "vNetCidrRange", + "description": "CIDR Range for the vNet" + } + }, + "hubResourceId": { + "type": "String", + "metadata": { + "displayName": "hubResourceId", + "description": "Resource ID for the HUB vNet" + } + }, + "dnsServers": { + "type": "Array", + "metadata": { + "displayName": "DNSServers", + "description": "Default domain servers for the vNET." 
+ }, + "defaultValue": [] + }, + "vNetPeerUseRemoteGateway": { + "type": "Boolean", + "metadata": { + "displayName": "vNetPeerUseRemoteGateway", + "description": "Enable gateway transit for the LZ network" + }, + "defaultValue": false + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/virtualNetworks", + "name": "[parameters('vNetName')]", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "ResourceGroupName": "[parameters('vNetRgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "name", + "like": "[parameters('vNetName')]" + }, + { + "field": "location", + "equals": "[parameters('vNetLocation')]" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "vNetRgName": { + "value": "[parameters('vNetRgName')]" + }, + "vNetName": { + "value": "[parameters('vNetName')]" + }, + "vNetLocation": { + "value": "[parameters('vNetLocation')]" + }, + "vNetCidrRange": { + "value": "[parameters('vNetCidrRange')]" + }, + "hubResourceId": { + "value": "[parameters('hubResourceId')]" + }, + "dnsServers": { + "value": "[parameters('dnsServers')]" + }, + "vNetPeerUseRemoteGateway": { + "value": "[parameters('vNetPeerUseRemoteGateway')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "vNetRgName": { + "type": "String" + }, + "vNetName": { + "type": "String" + }, + "vNetLocation": { + "type": "String" + }, + "vNetCidrRange": { + "type": "String" + }, + "vNetPeerUseRemoteGateway": { + "type": "bool", + "defaultValue": false + }, + "hubResourceId": { + "type": 
"String" + }, + "dnsServers": { + "type": "Array", + "defaultValue": [] + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2021-04-01", + "name": "[parameters('vNetRgName')]", + "location": "[parameters('vNetLocation')]", + "properties": {} + } + ], + "outputs": {} + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "dependsOn": [ + "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-02-01", + "name": "[parameters('vNetName')]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vNetCidrRange')]" + ] + }, + "dhcpOptions": { + "dnsServers": "[parameters('dnsServers')]" + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "apiVersion": "2021-02-01", + "name": "[concat(parameters('vNetName'), '/peerToHub')]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + 
"properties": { + "remoteVirtualNetwork": { + "id": "[parameters('hubResourceId')]" + }, + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": false, + "useRemoteGateways": "[parameters('vNetPeerUseRemoteGateway')]" + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "subscriptionId": "[split(parameters('hubResourceId'),'/')[2]]", + "resourceGroup": "[split(parameters('hubResourceId'),'/')[4]]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "remoteVirtualNetwork": { + "type": "String", + "defaultValue": false + }, + "hubName": { + "type": "String", + "defaultValue": false + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]", + "apiVersion": "2021-02-01", + "properties": { + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": true, + "useRemoteGateways": false, + "remoteVirtualNetwork": { + "id": "[[parameters('remoteVirtualNetwork')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "remoteVirtualNetwork": { + "value": "[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]" + }, + "hubName": { + "value": "[split(parameters('hubResourceId'),'/')[8]]" + } + } + } + } + ], + "outputs": {} + } + }, + "resourceGroup": "[parameters('vNetRgName')]" + } + ], + "outputs": {} + } + } + } + } + } + } + } +} 
\ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json new file mode 100644 index 00000000..c79b58d2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json 
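Review bot: `deployment.location` is hard-coded to `northeurope` for the subscription-scope deployment, while `alzCloudEnvironments` advertises AzureChinaCloud and AzureUSGovernment, neither of which has that region, so remediation deployments there should be rejected before the template runs; `"location": "[parameters('vNetLocation')]"` would follow the assignment if the policy engine accepts an expression in that slot, otherwise the value has to be set per cloud. The inner hub-peering template declares `remoteVirtualNetwork` and `hubName` as `String` with `"defaultValue": false`; both values are always supplied, so the defaults are dead and dropping them avoids a type mismatch at validation. The hub-side peering is deployed into `split(parameters('hubResourceId'),'/')[2]` / `[4]`, a different subscription and resource group from the assignment scope, so the assignment's managed identity must separately hold a role there — the Contributor entry in `roleDefinitionIds` is granted only at the assignment scope — and the description should say so.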
@@ -0,0 +1,196 @@ +{ + "name": "Deploy-Vm-autoShutdown", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Virtual Machine Auto Shutdown Schedule", + "description": "Deploys an auto shutdown schedule to a virtual machine", + "metadata": { + "version": "1.0.0", + "category": "Compute", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "time": { + "type": "String", + "metadata": { + "displayName": "Scheduled Shutdown Time", + "description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM" + }, + "defaultValue": "0000" + }, + "timeZoneId": { + "type": "string", + "defaultValue": "UTC", + "metadata": { + "displayName": "Time zone", + "description": "The time zone ID (e.g. Pacific Standard time)." + } + }, + "EnableNotification": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "displayName": "Send Notification before auto-shutdown", + "description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)." + }, + "allowedValues": [ + "Disabled", + "Enabled" + ] + }, + "NotificationEmailRecipient": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "Email Address", + "description": "Email address to be used for notification" + } + }, + "NotificationWebhookUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "Webhook URL", + "description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen." 
+ } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.DevTestLab/schedules", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DevTestLab/schedules/taskType", + "equals": "ComputeVmShutdownTask" + }, + { + "field": "Microsoft.DevTestLab/schedules/targetResourceId", + "equals": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "time": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM" + } + }, + "timeZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The time zone ID (e.g. Pacific Standard time)." + } + }, + "EnableNotification": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)." + } + }, + "NotificationEmailRecipient": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to be used for notification" + } + }, + "NotificationWebhookUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen." 
+ } + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat('shutdown-computevm-',parameters('vmName'))]", + "type": "Microsoft.DevTestLab/schedules", + "location": "[parameters('location')]", + "apiVersion": "2018-09-15", + "properties": { + "status": "Enabled", + "taskType": "ComputeVmShutdownTask", + "dailyRecurrence": { + "time": "[parameters('time')]" + }, + "timeZoneId": "[parameters('timeZoneId')]", + "notificationSettings": { + "status": "[parameters('EnableNotification')]", + "timeInMinutes": 30, + "webhookUrl": "[parameters('NotificationWebhookUrl')]", + "emailRecipient": "[parameters('NotificationEmailRecipient')]", + "notificationLocale": "en" + }, + "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + } + } + ], + "outputs": {} + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "time": { + "value": "[parameters('time')]" + }, + "timeZoneId": { + "value": "[parameters('timeZoneId')]" + }, + "EnableNotification": { + "value": "[parameters('EnableNotification')]" + }, + "NotificationEmailRecipient": { + "value": "[parameters('NotificationEmailRecipient')]" + }, + "NotificationWebhookUrl": { + "value": "[parameters('NotificationWebhookUrl')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json new file mode 100644 index 00000000..6e7244f0 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json 
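Review bot: `"effect": "deployIfNotExists"` is hard-coded and there is no `effect` parameter, so unlike the other definitions in this change (`Deploy-SqlMi-minTLS`, `Deploy-Storage-sslEnforcement`) this policy cannot be assigned as `Disabled` or switched off per scope without a separate definition. Adding the same parameter and referencing it from `then.effect` keeps the definitions consistent. Separately, `NotificationWebhookUrl` lands in the assignment's parameter values in clear text; if the webhook carries an embedded signature or token, as Logic App or Automation webhooks commonly do, the parameter description should warn that anyone with read access to the assignment can see it.
```json
"parameters": {
  "effect": {
    "type": "String",
    "defaultValue": "DeployIfNotExists",
    "allowedValues": [
      "DeployIfNotExists",
      "Disabled"
    ],
    "metadata": {
      "displayName": "Effect",
      "description": "Enable or disable the execution of the policy"
    }
  },
  // … unchanged: time, timeZoneId, EnableNotification, NotificationEmailRecipient, NotificationWebhookUrl …
},
"policyRule": {
  // … unchanged: if …
  "then": {
    "effect": "[parameters('effect')]",
    // … unchanged: details …
  }
}
```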
@@ -0,0 +1,261 @@ +{ + "name": "Deploy-Windows-DomainJoin", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Windows Domain Join Extension with keyvault configuration", + "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", + "metadata": { + "version": "1.0.0", + "category": "Guest Configuration", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "domainUsername": { + "type": "String", + "metadata": { + "displayName": "domainUsername" + } + }, + "domainPassword": { + "type": "String", + "metadata": { + "displayName": "domainPassword" + } + }, + "domainFQDN": { + "type": "String", + "metadata": { + "displayName": "domainFQDN" + } + }, + "domainOUPath": { + "type": "String", + "metadata": { + "displayName": "domainOUPath" + } + }, + "keyVaultResourceId": { + "type": "String", + "metadata": { + "displayName": "keyVaultResourceId" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "2008-R2-SP1", + "2008-R2-SP1-smalldisk", + "2008-R2-SP1-zhcn", + "2012-Datacenter", + "2012-datacenter-gensecond", + "2012-Datacenter-smalldisk", + "2012-datacenter-smalldisk-g2", + 
"2012-Datacenter-zhcn", + "2012-datacenter-zhcn-g2", + "2012-R2-Datacenter", + "2012-r2-datacenter-gensecond", + "2012-R2-Datacenter-smalldisk", + "2012-r2-datacenter-smalldisk-g2", + "2012-R2-Datacenter-zhcn", + "2012-r2-datacenter-zhcn-g2", + "2016-Datacenter", + "2016-datacenter-gensecond", + "2016-datacenter-gs", + "2016-Datacenter-Server-Core", + "2016-datacenter-server-core-g2", + "2016-Datacenter-Server-Core-smalldisk", + "2016-datacenter-server-core-smalldisk-g2", + "2016-Datacenter-smalldisk", + "2016-datacenter-smalldisk-g2", + "2016-Datacenter-with-Containers", + "2016-datacenter-with-containers-g2", + "2016-Datacenter-with-RDSH", + "2016-Datacenter-zhcn", + "2016-datacenter-zhcn-g2", + "2019-Datacenter", + "2019-Datacenter-Core", + "2019-datacenter-core-g2", + "2019-Datacenter-Core-smalldisk", + "2019-datacenter-core-smalldisk-g2", + "2019-Datacenter-Core-with-Containers", + "2019-datacenter-core-with-containers-g2", + "2019-Datacenter-Core-with-Containers-smalldisk", + "2019-datacenter-core-with-containers-smalldisk-g2", + "2019-datacenter-gensecond", + "2019-datacenter-gs", + "2019-Datacenter-smalldisk", + "2019-datacenter-smalldisk-g2", + "2019-Datacenter-with-Containers", + "2019-datacenter-with-containers-g2", + "2019-Datacenter-with-Containers-smalldisk", + "2019-datacenter-with-containers-smalldisk-g2", + "2019-Datacenter-zhcn", + "2019-datacenter-zhcn-g2", + "Datacenter-Core-1803-with-Containers-smalldisk", + "datacenter-core-1803-with-containers-smalldisk-g2", + "Datacenter-Core-1809-with-Containers-smalldisk", + "datacenter-core-1809-with-containers-smalldisk-g2", + "Datacenter-Core-1903-with-Containers-smalldisk", + "datacenter-core-1903-with-containers-smalldisk-g2", + "datacenter-core-1909-with-containers-smalldisk", + "datacenter-core-1909-with-containers-smalldisk-g1", + "datacenter-core-1909-with-containers-smalldisk-g2" + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "JsonADDomainExtension" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Compute" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "domainUsername": { + "reference": { + "keyVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "secretName": "[parameters('domainUsername')]" + } + }, + "domainPassword": { + "reference": { + "keyVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "secretName": "[parameters('domainPassword')]" + } + }, + "domainOUPath": { + "value": "[parameters('domainOUPath')]" + }, + "domainFQDN": { + "value": "[parameters('domainFQDN')]" + }, + "keyVaultResourceId": { + "value": "[parameters('keyVaultResourceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "String" + }, + "location": { + "type": "String" + }, + "domainUsername": { + "type": "String" + }, + "domainPassword": { + "type": "securestring" + }, + "domainFQDN": { + "type": "String" + }, + "domainOUPath": { + "type": "String" + }, + "keyVaultResourceId": { + "type": "String" + } + }, + "variables": { + "domainJoinOptions": 3, + "vmName": "[parameters('vmName')]" + }, + "resources": [ + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(variables('vmName'),'/joindomain')]", + "location": "[resourceGroup().location]", + "properties": { + "publisher": "Microsoft.Compute", + "type": 
"JsonADDomainExtension", + "typeHandlerVersion": "1.3", + "autoUpgradeMinorVersion": true, + "settings": { + "Name": "[parameters('domainFQDN')]", + "User": "[parameters('domainUserName')]", + "Restart": "true", + "Options": "[variables('domainJoinOptions')]", + "OUPath": "[parameters('domainOUPath')]" + }, + "protectedSettings": { + "Password": "[parameters('domainPassword')]" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json new file mode 100644 index 00000000..0b8a02ac --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json 
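Review bot: The extension resource is placed with `"location": "[resourceGroup().location]"` although the inner template declares a `location` parameter that the policy fills from `field('location')`; a VM whose region differs from its resource group's would get a remediation deployment that cannot succeed, so the resource should use `"location": "[parameters('location')]"`. Separately, the `domainUsername` and `domainPassword` policy parameters hold Key Vault secret names rather than the credentials themselves, yet their metadata carries only a displayName equal to the parameter name; a description such as `"Name of the Key Vault secret that holds the domain-join account's username"` (and the same for the password) would stop an assignor pasting the credential itself into the assignment. The Key Vault reference inside the nested deployment also depends on the vault being enabled for template deployment and on the assignment's managed identity holding Microsoft.KeyVault/vaults/deploy/action on that vault, which the single role listed in `roleDefinitionIds` (Virtual Machine Contributor, as far as I can tell) does not appear to grant; the `keyVaultResourceId` description should spell out both prerequisites or remediation will fail silently at the reference step. Finally, `"Restart": "true"` means every DeployIfNotExists remediation reboots the in-scope running VM, which the policy description should state so operators can plan the rollout.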
@@ -0,0 +1,102 @@
+{
+ "name": "Audit-UnusedResourcesCostOptimization",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Unused resources driving cost should be avoided",
+ "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "Cost Optimization",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effectDisks": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Disks Effect",
+ "description": "Enable or disable the execution of the policy for Microsoft.Compute/disks"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectPublicIpAddresses": {
+ "type": "String",
+ "metadata": {
+ "displayName": "PublicIpAddresses Effect",
+ "description": "Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectServerFarms": {
+ "type": "String",
+ "metadata": {
+ "displayName": "ServerFarms Effect",
+ "description": "Enable or disable the execution of the policy for Microsoft.Web/serverfarms"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "AuditDisksUnusedResourcesCostOptimization",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectDisks')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AuditPublicIpAddressesUnusedResourcesCostOptimization",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectPublicIpAddresses')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AuditServerFarmsUnusedResourcesCostOptimization",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectServerFarms')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AuditAzureHybridBenefitUnusedResourcesCostOptimization",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit",
+ "parameters": {
+ "effect": {
+ "value": "Audit"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json
new file mode 100644
index 00000000..c76abd51
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json
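Review bot: The `AuditAzureHybridBenefitUnusedResourcesCostOptimization` member hard-codes `"value": "Audit"` while the other three members expose an initiative-level effect parameter, so an assignment cannot switch that one policy off without dropping the whole initiative; the same fixed value is repeated in the `.parameters.json` hunk that follows. Adding an `effectAzureHybridBenefit` parameter in the same shape as `effectServerFarms` and referencing it with `"value": "[[parameters('effectAzureHybridBenefit')]"` in both files keeps the members consistent, assuming the referenced `Audit-AzureHybridBenefit` definition accepts `Disabled` (I cannot see it from here). The `[[` escape is presumably there because an outer Bicep template substitutes `${varTargetManagementGroupResourceId}` and would otherwise evaluate the expression; a one-line note in the initiative description that the four referenced custom definitions must already exist at the target management group would save the first deployment from failing on the name-only reference.
```json
"effectAzureHybridBenefit": {
  "type": "String",
  "metadata": {
    "displayName": "AzureHybridBenefit Effect",
    "description": "Enable or disable the execution of the policy Audit-AzureHybridBenefit"
  },
  "allowedValues": [
    "Audit",
    "Disabled"
  ],
  "defaultValue": "Audit"
},
// … unchanged: effectDisks, effectPublicIpAddresses, effectServerFarms and the first three policyDefinitions …
"value": "[[parameters('effectAzureHybridBenefit')]"
```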
@@ -0,0 +1,30 @@
+{
+ "AuditAzureHybridBenefitUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "Audit"
+ }
+ }
+ },
+ "AuditDisksUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectDisks')]"
+ }
+ }
+ },
+ "AuditPublicIpAddressesUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectPublicIpAddresses')]"
+ }
+ }
+ },
+ "AuditServerFarmsUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectServerFarms')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json
new file mode 100644
index 00000000..c97e68d4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json
@@ -0,0 +1,483 @@ +{ + "name": "Deny-PublicPaaSEndpoints", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Public network access should be disabled for PaaS services", + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", + "metadata": { + "version": "3.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "CosmosPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for CosmosDB", + "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "KeyVaultPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for KeyVault", + "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "SqlServerPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure SQL Database should be disabled", + "description": "This policy denies creation of Sql servers with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "StoragePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access onStorage accounts should be disabled", + "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + 
], + "defaultValue": "Deny" + }, + "AKSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on AKS API should be disabled", + "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ACRPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure Container Registry disabled", + "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AFSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure File Sync disabled", + "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "PostgreSQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for PostgreSql Flexible Server", + "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MySQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for MySQL Flexible Server", + "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "BatchPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Batch Instances", + "description": "This policy denies creation 
of Azure Batch Instances with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MariaDbPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure MariaDB", + "description": "This policy denies creation of Azure MariaDB with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MlPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Machine Learning", + "description": "This policy denies creation of Azure Machine Learning with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "RedisCachePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Cache for Redis", + "description": "This policy denies creation of Azure Cache for Redis with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "BotServicePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Bot Service", + "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AutomationPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Automation accounts", + "description": "This policy denies creation of Automation accounts with exposed public endpoints. 
Bots should be seet to 'isolated only' mode" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AppConfigPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Configuration", + "description": "This policy denies creation of App Configuration with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "FunctionPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Function apps", + "description": "This policy denies creation of Function apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Service Environment apps", + "description": "This policy denies creation of App Service Environment apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Service apps", + "description": "This policy denies creation of App Service apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ApiManPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for API Management services", + "description": "This policy denies creation of API Management services with exposed public endpoints" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "parameters": { + "effect": { + "value": "[[parameters('CosmosPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b", + "parameters": { + "effect": { + "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693", + "parameters": { + "effect": { + "value": "[[parameters('StoragePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "parameters": { + "effect": { + "value": "[[parameters('AKSPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "parameters": { + "effect": { + "value": "[[parameters('ACRPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "parameters": { + "effect": { + "value": "[[parameters('AFSPublicIpDenyEffect')]" + } 
+ }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "parameters": { + "effect": { + "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BatchDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "parameters": { + "effect": { + "value": "[[parameters('BatchPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MariaDbDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "parameters": { + "effect": { + "value": "[[parameters('MariaDbPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MlDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "parameters": { + "effect": { + "value": "[[parameters('MlPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisCacheDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663", + "parameters": { + "effect": { + "value": "[[parameters('RedisCachePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BotServiceDenyPublicIP", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d", + "parameters": { + "effect": { + "value": "[[parameters('BotServicePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AutomationDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", + "parameters": { + "effect": { + "value": "[[parameters('AutomationPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppConfigDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187", + "parameters": { + "effect": { + "value": "[[parameters('AppConfigPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", + "parameters": { + "effect": { + "value": "[[parameters('FunctionPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AseDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", + "parameters": { + "effect": { + "value": "[[parameters('AsePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AsDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", + "parameters": { + "effect": { + "value": "[[parameters('AsPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ApiManDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", + "parameters": { + "effect": { + "value": "[[parameters('ApiManPublicIpDenyEffect')]" + } + }, + "groupNames": [] + } + 
], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json new file mode 100644 index 00000000..46e51dd7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json 
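Review bot: The `AutomationPublicIpDenyEffect` description ends with `Bots should be seet to 'isolated only' mode`, a sentence carried over from the Bot Service parameter that is wrong for Automation accounts and will be shown verbatim in the portal; it should read `"This policy denies creation of Automation accounts with exposed public endpoints"`. The same parameters block has further wording defects that reach assignors as-is: `onStorage` (missing space) in the Storage displayName, `with out public network access is disabled` in the Cosmos description, `Registires` in the ACR description and `seet` in the Bot Service one. `ApiManPublicIpDenyEffect` only allows `AuditIfNotExists`/`Disabled`, so API Management is audited rather than denied by an initiative whose name and description promise prevention; a clause in the initiative description such as `API Management services are audited only (AuditIfNotExists), as the referenced built-in does not support Deny` would stop readers assuming full preventive coverage. The `.parameters.json` hunk that follows only maps the effects and needs no change for any of these.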
@@ -0,0 +1,142 @@
+{
+ "ACRDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AFSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AFSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AKSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "ApiManDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ApiManPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AppConfigDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppConfigPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AsDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AsPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AseDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AsePublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AutomationDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AutomationPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "BatchDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BatchPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "BotServiceDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BotServicePublicIpDenyEffect')]"
+ }
+ }
+ },
+ "CosmosDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "FunctionDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "KeyVaultDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MariaDbDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MariaDbPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MlDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MlPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MySQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "PostgreSQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "RedisCacheDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisCachePublicIpDenyEffect')]"
+ }
+ }
+ },
+ "SqlServerDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "StorageDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StoragePublicIpDenyEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json
new file mode 100644
index 00000000..4a121b9c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json
@@ -0,0 +1,1970 @@
+{
+ "name": "Deploy-Diagnostics-LogAnalytics",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deploy Diagnostic Settings to Azure Services",
+ "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ",
+ "metadata": {
+ "version": "2.2.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "metadata": {
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "displayName": "Log Analytics workspace",
+ "strongType": "omsWorkspace"
+ },
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "ACILogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled." 
+ } + }, + "ACRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled." + } + }, + "AKSLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled." + } + }, + "AnalysisServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIforFHIRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIMgmtLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIMgmtLogAnalyticsDestinationType": { + "type": "String", + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "metadata": { + "displayName": "Destination table for the Diagnostic Setting for API Management to Log Analytics workspace", + "description": "Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. 
Default value is 'AzureDiagnostics'" + } + }, + "ApplicationGatewayLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AutomationLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BastionLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BatchLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Batch to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CDNEndpointsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CognitiveServicesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CosmosLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DatabricksLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataExplorerClusterLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataFactoryLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeStoreLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeAnalyticsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridSubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventHubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventSystemTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ExpressRouteLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FirewallLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FirewallLogAnalyticsDestinationType": { + "type": "String", + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "metadata": { + "displayName": "Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace", + "description": "Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'" + } + }, + "FrontDoorLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FunctionAppLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "HDInsightLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "IotHubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "KeyVaultLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LoadBalancerLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LogAnalyticsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled" + } + }, + "LogicAppsISELogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LogicAppsWFLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MariaDBLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MediaServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MlWorkspaceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MySQLLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkSecurityGroupsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkNICLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "PostgreSQLLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "PowerBIEmbeddedLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkPublicIPNicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "RedisCacheLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "RelayLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SearchServicesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ServiceBusLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SignalRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLDBsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLElasticPoolsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLMLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "StreamAnalyticsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "TimeSeriesInsightsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "TrafficManagerLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VirtualNetworkLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VirtualMachinesLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VMSSLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VNetGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled."
+ }
+ },
+ "AppServiceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "AppServiceWebappLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "AVDScalingPlansLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "WVDAppGroupsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "WVDWorkspaceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "WVDHostPoolsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "StorageAccountsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VWanS2SVPNGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "StorageAccountDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ACILogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ACRLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AKSLogAnalyticsEffect')]"
+ },
+ "diagnosticsSettingNameToUse": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "logAnalyticsDestinationType": {
+ "value": "[[parameters('APIMgmtLogAnalyticsDestinationType')]"
+ },
+ "effect": {
+ "value": "[[parameters('APIMgmtLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AutomationLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BastionDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BastionLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BatchLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('CosmosLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('DatabricksLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('DataFactoryLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('EventGridSubLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "EventHubDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('EventHubLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "logAnalyticsDestinationType": {
+ "value": "[[parameters('FirewallLogAnalyticsDestinationType')]"
+ },
+ "effect": {
+ "value": "[[parameters('FirewallLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('FrontDoorLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('FunctionAppLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('HDInsightLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "IotHubDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('IotHubLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('KeyVaultLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "LogAnalyticsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('LogAnalyticsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('MariaDBLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('MediaServiceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('MySQLLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('NetworkNICLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "True"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('RedisCacheLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('RelayLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SearchServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('SearchServicesLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ServiceBusLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('SignalRLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('SQLDBsLogAnalyticsEffect')]"
+ },
+ "diagnosticsSettingNameToUse": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('SQLMLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json new file mode 100644 index 00000000..86f6c96f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json 
@@ -0,0 +1,918 @@ +{ + "ACIDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACILogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ACRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AKSDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AKSLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "APIforFHIRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "APIMgmtDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[[parameters('APIMgmtLogAnalyticsDestinationType')]" + }, + "effect": { + "value": "[[parameters('APIMgmtLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AutomationDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AutomationLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BastionDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BastionLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BatchDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BatchLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + 
"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CosmosDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DatabricksDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataFactoryDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": 
"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridSubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ExpressRouteDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FirewallDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[[parameters('FirewallLogAnalyticsDestinationType')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FrontDoorDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FunctionAppDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "HDInsightDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "IotHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "KeyVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LoadBalancerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MariaDBDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MediaServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MySQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + 
"value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkNICDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "True" + } + } + }, + "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PostgreSQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RedisCacheDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { 
+ "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RedisCacheLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RelayDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RelayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SearchServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ServiceBusDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SignalRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + 
"SQLMDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { 
+ "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TrafficManagerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VMSSDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VNetGWDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json new file mode 100644 index 00000000..b3c58776 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json 
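Review bot: `RecoveryVaultDeployDiagnosticLogDeployLogAnalytics` is the only entry in this parameters file (and in the matching `policyDefinitions` entry of the set definition earlier on this page) that carries no `effect` parameter, so that diagnostic-setting deployment cannot be disabled per assignment the way every other reference can; if the referenced built-in definition does expose an effect parameter, add `"effect": { "value": "[[parameters('RecoveryVaultLogAnalyticsEffect')]" }` here and the corresponding parameter in the set definition (name constructed to follow the existing pattern), otherwise the omission deserves a line in the module's README, since JSON cannot carry the explanation. This file duplicates, key for key, the `parameters` block of each `policyDefinitions` entry in `policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json`, including the non-uniform parameter names (`diagnosticsSettingNameToUse` for AKS and SQLDatabase, `metricsEnabled` for NetworkPublicIPNic, the single `StorageAccountsLogAnalyticsEffect` shared by the five storage entries), and nothing visible keeps the two copies aligned; depending on how the loader merges them, a drift either fails the deployment or, worse, leaves one resource type with no diagnostic setting and therefore no resource logs in the workspace, which is a detection gap rather than a visible error. A small CI check that every `policyDefinitionReferenceId` in the set definition has a same-named key here with an identical set of parameter names would close that. The `WVDAppGroupDeployDiagnosticLogDeployLogAnalytics` key maps to `WVDAppGroupsLogAnalyticsEffect` (plural), breaking the naming pattern of the other entries; it may be intentional, but it is worth verifying against the set definition's `parameters` section, which is outside this hunk.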
@@ -0,0 +1,441 @@
+{
+ "name": "Deploy-MDFC-Config",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "description": "Deploy Microsoft Defender for Cloud configuration",
+ "metadata": {
+ "version": "5.0.1",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "emailSecurityContact": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Security contacts email address",
+ "description": "Provide email address for Microsoft Defender for Cloud contact details"
+ }
+ },
+ "minimalSeverity": {
+ "type": "string",
+ "allowedValues": [
+ "High",
+ "Medium",
+ "Low"
+ ],
+ "defaultValue": "High",
+ "metadata": {
+ "displayName": "Minimal severity",
+ "description": "Defines the minimal alert severity which will be sent as email notifications"
+ }
+ },
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Primary Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "ascExportResourceGroupName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Group name for the export to Log Analytics workspace configuration",
+ "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured."
+ }
+ },
+ "ascExportResourceGroupLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Group location for the export to Log Analytics workspace configuration",
+ "description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
+ }
+ },
+ "enableAscForCosmosDbs": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForSql": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForSqlOnVm": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForDns": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForArm": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForOssDb": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForAppServices": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForKeyVault": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForStorage": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForContainers": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForServers": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForServersVulnerabilityAssessments": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "vulnerabilityAssessmentProvider": {
+ "type": "String",
+ "allowedValues": [
+ "default",
+ "mdeTvm"
+ ],
+ "defaultValue": "default",
+ "metadata": {
+ "displayName": "Vulnerability assessment provider type",
+ "description": "Select the vulnerability assessment solution to provision to machines."
+ }
+ },
+ "enableAscForApis": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "enableAscForCspm": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "defenderForOssDb",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForOssDb')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForVM",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForServers')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]"
+ },
+ "vaType": {
+ "value": "[[parameters('vulnerabilityAssessmentProvider')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForSqlOnVm')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForAppServices",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForAppServices')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForStorageAccounts",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForStorage')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderforContainers",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderforKubernetes",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azurePolicyForKubernetes",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForKeyVaults",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForKeyVault')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForDns",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForDns')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForArm",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForArm')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForSqlPaas",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForSql')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForCosmosDbs",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForCosmosDbs')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForApis",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForApis')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "defenderForCspm",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForCspm')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "securityEmailContact",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "[[parameters('emailSecurityContact')]"
+ },
+ "minimalSeverity": {
+ "value": "[[parameters('minimalSeverity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ascExport",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9",
+ "parameters": {
+ "resourceGroupName": {
+ "value": "[[parameters('ascExportResourceGroupName')]"
+ },
+ "resourceGroupLocation": {
+ "value": "[[parameters('ascExportResourceGroupLocation')]"
+ },
+ "workspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json
new file mode 100644
index 00000000..b8720858
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json
@@ -0,0 +1,143 @@
+{
+ "ascExport": {
+ "parameters": {
+ "resourceGroupName": {
+ "value": "[[parameters('ascExportResourceGroupName')]"
+ },
+ "resourceGroupLocation": {
+ "value": "[[parameters('ascExportResourceGroupLocation')]"
+ },
+ "workspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ }
+ },
+ "azurePolicyForKubernetes": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ }
+ }
+ },
+ "defenderForApis": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForApis')]"
+ }
+ }
+ },
+ "defenderForAppServices": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForAppServices')]"
+ }
+ }
+ },
+ "defenderForArm": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForArm')]"
+ }
+ }
+ },
+ "defenderforContainers": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ }
+ }
+ },
+ "defenderForCosmosDbs": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForCosmosDbs')]"
+ }
+ }
+ },
+ "defenderForCspm": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForCspm')]"
+ }
+ }
+ },
+ "defenderForDns": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForDns')]"
+ }
+ }
+ },
+ "defenderForKeyVaults": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForKeyVault')]"
+ }
+ }
+ },
+ "defenderforKubernetes": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ }
+ },
+ "defenderForOssDb": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForOssDb')]"
+ }
+ }
+ },
+ "defenderForSqlPaas": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForSql')]"
+ }
+ }
+ },
+ "defenderForSqlServerVirtualMachines": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForSqlOnVm')]"
+ }
+ }
+ },
+ "defenderForStorageAccounts": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForStorage')]"
+ }
+ }
+ },
+ "defenderForVM": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForServers')]"
+ }
+ }
+ },
+ "defenderForVMVulnerabilityAssessment": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]"
+ },
+ "vaType": {
+ "value": "[[parameters('vulnerabilityAssessmentProvider')]"
+ }
+ }
+ },
+ "securityEmailContact": {
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "[[parameters('emailSecurityContact')]"
+ },
+ "minimalSeverity": {
+ "value": "[[parameters('minimalSeverity')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json
new file mode 100644
index 00000000..d6cffb10
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json
@@ -0,0 +1,1182 @@ +{ + "name": "Deploy-Private-DNS-Zones", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "metadata": { + "version": "1.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "azureFilePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAutomationWebhookPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAutomationWebhookPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAutomationDSCHybridPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAutomationDSCHybridPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosSQLPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosSQLPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosMongoPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosMongoPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosCassandraPrivateDnsZoneId": { + 
"type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosCassandraPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosGremlinPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosGremlinPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosTablePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDataFactoryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDataFactoryPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDataFactoryPortalPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDataFactoryPortalPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureHDInsightPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureHDInsightPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMigratePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMigratePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageBlobPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + 
"description": "Private DNS Zone Identifier" + } + }, + "azureStorageBlobSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageBlobSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageQueuePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageQueueSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageQueueSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageFilePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageStaticWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageStaticWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageStaticWebSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageStaticWebSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageDFSPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageDFSPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageDFSSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + 
"metadata": { + "displayName": "azureStorageDFSSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseSQLPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseSQLPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseSQLODPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseSQLODPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseDevPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseDevPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMediaServicesKeyPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMediaServicesKeyPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMediaServicesLivePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMediaServicesLivePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMediaServicesStreamPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMediaServicesStreamPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId1": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId1", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private 
DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId2": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId2", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId3": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId3", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId4": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId4", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId5": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId5", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureBatchPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureBatchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAppPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAsrPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAsrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS 
Zone Identifier" + } + }, + "azureIotPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureIotPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureKeyVaultPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureKeyVaultPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSignalRPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSignalRPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAppServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureEventGridTopicsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDiskAccessPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDiskAccessPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCognitiveServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotHubsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureIotHubsPrivateDnsZoneId", + "strongType": 
"Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridDomainsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureEventGridDomainsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureRedisCachePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureRedisCachePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAcrPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAcrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureEventHubNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureServiceBusNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCognitiveSearchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "effect": { + "type": 
"string",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "effect1": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "deployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "deployIfNotExists"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-File-Sync",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureFileprivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-Webhook",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAutomationWebhookPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Webhook"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-DSCHybrid",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "DSCAndHybridWorker"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-SQL",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosSQLPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "SQL"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-MongoDB",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosMongoPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "MongoDB"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Cassandra",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosCassandraPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Cassandra"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Gremlin",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosGremlinPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Gremlin"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Table",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosTablePrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Table"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureDataFactoryPrivateDnsZoneId')]"
+ },
+ "listOfGroupIds": {
+ "value": [
+ "dataFactory"
+ ]
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory-Portal",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]"
+ },
+ "listOfGroupIds": {
+ "value": [
+ "portal"
+ ]
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureHDInsightPrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "cluster"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Migrate",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMigratePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageBlobPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob-Sec",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageBlobSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageQueuePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue-Sec",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageQueueSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-File",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageFilePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageStaticWebPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageDFSPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS-Sec",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageDFSSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSynapseSQLPrivateDnsZoneId')]"
+ },
+ "targetSubResource": {
+ "value": "Sql"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSynapseSQLODPrivateDnsZoneId')]"
+ },
+ "targetSubResource": {
+ "value": "SqlOnDemand"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-Dev",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSynapseDevPrivateDnsZoneId')]"
+ },
+ "targetSubResource": {
+ "value": "Dev"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Key",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "keydelivery"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Live",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMediaServicesLivePrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "liveevent"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Stream",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "streamingendpoint"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Monitor",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365",
+ "parameters": {
+ "privateDnsZoneId1": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId1')]"
+ },
+ "privateDnsZoneId2": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId2')]"
+ },
+ "privateDnsZoneId3": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId3')]"
+ },
+ "privateDnsZoneId4": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId4')]"
+ },
+ "privateDnsZoneId5": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId5')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureWebPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureBatchPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAppPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAsrPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSignalRPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect1')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect1')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect1')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAcrPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009",
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json
new file mode 100644
index 00000000..4a5f6533
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json
@@ -0,0 +1,536 @@
+{
+ "DINE-Private-DNS-Azure-ACR": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAcrPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-App": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAppPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-AppServices": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Automation-DSCHybrid": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "DSCAndHybridWorker"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Automation-Webhook": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAutomationWebhookPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Webhook"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Batch": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureBatchPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-CognitiveSearch": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-CognitiveServices": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Cosmos-Cassandra": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosCassandraPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Cassandra"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Cosmos-Gremlin": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosGremlinPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Gremlin"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Cosmos-MongoDB": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosMongoPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "MongoDB"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Cosmos-SQL": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosSQLPrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "SQL"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Cosmos-Table": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureCosmosTablePrivateDnsZoneId')]"
+ },
+ "privateEndpointGroupId": {
+ "value": "Table"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-DataFactory": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureDataFactoryPrivateDnsZoneId')]"
+ },
+ "listOfGroupIds": {
+ "value": [
+ "dataFactory"
+ ]
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-DataFactory-Portal": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]"
+ },
+ "listOfGroupIds": {
+ "value": [
+ "portal"
+ ]
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-DiskAccess": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-EventGridDomains": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect1')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-EventGridTopics": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect1')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-EventHubNamespace": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-File-Sync": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureFileprivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-HDInsight": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureHDInsightPrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "cluster"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-IoT": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-IoTHubs": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect1')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-KeyVault": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-MachineLearningWorkspace": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-MediaServices-Key": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "keydelivery"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-MediaServices-Live": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMediaServicesLivePrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "liveevent"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-MediaServices-Stream": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]"
+ },
+ "groupId": {
+ "value": "streamingendpoint"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Migrate": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureMigratePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Monitor": {
+ "parameters": {
+ "privateDnsZoneId1": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId1')]"
+ },
+ "privateDnsZoneId2": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId2')]"
+ },
+ "privateDnsZoneId3": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId3')]"
+ },
+ "privateDnsZoneId4": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId4')]"
+ },
+ "privateDnsZoneId5": {
+ "value": "[[parameters('azureMonitorPrivateDnsZoneId5')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-RedisCache": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-ServiceBusNamespace": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-SignalR": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSignalRPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Site-Recovery": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureAsrPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-Blob": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageBlobPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-Blob-Sec": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageBlobSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-DFS": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageDFSPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-DFS-Sec": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageDFSSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-File": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageFilePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-Queue": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageQueuePrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-Queue-Sec": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageQueueSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-StaticWeb": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageStaticWebPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Synapse-Dev": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSynapseDevPrivateDnsZoneId')]"
+ },
+ "targetSubResource": {
+ "value": "Dev"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Synapse-SQL": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSynapseSQLPrivateDnsZoneId')]"
+ },
+ "targetSubResource": {
+ "value": "Sql"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureSynapseSQLODPrivateDnsZoneId')]"
+ },
+ "targetSubResource": {
+ "value": "SqlOnDemand"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ },
+ "DINE-Private-DNS-Azure-Web": {
+ "parameters": {
+ "privateDnsZoneId": {
+ "value": "[[parameters('azureWebPrivateDnsZoneId')]"
+ },
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json
new file mode 100644
index 00000000..5f45bbeb
--- /dev/null
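Review bot: `DINE-Private-DNS-Azure-EventGridDomains`, `DINE-Private-DNS-Azure-EventGridTopics` and `DINE-Private-DNS-Azure-IoTHubs` bind `effect` to `[[parameters('effect1')]` while every other entry in this file uses `effect`, and nothing records why a second effect parameter exists; presumably those three built-ins only accept the lowercase `deployIfNotExists` value that `effect1` declares, and since Policy allowed values are case-sensitive a well-meaning "fix" to the uppercase form would make the assignment fail. A JSON parameters file cannot carry a comment, so the reason belongs in the `effect1` parameter's metadata in the set definition, e.g. `"description": "Effect for the built-in definitions that only accept the lowercase 'deployIfNotExists' value (Event Grid Topics/Domains, IoT Hubs)"`. Separately, `DINE-Private-DNS-Azure-File-Sync` references `azureFileprivateDnsZoneId` with a lowercase `p`, unlike every other `...PrivateDnsZoneId` name here; it matches the name the set definition declares, so it resolves, but renaming it to `azureFilePrivateDnsZoneId` in both files would keep the convention uniform and reduce the chance of a mistyped override.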
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json 
@@ -0,0 +1,134 @@
+{
+ "name": "Deploy-Sql-Security",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deploy SQL Database built-in SQL security configuration",
+ "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "vulnerabilityAssessmentsEmail": {
+ "metadata": {
+ "description": "The email address to send alerts",
+ "displayName": "The email address to send alerts"
+ },
+ "type": "String"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "metadata": {
+ "description": "The storage account ID to store assessments",
+ "displayName": "The storage account ID to store assessments"
+ },
+ "type": "String"
+ },
+ "SqlDbTdeDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database Transparent Data Encryption ",
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment"
+ }
+ },
+ "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+ "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration"
+ }
+ },
+ "SqlDbAuditingSettingsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL database auditing settings",
+ "description": "Deploy auditing settings to SQL Database when it not exist in the deployment"
+ }
+ },
+ "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database vulnerability Assessments",
+ "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "value": "[[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "value": "[[parameters('vulnerabilityAssessmentsStorageID')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json
new file mode 100644
index 00000000..d954e7bc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json
@@ -0,0 +1,36 @@
+{
+ "SqlDbAuditingSettingsDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
+ }
+ }
+ },
+ "SqlDbSecurityAlertPoliciesDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
+ }
+ }
+ },
+ "SqlDbTdeDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
+ }
+ }
+ },
+ "SqlDbVulnerabilityAssessmentsDeploySqlSecurity": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "value": "[[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "value": "[[parameters('vulnerabilityAssessmentsStorageID')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json
new file mode 100644
index 00000000..114aef73
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json
@@ -0,0 +1,92 @@
+{
+ "name": "Enforce-ACSB",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce Azure Compute Security Benchmark compliance auditing",
+ "description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Guest Configuration",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "includeArcMachines": {
+ "type": "String",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "metadata": {
+ "displayName": "Include Arc connected servers",
+ "description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
+ },
+ "defaultValue": "true"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "GcIdentity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "GcLinux",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "GcWindows",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WinAcsb",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "IncludeArcMachines": {
+ "value": "[[parameters('includeArcMachines')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "LinAcsb",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "IncludeArcMachines": {
+ "value": "[[parameters('includeArcMachines')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json
new file mode 100644
index 00000000..748495bb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json
@@ -0,0 +1,31 @@
+{
+ "GcIdentity": {
+ "parameters": {}
+ },
+ "GcLinux": {
+ "parameters": {}
+ },
+ "GcWindows": {
+ "parameters": {}
+ },
+ "LinAcsb": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "IncludeArcMachines": {
+ "value": "[[parameters('includeArcMachines')]"
+ }
+ }
+ },
+ "WinAcsb": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "IncludeArcMachines": {
+ "value": "[[parameters('includeArcMachines')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json
new file mode 100644
index 00000000..73378906
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json
@@ -0,0 +1,51 @@
+{
+ "name": "Enforce-ALZ-Decomm",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce policies in the Decommissioned Landing Zone",
+ "description": "Enforce policies in the Decommissioned Landing Zone.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Decommissioned",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "listOfResourceTypesAllowed": {
+ "type": "Array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Allowed resource types in the Decommissioned landing zone",
+ "description": "Allowed resource types in the Decommissioned landing zone, default is none.",
+ "strongType": "resourceTypes"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "DecomDenyResources",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
+ "parameters": {
+ "listOfResourceTypesAllowed": {
+ "value": "[[parameters('listOfResourceTypesAllowed')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DecomShutdownMachines",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown",
+ "parameters": {},
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
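Review bot: Neither reference in this set exposes an `effect` parameter, so there is no audit-only rollout path: on assignment `DecomDenyResources` with the default empty `listOfResourceTypesAllowed` denies creation of every resource type in scope at once, which matches the stated intent but can only be relaxed by widening the list or removing the assignment. `DecomShutdownMachines` passes `"parameters": {}` to the custom `Deploy-Vm-autoShutdown` definition, so its behaviour rests entirely on defaults declared in that definition, which this hunk does not show; if it declares an effect, surfacing it as a set parameter with a `Disabled` option would let the shutdown be staged separately from the deny. The deny-by-default behaviour deserves a mention in the set itself, e.g. `"description": "Enforce policies in the Decommissioned Landing Zone. With the default empty allow-list every new resource type is denied."`.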
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json
new file mode 100644
index 00000000..567de39f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json
@@ -0,0 +1,12 @@
+{
+ "DecomDenyResources": {
+ "parameters": {
+ "listOfResourceTypesAllowed": {
+ "value": "[[parameters('listOfResourceTypesAllowed')]"
+ }
+ }
+ },
+ "DecomShutdownMachines": {
+ "parameters": {}
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json
new file mode 100644
index 00000000..3ecd32be
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json
@@ -0,0 +1,84 @@
+{
+ "name": "Enforce-ALZ-Sandbox",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce policies in the Sandbox Landing Zone",
+ "description": "Enforce policies in the Sandbox Landing Zone.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Sandbox",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "type": "Array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Not allowed resource types in the Sandbox landing zone",
+ "description": "Not allowed resource types in the Sandbox landing zone, default is none.",
+ "strongType": "resourceTypes"
+ }
+ },
+ "effectNotAllowedResources": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "effectDenyVnetPeering": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "SandboxNotAllowed",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectNotAllowedResources')]"
+ },
+ "listOfResourceTypesNotAllowed": {
+ "value": "[[parameters('listOfResourceTypesNotAllowed')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SandboxDenyVnetPeering",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectDenyVnetPeering')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json
new file mode 100644
index 00000000..b4b75f31
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json
@@ -0,0 +1,19 @@
+{
+ "SandboxDenyVnetPeering": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectDenyVnetPeering')]"
+ }
+ }
+ },
+ "SandboxNotAllowed": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectNotAllowedResources')]"
+ },
+ "listOfResourceTypesNotAllowed": {
+ "value": "[[parameters('listOfResourceTypesNotAllowed')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json
new file mode 100644
index 00000000..0e79140d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json
@@ -0,0 +1,618 @@ +{ + "name": "Enforce-EncryptTransit", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", + "metadata": { + "version": "2.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. 
Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "StorageHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. 
Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", 
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FunctionServiceHttpsEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WebAppServiceHttpsEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSIngressHttpsOnlyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": 
"[[parameters('MySQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisTLSDeployEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisdisableNonSslPort",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisDenyhttps",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ 
}
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLServerTLSEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ 
"value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json
new file mode 100644
index 00000000..7dca4942
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json
@@ -0,0 +1,188 @@
+{
+ "AKSIngressHttpsOnlyEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSIngressHttpsOnlyEffect')]"
+ }
+ }
+ },
+ "APIAppServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceHttpsEffect')]"
+ }
+ }
+ },
+ "AppServiceHttpEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceHttpEffect')]"
+ }
+ }
+ },
+ "AppServiceminTlsVersion": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceTlsVersionEffect')]"
+ },
+ "minTlsVersion": {
+ "value": "[[parameters('AppServiceminTlsVersion')]"
+ }
+ }
+ },
+ "FunctionLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionLatestTlsEffect')]"
+ }
+ }
+ },
+ "FunctionServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionServiceHttpsEffect')]"
+ }
+ }
+ },
+ "MySQLEnableSSLDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "MySQLEnableSSLEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "PostgreSQLEnableSSLDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "PostgreSQLEnableSSLEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "RedisDenyhttps": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ }
+ },
+ "RedisdisableNonSslPort": {
+ 
"parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ }
+ }
+ },
+ "RedisTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLManagedInstanceTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLManagedInstanceTLSEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLServerTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ }
+ },
+ "SQLServerTLSEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ }
+ },
+ "StorageDeployHttpsEnabledEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ }
+ },
+ "StorageHttpsEnabledEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ }
+ },
+ "WebAppServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceHttpsEffect')]"
+ }
+ }
+ },
+ "WebAppServiceLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceLatestTlsEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json
new file mode 100644
index 00000000..de1ef45b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json
@@ -0,0 +1,364 @@
+{
+ "name": "Enforce-Encryption-CMK",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
+ "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "Encryption",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "ACRCmkEffect": {
+ "metadata": {
+ "displayName": "Container registries should be encrypted with a customer-managed key (CMK)",
+ "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "AksCmkEffect": {
+ "metadata": {
+ "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys",
+ "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "WorkspaceCMKEffect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)",
+ "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk."
+ }
+ },
+ "CognitiveServicesCMKEffect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)",
+ "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk."
+ }
+ },
+ "CosmosCMKEffect": {
+ "type": "String",
+ "defaultValue": "audit",
+ "allowedValues": [
+ "audit",
+ "deny",
+ "disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
+ "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk."
+ }
+ },
+ "DataBoxCMKEffect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password",
+ "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key."
+ }
+ },
+ "StreamAnalyticsCMKEffect": {
+ "type": "String",
+ "defaultValue": "audit",
+ "allowedValues": [
+ "audit",
+ "deny",
+ "disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data",
+ "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted."
+ }
+ },
+ "SynapseWorkspaceCMKEffect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest",
+ "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys."
+ }
+ },
+ "StorageCMKEffect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption",
+ "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data."
+ }
+ },
+ "MySQLCMKEffect": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure MySQL servers bring your own key data protection should be enabled",
+ "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
+ }
+ },
+ "PostgreSQLCMKEffect": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled",
+ "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
+ }
+ },
+ "SqlServerTDECMKEffect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "SQL servers should use customer-managed keys to encrypt data at rest",
+ "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement."
+ }
+ },
+ "HealthcareAPIsCMKEffect": {
+ "type": "String",
+ "defaultValue": "audit",
+ "allowedValues": [
+ "audit",
+ "disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest",
+ "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys."
+ }
+ },
+ "AzureBatchCMKEffect": {
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Batch account should use customer-managed keys to encrypt data",
+ "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK."
+ }
+ },
+ "EncryptedVMDisksEffect": {
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Disk encryption should be applied on virtual machines",
+ "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations."
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "ACRCmkDeny",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRCmkEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AksCmkDeny",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AksCmkEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WorkspaceCMK",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WorkspaceCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "CognitiveServicesCMK",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CognitiveServicesCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "CosmosCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DataBoxCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('DataBoxCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7",
+ "parameters": {
+ "effect": {
+ "value": 
"[[parameters('StreamAnalyticsCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SynapseWorkspaceCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlServerTDECMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerTDECMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('HealthcareAPIsCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AzureBatchCMKEffect",
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AzureBatchCMKEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "EncryptedVMDisksEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('EncryptedVMDisksEffect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json
new file mode 100644
index 00000000..343d3d54
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json
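Review bot: The `CognitiveServicesCMKEffect` description closes with `Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.`, the same Cosmos DB link that ends the `CosmosCMKEffect` description directly below it, so the sentence looks copied across and should either be dropped or point at the Cognitive Services CMK documentation. The `StorageCMKEffect` displayName embeds the author's rationale (`no deny as this would result in not able to create storage account because the first need of MSI for encryption`); displayName is the title shown in compliance views, so keep it to `Storage accounts should use customer-managed key (CMK) for encryption` and move the reason Deny is not offered into the description as a full sentence. Separately, `CosmosCMKEffect`, `StreamAnalyticsCMKEffect` and `HealthcareAPIsCMKEffect` accept lowercase `audit`/`deny`/`disabled` while every other parameter uses `Audit`/`Deny`/`Disabled`; this presumably mirrors the allowedValues of the referenced built-in definitions, but since the JSON cannot carry a comment, recording that the casing is intentional in the set's `description` or the repository docs would stop a later normalisation from breaking those assignments. The reference IDs `ACRCmkDeny` and `AksCmkDeny` also read as if the effect were fixed to Deny although both default to `Audit`; naming them like the rest (`ACRCmkEffect`, `AksCmkEffect`) would be clearer, with the matching keys in the companion `.parameters.json` updated in step.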
@@ -0,0 +1,107 @@
+{
+ "ACRCmkDeny": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRCmkEffect')]"
+ }
+ }
+ },
+ "AksCmkDeny": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AksCmkEffect')]"
+ }
+ }
+ },
+ "AzureBatchCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AzureBatchCMKEffect')]"
+ }
+ }
+ },
+ "CognitiveServicesCMK": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CognitiveServicesCMKEffect')]"
+ }
+ }
+ },
+ "CosmosCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosCMKEffect')]"
+ }
+ }
+ },
+ "DataBoxCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('DataBoxCMKEffect')]"
+ }
+ }
+ },
+ "EncryptedVMDisksEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('EncryptedVMDisksEffect')]"
+ }
+ }
+ },
+ "HealthcareAPIsCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('HealthcareAPIsCMKEffect')]"
+ }
+ }
+ },
+ "MySQLCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLCMKEffect')]"
+ }
+ }
+ },
+ "PostgreSQLCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLCMKEffect')]"
+ }
+ }
+ },
+ "SqlServerTDECMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerTDECMKEffect')]"
+ }
+ }
+ },
+ "StorageCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageCMKEffect')]"
+ }
+ }
+ },
+ "StreamAnalyticsCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StreamAnalyticsCMKEffect')]"
+ }
+ }
+ },
+ "SynapseWorkspaceCMKEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SynapseWorkspaceCMKEffect')]"
+ }
+ }
+ },
+ "WorkspaceCMK": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WorkspaceCMKEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json
new file mode 100644
index 00000000..89c3e300
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json
@@ -0,0 +1,257 @@
+{
+ "name": "Enforce-Guardrails-KeyVault",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Azure Key Vault",
+ "description": "Enforce recommended guardrails for Azure Key Vault.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effectKvSoftDelete": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "effectKvPurgeProtection": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "effectKvSecretsExpire": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectKvKeysExpire": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectKvFirewallEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectKvCertLifetime": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "maximumCertLifePercentageLife": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The maximum lifetime percentage",
+ "description": "Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'."
+ },
+ "defaultValue": 80
+ },
+ "minimumCertLifeDaysBeforeExpiry": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The minimum days before expiry",
+ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
+ },
+ "defaultValue": 90
+ },
+ "effectKvKeysLifetime": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "minimumKeysLifeDaysBeforeExpiry": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The minimum days before expiry",
+ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
+ },
+ "defaultValue": 90
+ },
+ "effectKvSecretsLifetime": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "minimumSecretsLifeDaysBeforeExpiry": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The minimum days before expiry",
+ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
+ },
+ "defaultValue": 90
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "KvSoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvSoftDelete')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvPurgeProtection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvPurgeProtection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvSecretsExpire",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvSecretsExpire')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvKeysExpire",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvKeysExpire')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvFirewallEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvFirewallEnabled')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvCertLifetime",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvCertLifetime')]"
+ },
+ "maximumPercentageLife": {
+ "value": "[[parameters('maximumCertLifePercentageLife')]"
+ },
+ "minimumDaysBeforeExpiry": {
+ "value": "[[parameters('minimumCertLifeDaysBeforeExpiry')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvKeysLifetime",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvKeysLifetime')]"
+ },
+ "minimumDaysBeforeExpiration": {
+ "value": "[[parameters('minimumKeysLifeDaysBeforeExpiry')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvSecretsLifetime",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvSecretsLifetime')]"
+ },
+ "minimumDaysBeforeExpiration": {
+ "value": "[[parameters('minimumSecretsLifeDaysBeforeExpiry')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json
new file mode 100644
index 00000000..d57fe555
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json
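Review bot: The `description` of `minimumKeysLifeDaysBeforeExpiry` and of `minimumSecretsLifeDaysBeforeExpiry` still says "certificate", copied from `minimumCertLifeDaysBeforeExpiry`, so assignors will see the wrong object type in the portal for the key and secret lifetime guardrails; change them to `"Enter the days before expiration of the key when you want to trigger the policy action. For example, to trigger a policy action 90 days before the key's expiration, enter '90'."` and the same wording with "secret". `effectKvCertLifetime` also lists lowercase and capitalized duplicates (`"audit"`, `"Audit"`, `"deny"`, `"Deny"`, `"disabled"`, `"Disabled"`) while every other effect parameter in this initiative allows only `"Audit"`, `"Deny"`, `"Disabled"`; unless the built-in 12ef42cb definition needs the lowercase spellings, trimming to the capitalized three keeps the parameter surface consistent. Separately, soft delete and purge protection default to `Deny` while the firewall, key/secret expiry and lifetime guardrails default to `Audit`, so an assignment with defaults still permits publicly reachable vaults and non-expiring keys and secrets; if that split is deliberate, one sentence in the initiative's `description` stating which guardrails are enforced and which are audit-only would make the posture clear to whoever assigns it. The `metadata.alzCloudEnvironments` entry advertises AzureChinaCloud and AzureUSGovernment, which presumably assumes all eight referenced built-in definition IDs exist in those clouds — worth confirming before the initiative is deployed there.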
@@ -0,0 +1,70 @@ +{ + "KvCertLifetime": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvCertLifetime')]" + }, + "maximumPercentageLife": { + "value": "[[parameters('maximumCertLifePercentageLife')]" + }, + "minimumDaysBeforeExpiry": { + "value": "[[parameters('minimumCertLifeDaysBeforeExpiry')]" + } + } + }, + "KvFirewallEnabled": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvFirewallEnabled')]" + } + } + }, + "KvKeysExpire": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysExpire')]" + } + } + }, + "KvKeysLifetime": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumKeysLifeDaysBeforeExpiry')]" + } + } + }, + "KvPurgeProtection": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvPurgeProtection')]" + } + } + }, + "KvSecretsExpire": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsExpire')]" + } + } + }, + "KvSecretsLifetime": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumSecretsLifeDaysBeforeExpiry')]" + } + } + }, + "KvSoftDelete": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvSoftDelete')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep new file mode 100644 index 00000000..9262bc3c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep 
@@ -0,0 +1,1367 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Custom Policy Defitions at Management Group Scope' +metadata description = 'This policy definition is used to deploy custom policy definitions at management group scope' + +@sys.description('The management group scope to which the policy definitions are to be created at.') +param parTargetManagementGroupId string = 'alz' + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) + +// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_definitions\_mc_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. 
+var varCustomPolicyDefinitionsArray = [ + { + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json') + } + { + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json') + } + { + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json') + } + { + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json') + } + { + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json') + } + { + name: 'Deny-AFSPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json') + } + { + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json') + } + { + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json') + } + { + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json') + } + { + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json') + } + { + name: 'Deny-KeyVaultPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json') + } + { + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json') + 
} + { + name: 'Deny-PostgreSql-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json') + } + { + name: 'Deny-Private-DNS-Zones' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json') + } + { + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json') + } + { + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json') + } + { + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json') + } + { + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json') + } + { + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json') + } + { + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json') + } + { + name: 'Deny-Storage-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json') + } + { + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json') + } + { + name: 'Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json') + } + { + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json') + } + { + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json') + } + { + name: 'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json') + } + { + name: 'Deploy-ActivityLogs-to-LA-workspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json') + } + { + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json') + } + { + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json') + } + { + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json') + } + { + name: 'Deploy-Default-Udr' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json') + } + { + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json') + } + { + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json') + } + { + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json') + } + { + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json') + } + { + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json') + } + { + name: 'Deploy-Diagnostics-APIMgmt' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json') + } + { + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json') + } + { + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json') + } + { + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json') + } + { + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json') + } + { + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json') + } + { + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json') + } + { + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json') + } + { + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json') + } + { + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json') + } + { + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json') + } + { + name: 'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json') + } + { + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json') + } + { + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json') + } + { + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json') + } + { + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json') + } + { + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json') + } + { + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json') + } + { + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json') + } + { + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json') + } + { + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json') + } + { + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json') + } + { + name: 'Deploy-Diagnostics-MediaService' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json') + } + { + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json') + } + { + name: 'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json') + } + { + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json') + } + { + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json') + } + { + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json') + } + { + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json') + } + { + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json') + } + { + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json') + } + { + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json') + } + { + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json') + } + { + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json') + } 
+ { + name: 'Deploy-Diagnostics-TimeSeriesInsights' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json') + } + { + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json') + } + { + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json') + } + { + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json') + } + { + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json') + } + { + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json') + } + { + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json') + } + { + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json') + } + { + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json') + } + { + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json') + } + { + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json') + } + { + name: 'Deploy-FirewallPolicy' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json') + } + { + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json') + } + { + name: 'Deploy-MySQLCMKEffect' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json') + } + { + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json') + } + { + name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json') + } + { + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json') + } + { + name: 'Deploy-PostgreSQLCMKEffect' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json') + } + { + name: 'Deploy-Private-DNS-Azure-File-Sync' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json') + } + { + name: 'Deploy-Private-DNS-Azure-KeyVault' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json') + } + { + name: 'Deploy-Private-DNS-Azure-Web' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json') + } + { + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json') + } + { + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json') + } + { + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json') + } + { + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json') + } + { + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json') + } + { + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json') + } + { + name: 'Deploy-VNET-HubSpoke' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json') + } + { + name: 'Deploy-Windows-DomainJoin' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json') + } +] + +// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_set_definitions\_mc_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. 
+var varCustomPolicySetDefinitionsArray = [ + { + name: 'Deny-PublicPaaSEndpoints' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' + definitionParameters: 
varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI'
+ 
definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM'
+ definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools'
+ definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-MDFC-Config'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ascExport'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.ascExport.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForArm'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForArm.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderforContainers'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderforContainers.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForDns'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForDns.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlPaas'
+ definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForSqlPaas.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVM'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForVM.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'securityEmailContact'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.securityEmailContact.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Private-DNS-Zones'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ACR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-App'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters
+ definitionGroups: []
+ 
}
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Batch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters
+ 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoT'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters
+ 
definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Web'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Sql-Security'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
+ definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbTdeDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Encryption-CMK'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACRCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.ACRCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AksCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
+ 
definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AksCmkDeny.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AzureBatchCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CognitiveServicesCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataBoxCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EncryptedVMDisksEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'HealthcareAPIsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLCMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlServerTDECMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StorageCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StreamAnalyticsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SynapseWorkspaceCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WorkspaceCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.WorkspaceCMK.parameters + 
definitionGroups: [] + } + ] + } + { + name: 'Enforce-EncryptTransit' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceLatestTlsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisDenyhttps' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisDenyhttps.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters + definitionGroups: [] + } + ] + } +] + +// Policy Set/Initiative Definition Parameter Variables + +var varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json') + +var varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters = 
loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json') + +var varPolicySetDefinitionEsMcDeployMDFCConfigParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json') + +var varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json') + +var varPolicySetDefinitionEsMcDeploySqlSecurityParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json') + +var varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json') + +var varPolicySetDefinitionEsMcEnforceEncryptTransitParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json') + +// Customer Usage Attribution Id +var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9' + +resource resPolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for policy in varCustomPolicyDefinitionsArray: { + name: policy.libDefinition.name + properties: { + description: policy.libDefinition.properties.description + displayName: policy.libDefinition.properties.displayName + metadata: policy.libDefinition.properties.metadata + mode: policy.libDefinition.properties.mode + parameters: policy.libDefinition.properties.parameters + policyType: policy.libDefinition.properties.policyType + policyRule: policy.libDefinition.properties.policyRule + } +}] + +resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = [for policySet in varCustomPolicySetDefinitionsArray: { + dependsOn: [ + resPolicyDefinitions // Must wait for policy definitons to be deployed before starting the creation of Policy 
Set/Initiative Defininitions + ] + name: policySet.libSetDefinition.name + properties: { + description: policySet.libSetDefinition.properties.description + displayName: policySet.libSetDefinition.properties.displayName + metadata: policySet.libSetDefinition.properties.metadata + parameters: policySet.libSetDefinition.properties.parameters + policyType: policySet.libSetDefinition.properties.policyType + policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: { + policyDefinitionReferenceId: policySetDef.definitionReferenceId + policyDefinitionId: policySetDef.definitionId + parameters: policySetDef.definitionParameters + groupNames: policySetDef.definitionGroups + }] + policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups + } +}] + +module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png new file mode 100644 index 00000000..c0ab41e8 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png new file mode 100644 index 00000000..6c73f386 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png differ diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json new file mode 100644 index 00000000..d30044fc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTargetManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json new file mode 100644 index 00000000..fc892503 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep new file mode 100644 index 00000000..5871760b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep @@ -0,0 +1,24 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'managementGroup' + +// ---------- +// PARAMETERS +// ---------- + +// --------- +// RESOURCES +// --------- + +@description('Baseline resource configuration') +module baseline_policy '../definitions/customPolicyDefinitions.bicep' = { + name: 'minimum policy' + params: { + parTargetManagementGroupId: 'alz' + parTelemetryOptOut: false + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep new file mode 100644 index 00000000..16f91adc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep 
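Review bot: The header comments of `baseline.policy.sample.bicep` read `// Minimum deployment sample` and `deploy the minimum resource configuration`, and the module deployment is named `'minimum policy'`, while the file name and its `@description('Baseline resource configuration')` say baseline, so a reader cannot tell which sample they are looking at. Change the header to `// Baseline deployment sample` and the module to `name: 'baseline policy'`. Module names become nested deployment names; if this project has not already verified that a name containing a space is accepted there, a hyphenated name such as `'baseline-policy'` is the safer choice — confirm against an existing deployment.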
@@ -0,0 +1,37 @@ +// +// Baseline deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'managementGroup' + +// ---------- +// PARAMETERS +// ---------- +var policyAssignmentConfig = loadJsonContent('../assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json') + +// --------- +// RESOURCES +// --------- + +@description('Baseline resource configuration') +module minimum_policy '../assignments/policyAssignmentManagementGroup.bicep' = { + name: 'baseline policy' + params: { + parPolicyAssignmentName: policyAssignmentConfig.parameters.parPolicyAssignmentName.value + parPolicyAssignmentDisplayName: policyAssignmentConfig.parameters.parPolicyAssignmentDisplayName.value + parPolicyAssignmentDescription: policyAssignmentConfig.parameters.parPolicyAssignmentDescription.value + parPolicyAssignmentDefinitionId: policyAssignmentConfig.parameters.parPolicyAssignmentDefinitionId.value + parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters + parPolicyAssignmentNonComplianceMessages: policyAssignmentConfig.parameters.parPolicyAssignmentNonComplianceMessages.value + parPolicyAssignmentNotScopes: policyAssignmentConfig.parameters.parPolicyAssignmentNotScopes.value + parTelemetryOptOut: policyAssignmentConfig.parameters.parTelemetryOptOut.value + parPolicyAssignmentParameterOverrides: policyAssignmentConfig.parameters.parPolicyAssignmentParameterOverrides.value + parPolicyAssignmentEnforcementMode: policyAssignmentConfig.parameters.parPolicyAssignmentEnforcementMode.value + parPolicyAssignmentIdentityType: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityType.value + parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs.value + parPolicyAssignmentIdentityRoleAssignmentsSubs: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleAssignmentsSubs.value 
+ parPolicyAssignmentIdentityRoleDefinitionIds: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleDefinitionIds.value + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md new file mode 100644 index 00000000..c8341dff --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md new file mode 100644 index 00000000..3d29f676 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/samples/baseline.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md new file mode 100644 index 00000000..03d739f6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md 
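Review bot: `parPolicyAssignmentParameters` is forwarded as `policyAssignmentConfig.parameters.parPolicyAssignmentParameters` — the whole parameter-file entry including its `value` wrapper — while every other line in this module call, including `parPolicyAssignmentParameterOverrides` a few lines below, selects `.value`. Unless the assignment module deliberately unwraps that entry (not visible here), the assignment would receive a single policy parameter named `value`; if `.value` is intended, change the line to `parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters.value`, otherwise add a comment explaining why this one parameter is passed wrapped. Because this sample also forwards `parPolicyAssignmentIdentityRoleDefinitionIds` and the additional management-group and subscription scopes from the parameter file, a comment such as `// Role definition IDs and extra scopes grant RBAC to the assignment's managed identity; keep them to the minimum the DINE remediation needs` would help readers review the least-privilege side of the sample.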
@@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..c8eca32f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/samples/minimum.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep new file mode 100644 index 00000000..54609325 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep @@ -0,0 +1,20 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'managementGroup' + +// ---------- +// PARAMETERS +// ---------- + +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module minimum_policy '../definitions/customPolicyDefinitions.bicep' = { + name: 'minimum policy' +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep new file mode 100644 index 00000000..2ec98f8e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep @@ -0,0 +1,31 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'managementGroup' + +// ---------- +// PARAMETERS +// ---------- +var policyAssignmentConfig = loadJsonContent('../assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json') + +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module minimum_policy '../assignments/policyAssignmentManagementGroup.bicep' = { + name: 'minimum policy' + params: { + parPolicyAssignmentName: policyAssignmentConfig.parameters.parPolicyAssignmentName.value + parPolicyAssignmentDisplayName: policyAssignmentConfig.parameters.parPolicyAssignmentDisplayName.value + parPolicyAssignmentDescription: policyAssignmentConfig.parameters.parPolicyAssignmentDescription.value + parPolicyAssignmentDefinitionId: policyAssignmentConfig.parameters.parPolicyAssignmentDefinitionId.value + parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters + parPolicyAssignmentNonComplianceMessages: policyAssignmentConfig.parameters.parPolicyAssignmentNonComplianceMessages.value + parPolicyAssignmentNotScopes: policyAssignmentConfig.parameters.parPolicyAssignmentNotScopes.value + parTelemetryOptOut: policyAssignmentConfig.parameters.parTelemetryOptOut.value + } +} diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/README.md b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/README.md new file mode 100644 index 00000000..7308245d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/README.md 
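Review bot: This sample loads `mc-policyAssignmentManagementGroup.dine.parameters.min.json` but, unlike the baseline sample, passes no identity or role-assignment parameters (`parPolicyAssignmentIdentityType`, `parPolicyAssignmentIdentityRoleDefinitionIds`) to the assignment module; a DeployIfNotExists assignment without a managed identity and matching role assignments is created but cannot remediate anything. If the module's defaults supply the identity and roles (not visible here) that is fine and deserves a comment such as `// identity and role assignments for the DINE remediation come from the module defaults`; otherwise the sample should forward those parameters explicitly. The `parPolicyAssignmentParameters` line also differs from its neighbours by not selecting `.value`; confirm the module expects the wrapped form or append `.value` as on the surrounding lines.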
@@ -0,0 +1,62 @@ +# Module: Private DNS Zone Links + +This module is used by the Hub Peered Spoke orchestration module to create virtual network links from Private DNS Zones. +> Consider using the `hubPeeredSpoke` orchestration module to leverage this module to create virtual network links from Private DNS Zones to Spoke Virtual Networks. [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke) + +## Parameters + +- [Link to Parameters](generateddocs/privateDnsZoneLinks.bicep.md) + +## Outputs + +*The module will not generate any outputs.* + +## Deployment + +The inputs for this module are defined in `parameters/privateDnsZoneLinks.parameters.all.json`. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +# For Azure global regions +az deployment rg create \ + --template-file infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep \ + --parameters @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json \ + --location eastus +``` + +OR + +```bash +# For Azure China regions +az deployment rg create \ + --template-file infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep \ + --parameters @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json \ + --location chinaeast2 + ``` + +### PowerShell + +```powershell +# For Azure global regions +New-AzResourceGroupDeployment ` + -TemplateFile infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json ` + -Location eastus +``` + +OR + +```powershell +# For Azure China regions +New-AzResourceGroupDeployment ` + -TemplateFile 
infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json ` + -Location chinaeast2 +``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md new file mode 100644 index 00000000..d8e1c999 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md @@ -0,0 +1,42 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parSpokeVirtualNetworkResourceId | No | The Spoke Virtual Network Resource ID. +parPrivateDnsZoneResourceId | No | The Private DNS Zone Resource IDs to associate with the spoke Virtual Network. + +### parSpokeVirtualNetworkResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Spoke Virtual Network Resource ID. + +### parPrivateDnsZoneResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Private DNS Zone Resource IDs to associate with the spoke Virtual Network. + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.json" + }, + "parameters": { + "parSpokeVirtualNetworkResourceId": { + "value": "" + }, + "parPrivateDnsZoneResourceId": { + "value": "" + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png new file mode 100644 index 00000000..a0ae799a Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png differ diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json new file mode 100644 index 00000000..f0bb9fd4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSpokeVirtualNetworkResourceId": { + "value": "" + }, + "parPrivateDnsZoneResourceIds":{ + "value": [] + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json new file mode 100644 index 00000000..f0bb9fd4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSpokeVirtualNetworkResourceId": { + "value": "" + }, + "parPrivateDnsZoneResourceIds":{ + "value": [] + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep new file mode 100644 index 00000000..b36c5e6f 
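Review bot: The key `parPrivateDnsZoneResourceIds` with an array value `[]` does not match the module it is meant to feed: the `privateDnsZoneLinks.bicep` hunk that follows declares a single `string` parameter named `parPrivateDnsZoneResourceId`, so deploying with this file as the README instructs is expected to be rejected for an unrecognised parameter, and even if accepted the array type would not fit. Either rename the entry to `"parPrivateDnsZoneResourceId": { "value": "" }` or change the module to accept an array of zone IDs and loop over it — pick one and keep the parameter file, the module and the README consistent. The `.min.json` hunk on this same line is byte-identical (same blob `f0bb9fd4`) and needs the same correction.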
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep
@@ -0,0 +1,20 @@
+targetScope = 'resourceGroup'
+
+@sys.description('The Spoke Virtual Network Resource ID.')
+param parSpokeVirtualNetworkResourceId string = ''
+
+@sys.description('The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.')
+param parPrivateDnsZoneResourceId string = ''
+
+var varSpokeVirtualNetworkName = split(parSpokeVirtualNetworkResourceId, '/')[8]
+
+resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
+ location: 'global'
+ name: '${split(parPrivateDnsZoneResourceId, '/')[8]}/dnslink-to-${varSpokeVirtualNetworkName}'
+ properties: {
+ registrationEnabled: false
+ virtualNetwork: {
+ id: parSpokeVirtualNetworkResourceId
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.bicep
new file mode 100644
index 00000000..1e37ab36
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.bicep
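Review bot: `varSpokeVirtualNetworkName` indexes `split(parSpokeVirtualNetworkResourceId, '/')[8]` while that parameter defaults to `''`, and the `if` on `resPrivateDnsZoneLinkToSpoke` checks only `parPrivateDnsZoneResourceId`, so a caller that supplies a zone ID but leaves the VNet ID empty gets an index-out-of-range failure on the link name instead of a clear message, and a non-empty but malformed ID is not validated either. Guard both inputs and take the last segment rather than a fixed index: `var varSpokeVirtualNetworkName = last(split(parSpokeVirtualNetworkResourceId, '/'))` and `= if (!empty(parPrivateDnsZoneResourceId) && !empty(parSpokeVirtualNetworkResourceId)) {`. The description of `parPrivateDnsZoneResourceId` says "Resource IDs" but the type is a single `string`; fix the text or accept an array. `registrationEnabled: false` is the right setting for a shared hub zone — spokes should resolve records but not auto-register into it — and deserves a comment so nobody flips it for convenience: `// resolution only: spoke VNets must not auto-register records into the shared zone`.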
@@ -0,0 +1,30 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@sys.description('The Spoke Virtual Network Resource ID.')
+param parSpokeVirtualNetworkResourceId string = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/'
+
+@sys.description('The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.')
+param parPrivateDnsZoneResourceId string = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/privateDnsZones/'
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module baseline_private_dns_zone_linking '../privateDnsZoneLinks.bicep' = {
+ name: 'baseline_vnet_peering'
+ params: {
+ parPrivateDnsZoneResourceId: parPrivateDnsZoneResourceId
+ parSpokeVirtualNetworkResourceId: parSpokeVirtualNetworkResourceId
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..0c45d774
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/generateddocs/baseline.sample.bicep.md
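Review bot: The module deployment is named `name: 'baseline_vnet_peering'` although this sample links Private DNS zones; it reads like a carry-over from a VNet peering sample and will label the deployment misleadingly in the portal and activity log, so use `name: 'baseline_private_dns_zone_linking'` to match the symbolic name. The file mixes `@sys.description` on the parameters with `@description` on the module; pick one form. The default resource IDs leave the resource-group and resource-name segments empty (`resourceGroups//providers/.../virtualNetworks/`), so the module in the preceding hunk would presumably read an empty string at index 8 of the split and build a link name of `/dnslink-to-`; an explicit placeholder such as `xxxxxxxxxxx`, as the privateDnsZones parameter files in this commit use, makes the required substitution visible and fails loudly if forgotten.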
@@ -0,0 +1,46 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parSpokeVirtualNetworkResourceId | No | The Spoke Virtual Network Resource ID. +parPrivateDnsZoneResourceId | No | The Private DNS Zone Resource IDs to associate with the spoke Virtual Network. + +### parSpokeVirtualNetworkResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Spoke Virtual Network Resource ID. + +- Default value: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/` + +### parPrivateDnsZoneResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Private DNS Zone Resource IDs to associate with the spoke Virtual Network. + +- Default value: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/privateDnsZones/` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.json" + }, + "parameters": { + "parSpokeVirtualNetworkResourceId": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/" + }, + "parPrivateDnsZoneResourceId": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/privateDnsZones/" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/README.md b/dependencies/infra-as-code/bicep/modules/privateDnsZones/README.md new file mode 100644 index 00000000..6cce7a75 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/README.md 
@@ -0,0 +1,174 @@ +# Module: Private DNS Zones + +This module deploys Private DNS Zones used for Private Link based on the recommendations from the Azure Landing Zone Conceptual Architecture. + +Module deploys the following resources: + +- Private DNS Zones - See [DNS Zones](#dns-zones) for more info +- Private DNS Zone Links - Links deployed zones with provided Hub Network + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/privateDnsZones.bicep.md) + +> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. + +## DNS Zones + +### Regional Zones + +The following DNS Zones are region specific and will be deployed with the provided region in the `parLocation` parameter by default: + +- `privatelink.xxxxxx.batch.azure.com` +- `privatelink.xxxxxx.azmk8s.io` +- `privatelink.xxxxxx.kusto.windows.net` + +**Note:** The region specific zones are included in the parameters files with the region set as `xxxxxx`. For these zones to deploy properly, replace `xxxxxx` with the target region. For example: `privatelink.xxxxxx.azmk8s.io` would become `privatelink.eastus.azmk8s.io` for a deployment targeting the East US region. + +### Geo Code Zones + +The following DNS Zone use a geo code associated to the Azure Region. + +- `privatelink.xxx.backup.windowsazure.com` + +If the Azure Region entered in `parLocation` matches a lookup to the map in `varAzBackupGeoCodes` we will append Geo Codes (value) used to generate region-specific DNS zone names for Azure Backup private endpoints. then insert Azure Backup Private DNS Zone with appropriate geo code inserted alongside zones in `parPrivateDnsZones` into a new array called `varPrivateDnsZonesMerge`. If not just return `parPrivateDnsZones` as the only values in `varPrivateDnsZonesMerge`. To override this see the parameter `parPrivateDnsZoneAutoMergeAzureBackupZone`. 
+ +> For more information on Azure Backup and Private Link, or geo codes, please refer to: [Create and use private endpoints for Azure Backup](https://learn.microsoft.com/azure/backup/private-endpoints#when-using-custom-dns-server-or-host-files) + +### Prefixed DNS Zone + +The DNS Zone `privatelink.{dnsPrefix}.database.windows.net` is not deployed by default as the DNS Prefix is individual. + +You can add the zone to your parameters file with the required DNS Prefix in the zone name. + +### All Zones and more details + +For more details on private DNS Zones please refer to this link: +[https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| ------------------ | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| outPrivateDnsZones | array | `[{"name":"privatelink.azurecr.io","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"},{"name":"privatelink.azurewebsites.net","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"}]` | +| outPrivateDnsZonesNames | array | `["privatelink.azurecr.io", "privatelink.azurewebsites.net"]` | + +## Deployment +> **Note:** `bicepconfig.json` file is included in the module directory. This file allows us to override Bicep Linters. Currently there are two URLs which were removed because of linter warnings. 
URLs removed are the following: database.windows.net and core.windows.net + +In this example, the hub resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the hub resources should be deployed into the Platform connectivity subscription. During the deployment step, we will take the default values and not pass any parameters. + +There are two different sets of input parameters; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to different private DNS zone names for Azure services in Azure global regions and Azure China. The recommended private DNS zone names are available [here](https://learn.microsoft.com/azure/private-link/private-endpoint-dns). Other differences in Azure China regions are as follow: +- DDoS Protection feature is not available. parDdosEnabled parameter is set as false. +- The SKUs available for an ExpressRoute virtual network gateway are Standard, HighPerformance and UltraPerformance. Sku is set as "Standard" in the example parameters file. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | --------------------- | ------------------------------------------ | + | Global regions | privateDnsZones.bicep | parameters/privateDnsZones.parameters.all.json | + | China regions | privateDnsZones.bicep | parameters/mc-privateDnsZones.parameters.all.json | + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +# For Azure global regions +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. 
This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PrivateDnsZonesDeployment-${dateYMD}" +RESOURCEGROUP="rg-$TopLevelMGPrefix-private-dns-001" +TEMPLATEFILE="infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep" +PARAMETERS="@infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json" + +az group create --location eastus \ + --name $RESOURCEGROUP + +az deployment group create --name ${NAME:0:63} --resource-group $RESOURCEGROUP --parameters $PARAMETERS --template-file $TEMPLATEFILE +``` +OR +```bash +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PrivateDnsZonesDeployment-${dateYMD}" +RESOURCEGROUP="rg-$TopLevelMGPrefix-private-dns-001" +TEMPLATEFILE="infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep" +PARAMETERS="@infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json" + +az group create --location chinaeast2 \ + --name $RESOURCEGROUP + +az deployment group create --name ${NAME:0:63} --resource-group $RESOURCEGROUP --parameters $PARAMETERS --template-file $TEMPLATEFILE +``` + +### PowerShell + +```powershell +# For Azure global regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+$TopLevelMGPrefix = "alz" + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'eastus' + +$inputObject = @{ + DeploymentName = 'alz-PrivateDnsZonesDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-private-dns-001" + TemplateFile = "infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json" +} + +New-AzResourceGroupDeployment @inputObject +``` +OR + +```powershell +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'chinaeast2' + +$inputObject = @{ + DeploymentName = 'alz-PrivateDnsZonesDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-private-dns-001" + TemplateFile = "infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json" +} + +New-AzResourceGroupDeployment @inputObject +``` +## Example Output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json new file mode 100644 index 00000000..ad3802e9 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json 
@@ -0,0 +1,124 @@ +{ + "analyzers": { + "core": { + "enabled": true, + "verbose": true, + "rules": { + "adminusername-should-not-be-literal": { + "level": "error" + }, + "artifacts-parameters": { + "level": "error" + }, + "decompiler-cleanup": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" + }, + "no-hardcoded-env-urls": { + "level": "error", + "disallowedhosts": [ + "management.core.windows.net", + "gallery.azure.com", + "management.core.windows.net", + "management.azure.com", + "login.microsoftonline.com", + "graph.windows.net", + "trafficmanager.net", + "vault.azure.net", + "datalake.azure.net", + "azuredatalakestore.net", + "azuredatalakeanalytics.net", + "vault.azure.net", + "api.loganalytics.io", + "api.loganalytics.iov1", + "asazure.windows.net", + "region.asazure.windows.net", + "api.loganalytics.iov1", + "api.loganalytics.io", + "asazure.windows.net", + "region.asazure.windows.net", + "batch.core.windows.net" + ], + "excludedhosts": [ + "schema.management.azure.com" + ] + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "no-unnecessary-dependson": { + "level": "error" + }, + "no-unused-existing-resources": { + "level": "error" + }, + "no-unused-params": { + "level": "error" + }, + "no-unused-vars": { + "level": "error" + }, + "outputs-should-not-contain-secrets": { + "level": "error" + }, + "prefer-interpolation": { + "level": "error" + }, + "prefer-unquoted-property-names": { + "level": "error" + }, + "protect-commandtoexecute-secrets": { + "level": "error" + }, + "secure-parameter-default": { + "level": "error" + }, + "secure-params-in-nested-deploy": { + "level": "error" + }, + "secure-secrets-in-params": { + "level": "error" + }, + "simplify-interpolation": { + "level": "error" + }, + "simplify-json-null": { + "level": "error" + }, + 
"use-parent-property": { + "level": "error" + }, + "use-recent-api-versions": { + "level": "warning", + "maxAllowedAgeInDays": 730 + }, + "use-resource-id-functions": { + "level": "error" + }, + "use-resource-symbol-reference": { + "level": "error" + }, + "use-stable-resource-identifiers": { + "level": "error" + }, + "use-stable-vm-image": { + "level": "error" + } + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md new file mode 100644 index 00000000..2eae1b5f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md 
@@ -0,0 +1,166 @@ +# ALZ Bicep - Private DNS Zones + +Module used to set up Private DNS Zones in accordance to Azure Landing Zones + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | The Azure Region to deploy the resources into. +parPrivateDnsZones | No | Array of custom DNS Zones to provision in Hub Virtual Network. +parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. +parTags | No | Tags you would like to be applied to all resources in this module. +parVirtualNetworkIdToLink | No | Resource ID of VNet for Private DNS Zone VNet Links. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Region to deploy the resources into. + +- Default value: `[resourceGroup().location]` + +### parPrivateDnsZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of custom DNS Zones to provision in Hub Virtual Network. 
+ +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net 
privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` + +### parPrivateDnsZoneAutoMergeAzureBackupZone + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. + +- Default value: `True` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. + +### parVirtualNetworkIdToLink + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource ID of VNet for Private DNS Zone VNet Links. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
+ +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outPrivateDnsZones | array | +outPrivateDnsZonesNames | array | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parPrivateDnsZones": { + "value": [ + "[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))]", + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + 
"privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "parPrivateDnsZoneAutoMergeAzureBackupZone": { + "value": true + }, + "parTags": { + "value": {} + }, + "parVirtualNetworkIdToLink": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png new file mode 100644 index 00000000..37b0d74e Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png
new file mode 100644
index 00000000..c179093a
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json
new file mode 100644
index 00000000..e387e259
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parPrivateDnsZoneAutoMergeAzureBackupZone": {
+ "value": true
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.min.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.min.json
new file mode 100644
index 00000000..ff3ebeee
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.min.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json
new file mode 100644
index 00000000..ac87cc7b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json 
@@ -0,0 +1,94 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "eastus" + }, + "parPrivateDnsZones": { + "value": [ + "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus) + "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus) + "privatelink.xxxxxx.kusto.windows.net", // Replace xxxxxx with target region (i.e. eastus) + "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region geo code (i.e. for eastus, the geo code is eus) + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + 
"privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "parPrivateDnsZoneAutoMergeAzureBackupZone": { + "value": true + }, + "parTags": { + "value": { + "Environment": "Live" + } + }, + "parVirtualNetworkIdToLink": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json new file mode 100644 index 00000000..3f3a4631 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parPrivateDnsZones": { + "value": [ + "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus) + "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus) + "privatelink.xxxxxx.kusto.windows.net", // Replace xxxxxx with target region (i.e. eastus) + "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region geo code (i.e. for eastus, the geo code is eus) + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + 
"privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "parVirtualNetworkIdToLink": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep new file mode 100644 index 00000000..f5590bee --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep 
@@ -0,0 +1,194 @@ +metadata name = 'ALZ Bicep - Private DNS Zones' +metadata description = 'Module used to set up Private DNS Zones in accordance to Azure Landing Zones' + +@sys.description('The Azure Region to deploy the resources into.') +param parLocation string = resourceGroup().location + +@sys.description('Array of custom DNS Zones to provision in Hub Virtual Network.') +param parPrivateDnsZones array = [ + 'privatelink.${toLower(parLocation)}.azmk8s.io' + 'privatelink.${toLower(parLocation)}.batch.azure.com' + 'privatelink.${toLower(parLocation)}.kusto.windows.net' + 'privatelink.adf.azure.com' + 'privatelink.afs.azure.net' + 'privatelink.agentsvc.azure-automation.net' + 'privatelink.analysis.windows.net' + 'privatelink.api.azureml.ms' + 'privatelink.azconfig.io' + 'privatelink.azure-api.net' + 'privatelink.azure-automation.net' + 'privatelink.azurecr.io' + 'privatelink.azure-devices.net' + 'privatelink.azure-devices-provisioning.net' + 'privatelink.azurehdinsight.net' + 'privatelink.azurehealthcareapis.com' + 'privatelink.azurestaticapps.net' + 'privatelink.azuresynapse.net' + 'privatelink.azurewebsites.net' + 'privatelink.batch.azure.com' + 'privatelink.blob.core.windows.net' + 'privatelink.cassandra.cosmos.azure.com' + 'privatelink.cognitiveservices.azure.com' + 'privatelink.database.windows.net' + 'privatelink.datafactory.azure.net' + 'privatelink.dev.azuresynapse.net' + 'privatelink.dfs.core.windows.net' + 'privatelink.dicom.azurehealthcareapis.com' + 'privatelink.digitaltwins.azure.net' + 'privatelink.directline.botframework.com' + 'privatelink.documents.azure.com' + 'privatelink.eventgrid.azure.net' + 'privatelink.file.core.windows.net' + 'privatelink.gremlin.cosmos.azure.com' + 'privatelink.guestconfiguration.azure.com' + 'privatelink.his.arc.azure.com' + 'privatelink.kubernetesconfiguration.azure.com' + 'privatelink.managedhsm.azure.net' + 'privatelink.mariadb.database.azure.com' + 'privatelink.media.azure.net' + 'privatelink.mongo.cosmos.azure.com' 
+ 'privatelink.monitor.azure.com' + 'privatelink.mysql.database.azure.com' + 'privatelink.notebooks.azure.net' + 'privatelink.ods.opinsights.azure.com' + 'privatelink.oms.opinsights.azure.com' + 'privatelink.pbidedicated.windows.net' + 'privatelink.postgres.database.azure.com' + 'privatelink.prod.migration.windowsazure.com' + 'privatelink.purview.azure.com' + 'privatelink.purviewstudio.azure.com' + 'privatelink.queue.core.windows.net' + 'privatelink.redis.cache.windows.net' + 'privatelink.redisenterprise.cache.azure.net' + 'privatelink.search.windows.net' + 'privatelink.service.signalr.net' + 'privatelink.servicebus.windows.net' + 'privatelink.siterecovery.windowsazure.com' + 'privatelink.sql.azuresynapse.net' + 'privatelink.table.core.windows.net' + 'privatelink.table.cosmos.azure.com' + 'privatelink.tip1.powerquery.microsoft.com' + 'privatelink.token.botframework.com' + 'privatelink.vaultcore.azure.net' + 'privatelink.web.core.windows.net' + 'privatelink.webpubsub.azure.com' +] + +@sys.description('Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.') +param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true + +@sys.description('Tags you would like to be applied to all resources in this module.') +param parTags object = {} + +@sys.description('Resource ID of VNet for Private DNS Zone VNet Links.') +param parVirtualNetworkIdToLink string = '' + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry.') +param parTelemetryOptOut bool = false + +var varAzBackupGeoCodes = { + australiacentral: 'acl' + australiacentral2: 'acl2' + australiaeast: 'ae' + australiasoutheast: 'ase' + brazilsouth: 'brs' + brazilsoutheast: 'bse' + centraluseuap: 'ccy' + canadacentral: 'cnc' + canadaeast: 'cne' + centralus: 'cus' + eastasia: 'ea' + eastus2euap: 'ecy' + eastus: 'eus' + eastus2: 'eus2' + francecentral: 'frc' + francesouth: 'frs' + germanynorth: 'gn' + germanywestcentral: 'gwc' + centralindia: 'inc' + southindia: 'ins' + 
westindia: 'inw' + japaneast: 'jpe' + japanwest: 'jpw' + jioindiacentral: 'jic' + jioindiawest: 'jiw' + koreacentral: 'krc' + koreasouth: 'krs' + northcentralus: 'ncus' + northeurope: 'ne' + norwayeast: 'nwe' + norwaywest: 'nww' + qatarcentral: 'qac' + southafricanorth: 'san' + southafricawest: 'saw' + southcentralus: 'scus' + swedencentral: 'sdc' + swedensouth: 'sds' + southeastasia: 'sea' + switzerlandnorth: 'szn' + switzerlandwest: 'szw' + uaecentral: 'uac' + uaenorth: 'uan' + uksouth: 'uks' + ukwest: 'ukw' + westcentralus: 'wcus' + westeurope: 'we' + westus: 'wus' + westus2: 'wus2' + westus3: 'wus3' + usdodcentral: 'udc' + usdodeast: 'ude' + usgovarizona: 'uga' + usgoviowa: 'ugi' + usgovtexas: 'ugt' + usgovvirginia: 'ugv' + usnateast: 'exe' + usnatwest: 'exw' + usseceast: 'rxe' + ussecwest: 'rxw' + chinanorth: 'bjb' + chinanorth2: 'bjb2' + chinanorth3: 'bjb3' + chinaeast: 'sha' + chinaeast2: 'sha2' + chinaeast3: 'sha3' + germanycentral: 'gec' + germanynortheast: 'gne' +} + +// If region entered in parLocation and matches a lookup to varAzBackupGeoCodes then insert Azure Backup Private DNS Zone with appropriate geo code inserted alongside zones in parPrivateDnsZones. If not just return parPrivateDnsZones +var varPrivateDnsZonesMerge = parPrivateDnsZoneAutoMergeAzureBackupZone && contains(varAzBackupGeoCodes, parLocation) ? 
union(parPrivateDnsZones, [ 'privatelink.${varAzBackupGeoCodes[toLower(parLocation)]}.backup.windowsazure.com' ]) : parPrivateDnsZones + +// Customer Usage Attribution Id +var varCuaid = '981733dd-3195-4fda-a4ee-605ab959edb6' + +resource resPrivateDnsZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDnsZone in varPrivateDnsZonesMerge: { + name: privateDnsZone + location: 'global' + tags: parTags +}] + +resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in varPrivateDnsZonesMerge: if (!empty(parVirtualNetworkIdToLink)) { + name: '${privateDnsZoneName}/${take('link-${uniqueString(parVirtualNetworkIdToLink)}', 80)}' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: parVirtualNetworkIdToLink + } + } + dependsOn: resPrivateDnsZones +}] + +module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params + name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}' + params: {} +} + +output outPrivateDnsZones array = [for i in range(0, length(varPrivateDnsZonesMerge)): { + name: resPrivateDnsZones[i].name + id: resPrivateDnsZones[i].id +}] + +output outPrivateDnsZonesNames array = [for i in range(0, length(varPrivateDnsZonesMerge)): resPrivateDnsZones[i].name ] diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep new file mode 100644 index 00000000..08e585cd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep 
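Review bot: The guard and the lookup in `varPrivateDnsZonesMerge` normalise `parLocation` differently — `contains(varAzBackupGeoCodes, parLocation)` tests the raw value while the index uses `varAzBackupGeoCodes[toLower(parLocation)]`. ARM object-key lookups are, to my knowledge, case-insensitive, so this is probably cosmetic today, but a mixed-case region such as `EastUS` is exactly the input where the two sides could disagree; `contains(varAzBackupGeoCodes, toLower(parLocation))` makes them consistent with the `toLower` already used for the default zone names. Separately, `registrationEnabled: false` on `resVirtualNetworkLink` is the correct, security-relevant choice and deserves a why-comment, e.g. `// Never auto-register: VMs in the linked VNet must not be able to publish records into zones that front Azure service namespaces; only Private Endpoint records belong here`. The two loops also name their iteration variable differently (`privateDnsZone` vs `privateDnsZoneName`); picking one aids readability.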
@@ -0,0 +1,95 @@ +// +// Baseline deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'resourceGroup' + +// ---------- +// PARAMETERS +// ---------- +@description('The Azure Region to deploy the resources into. Default: resourceGroup().location') +param parLocation string = resourceGroup().location +// --------- +// RESOURCES +// --------- + +@description('Baseline resource configuration') +module baseline_private_dns '../privateDnsZones.bicep' = { + name: 'minimum private DNS' + params: { + parLocation: parLocation + parPrivateDnsZones: [ + 'privatelink.${toLower(parLocation)}.azmk8s.io' + 'privatelink.${toLower(parLocation)}.batch.azure.com' + 'privatelink.${toLower(parLocation)}.kusto.windows.net' + 'privatelink.adf.azure.com' + 'privatelink.afs.azure.net' + 'privatelink.agentsvc.azure-automation.net' + 'privatelink.analysis.windows.net' + 'privatelink.api.azureml.ms' + 'privatelink.azconfig.io' + 'privatelink.azure-api.net' + 'privatelink.azure-automation.net' + 'privatelink.azurecr.io' + 'privatelink.azure-devices.net' + 'privatelink.azure-devices-provisioning.net' + 'privatelink.azurehdinsight.net' + 'privatelink.azurehealthcareapis.com' + 'privatelink.azurestaticapps.net' + 'privatelink.azuresynapse.net' + 'privatelink.azurewebsites.net' + 'privatelink.batch.azure.com' + 'privatelink.blob.core.windows.net' + 'privatelink.cassandra.cosmos.azure.com' + 'privatelink.cognitiveservices.azure.com' + 'privatelink.database.windows.net' + 'privatelink.datafactory.azure.net' + 'privatelink.dev.azuresynapse.net' + 'privatelink.dfs.core.windows.net' + 'privatelink.dicom.azurehealthcareapis.com' + 'privatelink.digitaltwins.azure.net' + 'privatelink.directline.botframework.com' + 'privatelink.documents.azure.com' + 'privatelink.eventgrid.azure.net' + 'privatelink.file.core.windows.net' + 'privatelink.gremlin.cosmos.azure.com' + 'privatelink.guestconfiguration.azure.com' + 'privatelink.his.arc.azure.com' + 
'privatelink.kubernetesconfiguration.azure.com' + 'privatelink.managedhsm.azure.net' + 'privatelink.mariadb.database.azure.com' + 'privatelink.media.azure.net' + 'privatelink.mongo.cosmos.azure.com' + 'privatelink.monitor.azure.com' + 'privatelink.mysql.database.azure.com' + 'privatelink.notebooks.azure.net' + 'privatelink.ods.opinsights.azure.com' + 'privatelink.oms.opinsights.azure.com' + 'privatelink.pbidedicated.windows.net' + 'privatelink.postgres.database.azure.com' + 'privatelink.prod.migration.windowsazure.com' + 'privatelink.purview.azure.com' + 'privatelink.purviewstudio.azure.com' + 'privatelink.queue.core.windows.net' + 'privatelink.redis.cache.windows.net' + 'privatelink.redisenterprise.cache.azure.net' + 'privatelink.search.windows.net' + 'privatelink.service.signalr.net' + 'privatelink.servicebus.windows.net' + 'privatelink.siterecovery.windowsazure.com' + 'privatelink.sql.azuresynapse.net' + 'privatelink.table.core.windows.net' + 'privatelink.table.cosmos.azure.com' + 'privatelink.tip1.powerquery.microsoft.com' + 'privatelink.token.botframework.com' + 'privatelink.vaultcore.azure.net' + 'privatelink.web.core.windows.net' + 'privatelink.webpubsub.azure.com' + ] + parTags: {} + parVirtualNetworkIdToLink: '' + parTelemetryOptOut: false + } +} diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/baseline.sample.bicep.md new file mode 100644 index 00000000..39c2e776 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/baseline.sample.bicep.md 
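Review bot: The baseline sample's module deployment is named `'minimum private DNS'`, the same name the minimum sample uses, which reads as a copy-paste slip; deployments with identical names into the same resource group share one deployment-history entry, so `name: 'baseline private DNS'` would keep the two samples distinguishable. The sample also passes `parVirtualNetworkIdToLink: ''`, so it creates the zones with no VNet link and therefore no effect on resolution, which is fine for a smoke test but worth a comment such as `// No VNet link in this sample: pass the hub VNet resource ID for the zones to be used`. The zone list is a verbatim copy of the module default, so the sample will silently drift from the module when either is edited; a comment noting that it mirrors the default, or omitting the list to exercise the default, would help.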
@@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | The Azure Region to deploy the resources into. Default: resourceGroup().location + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Region to deploy the resources into. Default: resourceGroup().location + +- Default value: `[resourceGroup().location]` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..54933fc7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/minimum.sample.bicep.md 
@@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +location | No | The Azure Region to deploy the resources into. Default: resourceGroup().location + +### location + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Region to deploy the resources into. Default: resourceGroup().location + +- Default value: `[resourceGroup().location]` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.json" + }, + "parameters": { + "location": { + "value": "[resourceGroup().location]" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.bicep new file mode 100644 index 00000000..bf4226b8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.bicep @@ -0,0 +1,24 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'resourceGroup' + +// ---------- +// PARAMETERS +// ---------- +@description('The Azure Region to deploy the resources into. Default: resourceGroup().location') +param location string = resourceGroup().location +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module minimum_private_dns '../privateDnsZones.bicep' = { + name: 'minimum private DNS' + params: { + parLocation: location + } +} diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/README.md b/dependencies/infra-as-code/bicep/modules/publicIp/README.md new file mode 100644 index 00000000..96a5683a --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/publicIp/README.md @@ -0,0 +1,27 @@ +# Module: Public IP + +This module defines a public IP address and outputs the id for other modules to consume. + +Module deploys the following resources: + +- Public IP Address + +## Parameters + +- [Link to Parameters](generateddocs/publicIp.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| ------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| outPublicIpId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/publicIPAddresses/alz-bastion-PublicIp | + +## Deployment + +Module is intended to be called from other modules as a reusable resource. + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/generateddocs/publicIp.bicep.md b/dependencies/infra-as-code/bicep/modules/publicIp/generateddocs/publicIp.bicep.md new file mode 100644 index 00000000..4942e5c7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/publicIp/generateddocs/publicIp.bicep.md 
@@ -0,0 +1,106 @@ +# ALZ Bicep - Public IP creation module + +Module used to set up Public IP for Azure Landing Zones + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | Azure Region to deploy Public IP Address to. +parPublicIpName | Yes | Name of Public IP to create in Azure. +parPublicIpSku | Yes | Public IP Address SKU. +parPublicIpProperties | Yes | Properties of Public IP to be deployed. +parAvailabilityZones | No | Availability Zones to deploy the Public IP across. Region must support Availability Zones to use. If it does not then leave empty. +parTags | No | Tags to be applied to resource when deployed. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Region to deploy Public IP Address to. + +- Default value: `[resourceGroup().location]` + +### parPublicIpName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Name of Public IP to create in Azure. + +### parPublicIpSku + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Public IP Address SKU. + +### parPublicIpProperties + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Properties of Public IP to be deployed. + +### parAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the Public IP across. Region must support Availability Zones to use. If it does not then leave empty. + +- Allowed values: `1`, `2`, `3` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags to be applied to resource when deployed. 
+ +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outPublicIpId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/publicIp/publicIp.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parPublicIpName": { + "value": "" + }, + "parPublicIpSku": { + "value": {} + }, + "parPublicIpProperties": { + "value": {} + }, + "parAvailabilityZones": { + "value": [] + }, + "parTags": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/publicIp/media/bicepVisualizer.png new file mode 100644 index 00000000..10a29056 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/publicIp/media/bicepVisualizer.png differ diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json b/dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json new file mode 100644 index 00000000..40de9e5e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json 
@@ -0,0 +1,37 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "eastus" + }, + "parPublicIpName": { + "value": "alz" + }, + "parPublicIpSku": { + "value": { + "name": "Standard", + "tier": "Regional" + } + }, + "parPublicIpProperties": { + "value": { + "publicIpAddressVersion": "IPv4", + "publicIpAllocationMethod": "Dynamic", + "deleteOption": "Delete", + "idleTimeoutInMinutes": 4 + } + }, + "parAvailabilityZones": { + "value": [] + }, + "parTags": { + "value": { + "Environment": "Live" + } + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json b/dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json new file mode 100644 index 00000000..85fc1f5e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json @@ -0,0 +1,26 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parPublicIpName": { + "value": "alz" + }, + "parPublicIpSku": { + "value": { + "name": "Standard", + "tier": "Regional" + } + }, + "parPublicIpProperties": { + "value": { + "publicIpAddressVersion": "IPv4", + "publicIpAllocationMethod": "Dynamic", + "deleteOption": "Delete", + "idleTimeoutInMinutes": 4 + } + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/publicIp.bicep b/dependencies/infra-as-code/bicep/modules/publicIp/publicIp.bicep new file mode 100644 index 00000000..2c4cc2d3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/publicIp/publicIp.bicep 
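Review bot: `parPublicIpSku.name` is `Standard` while `parPublicIpProperties.publicIpAllocationMethod` is `Dynamic`; Standard SKU public IPs support only static allocation, so this parameter file as written should be rejected at deployment time. Change the property to `"publicIpAllocationMethod": "Static"`. The min parameters file in the same group of hunks repeats the same Standard/Dynamic pairing and needs the same fix. Keeping Standard is the right call security-wise — Standard public IPs are closed to inbound traffic until an NSG allows it, whereas Basic is open by default — so correct the allocation method rather than downgrading the SKU.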
@@ -0,0 +1,49 @@
+metadata name = 'ALZ Bicep - Public IP creation module'
+metadata description = 'Module used to set up Public IP for Azure Landing Zones'
+
+@sys.description('Azure Region to deploy Public IP Address to.')
+param parLocation string = resourceGroup().location
+
+@sys.description('Name of Public IP to create in Azure.')
+param parPublicIpName string
+
+@sys.description('Public IP Address SKU.')
+param parPublicIpSku object
+
+@sys.description('Properties of Public IP to be deployed.')
+param parPublicIpProperties object
+
+@allowed([
+ '1'
+ '2'
+ '3'
+])
+@sys.description('Availability Zones to deploy the Public IP across. Region must support Availability Zones to use. If it does not then leave empty.')
+param parAvailabilityZones array = []
+
+@sys.description('Tags to be applied to resource when deployed.')
+param parTags object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '3f85b84c-6bad-4c42-86bf-11c233241c22'
+
+resource resPublicIp 'Microsoft.Network/publicIPAddresses@2023-02-01' ={
+ name: parPublicIpName
+ tags: parTags
+ location: parLocation
+ zones: parAvailabilityZones
+ sku: parPublicIpSku
+ properties: parPublicIpProperties
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location, parPublicIpName)}'
+ params: {}
+}
+
+output outPublicIpId string = resPublicIp.id
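Review bot: `parPublicIpSku` and `parPublicIpProperties` are opaque `object` parameters passed straight through to `resPublicIp`, so the module neither defaults to nor documents the secure choice: Basic SKU public IPs accept inbound traffic with no NSG in place and Microsoft has announced their retirement, and Standard SKU requires `publicIPAllocationMethod: 'Static'`, which a caller has no hint about here. I would at least extend the descriptions, e.g. `@sys.description('Public IP Address SKU. Prefer name: Standard (closed to inbound traffic until an NSG allows it); Basic is open by default and is being retired.')` and `@sys.description('Properties of Public IP to be deployed. Standard SKU requires publicIPAllocationMethod: Static.')`. If callers can tolerate a default, `param parPublicIpSku object = { name: 'Standard', tier: 'Regional' }` makes the secure SKU the path of least resistance without breaking existing callers who already pass a value.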
diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/publicIp/samples/baseline.sample.bicep
new file mode 100644
index 00000000..1d26e65b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/publicIp/samples/baseline.sample.bicep
@@ -0,0 +1,38 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy a Well-Architected aligned resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_public_ip '../publicIp.bicep' = {
+ name: 'baseline_public_ip'
+ params: {
+ parPublicIpName: 'pip-baseline-ip'
+ parLocation: location
+ parPublicIpProperties: { }
+ parPublicIpSku: {
+ name: 'Standard'
+ tier: 'Regional'
+ }
+ parTags: {}
+ parAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..40026325
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/baseline.sample.bicep.md
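Review bot: The baseline sample advertises a Well-Architected configuration yet passes `parPublicIpProperties: { }` with a `Standard` SKU; Standard public IPs require static allocation, and whether the API fills that in when the property is omitted is not something this file lets me confirm, so the sample should be explicit rather than rely on a service default. I would pass `parPublicIpProperties: { publicIPAllocationMethod: 'Static', publicIPAddressVersion: 'IPv4' }` so the sample deploys the same shape the parameter files intend. A one-line comment on the SKU, e.g. `// Standard: zone-redundant and closed to inbound traffic until an NSG permits it`, would record why this is the baseline choice.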
@@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +location | No | The Azure location to deploy to. + +### location + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure location to deploy to. + +- Default value: `[resourceGroup().location]` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/publicIp/samples/baseline.sample.json" + }, + "parameters": { + "location": { + "value": "[resourceGroup().location]" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..20170840 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +location | No | The Azure location to deploy to. + +### location + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure location to deploy to. + +- Default value: `[resourceGroup().location]` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/publicIp/samples/minimum.sample.json" + }, + "parameters": { + "location": { + "value": "[resourceGroup().location]" + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/publicIp/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/publicIp/samples/minimum.sample.bicep new file mode 100644 index 00000000..30623709 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/publicIp/samples/minimum.sample.bicep @@ -0,0 +1,33 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'resourceGroup' + +// ---------- +// PARAMETERS +// ---------- + +@description('The Azure location to deploy to.') +param location string = resourceGroup().location + +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module minimum_public_ip '../publicIp.bicep' = { + name: 'minimum_public_ip' + params: { + parPublicIpName: 'pip-minimum-ip' + parLocation: location + parPublicIpProperties: { } + parPublicIpSku: { + name: 'Basic' + tier: 'Regional' + } + parTags: {} + } +} diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/README.md b/dependencies/infra-as-code/bicep/modules/resourceGroup/README.md new file mode 100644 index 00000000..5e7c3fe6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/README.md @@ -0,0 +1,28 @@ +# Module: Resource Group + +This module creates a Resource group to be utilized by other modules. + +Module deploys the following resources: + +- Resource Group + +## Parameters + +- [Link to Parameters](generateddocs/resourceGroup.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| ------ | ---- | ------- | +| outResourceGroupName | string | `Hub` | +| outResourceGroupId | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/Hub` | + +## Deployment + +Module is intended to be called from other modules as a reusable resource. + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
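Review bot: The minimum sample deploys a `Basic` SKU public IP (`parPublicIpSku: { name: 'Basic', tier: 'Regional' }`); Basic public IPs are reachable from the internet without any NSG in place and Microsoft has announced their retirement, so even a "minimum" sample should not be the insecure variant users are likely to copy. I would switch it to `name: 'Standard'` and, since Standard needs static allocation, replace the empty properties object with `parPublicIpProperties: { publicIPAllocationMethod: 'Static' }`. If Basic is kept deliberately for cost reasons, a comment saying so and pointing to the baseline sample would at least make the trade-off explicit.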
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/generateddocs/resourceGroup.bicep.md b/dependencies/infra-as-code/bicep/modules/resourceGroup/generateddocs/resourceGroup.bicep.md new file mode 100644 index 00000000..5dbeae79 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/generateddocs/resourceGroup.bicep.md 
@@ -0,0 +1,73 @@ +# ALZ Bicep - Resource Group creation module + +Module used to create Resource Groups for Azure Landing Zones + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | Yes | Azure Region where Resource Group will be created. +parResourceGroupName | Yes | Name of Resource Group to be created. +parTags | No | Tags you would like to be applied to all resources in this module. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Azure Region where Resource Group will be created. + +### parResourceGroupName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Name of Resource Group to be created. + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outResourceGroupName | string | +outResourceGroupId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/resourceGroup/resourceGroup.json" + }, + "parameters": { + "parLocation": { + "value": "" + }, + "parResourceGroupName": { + "value": "" + }, + "parTags": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/resourceGroup/media/bicepVisualizer.png
new file mode 100644
index 00000000..8fd02b69
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/resourceGroup/media/bicepVisualizer.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json b/dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json
new file mode 100644
index 00000000..6dcf98ff
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "eastus"
+ },
+ "parResourceGroupName": {
+ "value": "alz-rg"
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json b/dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json
new file mode 100644
index 00000000..b273c06b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "eastus"
+ },
+ "parResourceGroupName": {
+ "value": "alz-rg"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep b/dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep
new file mode 100644
index 00000000..a383c46b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep
@@ -0,0 +1,33 @@
+targetScope = 'subscription'
+
+metadata name = 'ALZ Bicep - Resource Group creation module'
+metadata description = 'Module used to create Resource Groups for Azure Landing Zones'
+
+@sys.description('Azure Region where Resource Group will be created.')
+param parLocation string
+
+@sys.description('Name of Resource Group to be created.')
+param parResourceGroupName string
+
+@sys.description('Tags you would like to be applied to all resources in this module.')
+param parTags object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = 'b6718c54-b49e-4748-a466-88e3d7c789c8'
+
+resource resResourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ location: parLocation
+ name: parResourceGroupName
+ tags: parTags
+}
+
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdSubscription.bicep' = if (!parTelemetryOptOut) {
+ name: 'pid-${varCuaid}-${uniqueString(subscription().subscriptionId, parResourceGroupName)}'
+ params: {}
+}
+
+output outResourceGroupName string = resResourceGroup.name
+output outResourceGroupId string = resResourceGroup.id
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep
new file mode 100644
index 00000000..2db656e3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep
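Review bot: `param parResourceGroupName string` accepts any string, so a name outside Azure's 1–90 character limit for resource groups is rejected only when the deployment runs rather than at template validation; decorating it with `@minLength(1)` and `@maxLength(90)` fails fast and also surfaces the constraint in the generated parameter docs. The `@sys.description` on `parTelemetryOptOut` explains the opt-out but not what opting in does; a short comment such as `// When telemetry is enabled, a subscription-scope deployment named 'pid-<cuaid>-<hash>' is created for Customer Usage Attribution.` above `modCustomerUsageAttribution` would tell consumers why an extra deployment appears in their subscription by default.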
@@ -0,0 +1,30 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration.')
+module baseline_rg'../resourceGroup.bicep' = {
+ name: 'baseline_rg'
+ params: {
+ parLocation: 'westeurope'
+ parResourceGroupName: 'baseline-rg'
+ parTelemetryOptOut: true
+ parTags: {
+ tag1: 'value1'
+ tag2: 'value2'
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..b86dab16
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/baseline.sample.bicep.md
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 00000000..5d21eb13
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/minimum.sample.bicep.md
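Review bot: `module baseline_rg'../resourceGroup.bicep' = {` is missing the space between the symbolic name and the module path, and the same fused form appears as `module minimum_rg'../resourceGroup.bicep' = {` in the minimum sample hunk that follows. Whether or not the Bicep tokenizer tolerates it, `module baseline_rg '../resourceGroup.bicep' = {` is the conventional spelling and matches the publicIp sample in this same change. The header comment `// Use this sample to deploy the minimum resource configuration.` was evidently copied from the minimum sample and should read `// Use this sample to deploy the baseline resource configuration.`, otherwise the two samples describe themselves identically.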
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep
new file mode 100644
index 00000000..b84ff200
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep
@@ -0,0 +1,29 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration.')
+module minimum_rg'../resourceGroup.bicep' = {
+ name: 'minimum_rg'
+ params: {
+ parLocation: 'westeurope'
+ parResourceGroupName: 'minimum-rg'
+ parTags: {
+ tag1: 'value1'
+ tag2: 'value2'
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/README.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/README.md
new file mode 100644
index 00000000..e2419c38
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/README.md
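Review bot: The minimum sample still passes the optional `parTags` object with two tags, so it never exercises the module's `parTags object = {}` default and ends up differing from the baseline sample only by `parTelemetryOptOut: true` and the resource names. A "minimum" sample is most useful when it passes only the required parameters; dropping the `parTags: { ... }` block leaves `parLocation: 'westeurope'` and `parResourceGroupName: 'minimum-rg'`, which is what readers need to see to learn what the module requires. The `// PARAMETERS` section is also empty here and in the baseline sample, so either the heading could go or a `parLocation` parameter could be introduced in place of the hard-coded region, as the publicIp sample in this change does.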
@@ -0,0 +1,185 @@ +# Module: Role Assignments for Management Groups & Subscriptions + +This module provides role assignment capabilities across Management Group & Subscription scopes. Role assignments are part of [Identity and Access Management (IAM)](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management), which is one of the critical design areas in Enterprise-Scale Architecture. The role assignments can be performed for: + +- Managed Identities (System and User Assigned) +- Service Principals +- Security Groups + +This module contains 4 Bicep templates, you may optionally choose one of these modules to deploy depending on which scope you want to assign roles from broad to narrow; management group to subscription: + +| Template | Description | Deployment Scope | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| roleAssignmentManagementGroup.bicep | Performs role assignment on one management group | Management Group | +| roleAssignmentManagementGroupMany.bicep | Performs role assignment on one or more management groups. This template uses `roleAssignmentManagementGroup.bicep` for the deployments. | Management Group | +| roleAssignmentSubscription.bicep | Performs role assignment on one subscription | Subscription | +| roleAssignmentSubscriptionMany.bicep | Performs role assignment on one or more subscriptions. This template uses `roleAssignmentSubscription.bicep` for the deployments. | Management Group | +| roleAssignmentResourceGroup.bicep | Performs role assignment on one resource group | Resource Group | +| roleAssignmentResourceGroupMany.bicep | Performs role assignment on one or more resource groups. This template uses `roleAssignmentResourceGroup.bicep` for the deployments. 
| Management Group | + +## Parameters + +The module requires the following required input parameters. + +All templates require an input for `parAssigneeObjectId` and this value is dependent on the Service Principal type. Azure CLI and PowerShell commands can be executed to identify the correct `object id`. Examples: + +### Azure CLI - Find Object ID + +```bash +# Identify Object Id for User Assigned / System Assigned Managed Identity +# Example: az identity show --resource-group rgManagedIdentities --name alz-managed-identity --query 'principalId' +az identity show --resource-group --name --query 'principalId' + +# Identify Object Id for Service Principal (App Registration) +# Require read permission to query Azure Active Directory +# Example: az ad sp show --id c705dc53-7c95-42bc-b1d5-75e172571370 --query id +az ad sp show --id --query id + +# Identify Object Id for Service Principal (App Registration) +# Require read permission to query Azure Active Directory +# Beware of duplicates, since app registation names are not unique. 
+# Example: az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}' +az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}' + +# Identify Object Id for Security Group +# Require read permission to query Azure Active Directory +# Example: az ad group show --group SG_ALZ_SECURITY --query id +az ad group show --group --query id +``` + +### PowerShell - Find Object ID + +```powershell +# Identify Object Id for User Assigned / System Assigned Managed Identity +# Example: (Get-AzADServicePrincipal -DisplayName 'alz-managed-identity').Id +(Get-AzADServicePrincipal -DisplayName '').Id + +# Identify Object Id for Service Principal (App Registration) +# Require read permission to query Azure Active Directory +# Example: (Get-AzADServicePrincipal -DisplayName 'Azure Landing Zone SPN').Id +(Get-AzADServicePrincipal -DisplayName '').Id + +# Identify Object Id for Security Group +# Require read permission to query Azure Active Directory +# Example: Get-AzureADGroup -SearchString 'SG_ALZ_SECURITY' +Connect-AzureAD +(Get-AzureADGroup -SearchString '').ObjectId +``` + +### roleAssignmentManagementGroup.bicep + +- [Link to Parameters](generateddocs/roleAssignmentManagementGroup.bicep.md) + +### roleAssignmentManagementGroupMany.bicep + +- [Link to Parameters](generateddocs/roleAssignmentManagementGroupMany.bicep.md) + +### roleAssignmentSubscription.bicep + +- [Link to Parameters](generateddocs/roleAssignmentSubscription.bicep.md) + +### roleAssignmentSubscriptionMany.bicep + +- [Link to Parameters](generateddocs/roleAssignmentSubscriptionMany.bicep.md) + +### roleAssignmentResourceGroup.bicep + +- [Link to Parameters](generateddocs/roleAssignmentResourceGroup.bicep.md) + +### roleAssignmentResourceGroupMany.bicep + +- [Link to Parameters](generateddocs/roleAssignmentResourceGroupMany.bicep.md) + +## Outputs + +*This module does not produce any outputs.* + +## Deployment + +In this example, the built-in Reader 
role will be assigned to a Service Principal account at the `alz-platform` management group scope. The inputs for this module are defined in `parameters/roleAssignmentManagementGroup.*.parameters.all.json`. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-RoleAssignmentsDeployment-${dateYMD}" +LOCATION="eastus" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" +PARAMETERS="@infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-RoleAssignmentsDeployment-${dateYMD}" +LOCATION="chinaeast2" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" +PARAMETERS="@infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-RoleAssignmentsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json' +} 
+ +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-RoleAssignmentsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` + +## Bicep Visualizer + +### Single Management Group Role Assignment + +![Bicep Visualizer - Single Management Group Role Assignment](media/bicepVisualizerMg.png "Bicep Visualizer - Single Management Group Role Assignment") + +### Many Management Group Role Assignments + +![Bicep Visualizer - Many Management Group Role Assignments](media/bicepVisualizerMgMany.png "Bicep Visualizer - Many Management Group Role Assignments") + +### Single Subscription Role Assignment + +![Bicep Visualizer - Single Subscription Role Assignment](media/bicepVisualizerSub.png "Bicep Visualizer - Single Subscription Role Assignment") + +### Many Subscription Role Assignments + +![Bicep Visualizer - Many Subscription Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Subscription Role Assignments") + +### Single Resource Group Role Assignment + +![Bicep Visualizer - Single Resource Group Role Assignment](media/bicepVisualizerSub.png "Bicep Visualizer - Single Resource Group Role Assignment") + +### Many Resource Group Role Assignments + +![Bicep Visualizer - Many Resource Group Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Resource Group Role Assignments") 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md new file mode 100644 index 00000000..af6de755 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md 
@@ -0,0 +1,80 @@ +# ALZ Bicep - Role Assignment to a Management Group + +Module used to assign a role to Management Group + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parRoleAssignmentNameGuid | No | A GUID representing the role assignment name. +parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parRoleAssignmentNameGuid + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +A GUID representing the role assignment name. + +- Default value: `[guid(managementGroup().name, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]` + +### parRoleDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) + +### parAssigneePrincipalType + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) + +- Allowed values: `Group`, `ServicePrincipal` + +### parAssigneeObjectId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Object ID of groups, service principals or managed identities. 
For managed identities use the principal id. For service principals, use the object ID and not the app ID + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.json" + }, + "parameters": { + "parRoleAssignmentNameGuid": { + "value": "[guid(managementGroup().name, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]" + }, + "parRoleDefinitionId": { + "value": "" + }, + "parAssigneePrincipalType": { + "value": "" + }, + "parAssigneeObjectId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md new file mode 100644 index 00000000..1eb63f05 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md 
@@ -0,0 +1,78 @@ +# ALZ Bicep - Role Assignment to Management Groups + +Module used to assign a Role Assignment to multiple Management Groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parManagementGroupIds | No | A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]). +parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parManagementGroupIds + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]). + +### parRoleDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) + +### parAssigneePrincipalType + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Principal type of the assignee. 
Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) + +- Allowed values: `Group`, `ServicePrincipal` + +### parAssigneeObjectId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.json" + }, + "parameters": { + "parManagementGroupIds": { + "value": [] + }, + "parRoleDefinitionId": { + "value": "" + }, + "parAssigneePrincipalType": { + "value": "" + }, + "parAssigneeObjectId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md new file mode 100644 index 00000000..a317f14e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md 
@@ -0,0 +1,80 @@ +# ALZ Bicep - Role Assignment to a Resource Group + +Module used to assign a Role Assignment to a Resource Group + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parRoleAssignmentNameGuid | No | A GUID representing the role assignment name. +parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parRoleAssignmentNameGuid + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +A GUID representing the role assignment name. + +- Default value: `[guid(resourceGroup().id, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]` + +### parRoleDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) + +### parAssigneePrincipalType + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) + +- Allowed values: `Group`, `ServicePrincipal` + +### parAssigneeObjectId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Object ID of groups, service principals or managed identities. 
For managed identities use the principal id. For service principals, use the object ID and not the app ID + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.json" + }, + "parameters": { + "parRoleAssignmentNameGuid": { + "value": "[guid(resourceGroup().id, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]" + }, + "parRoleDefinitionId": { + "value": "" + }, + "parAssigneePrincipalType": { + "value": "" + }, + "parAssigneeObjectId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md new file mode 100644 index 00000000..b8925e29 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md 
@@ -0,0 +1,78 @@ +# ALZ Bicep - Role Assignment to Resource Groups + +Module used to assign a Role Assignment to multiple Resource Groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parResourceGroupIds | No | A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01). +parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parResourceGroupIds + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01). + +### parRoleDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) + +### parAssigneePrincipalType + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Principal type of the assignee. 
Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) + +- Allowed values: `Group`, `ServicePrincipal` + +### parAssigneeObjectId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.json" + }, + "parameters": { + "parResourceGroupIds": { + "value": [] + }, + "parRoleDefinitionId": { + "value": "" + }, + "parAssigneePrincipalType": { + "value": "" + }, + "parAssigneeObjectId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md new file mode 100644 index 00000000..c92df34e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md 
@@ -0,0 +1,80 @@ +# ALZ Bicep - Role Assignment to a Subscription + +Module used to assign a Role Assignment to a Subscription + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parRoleAssignmentNameGuid | No | A GUID representing the role assignment name. +parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parRoleAssignmentNameGuid + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +A GUID representing the role assignment name. + +- Default value: `[guid(subscription().subscriptionId, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]` + +### parRoleDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) + +### parAssigneePrincipalType + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) + +- Allowed values: `Group`, `ServicePrincipal` + +### parAssigneeObjectId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Object ID of groups, service principals or managed identities. 
For managed identities use the principal id. For service principals, use the object ID and not the app ID + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.json" + }, + "parameters": { + "parRoleAssignmentNameGuid": { + "value": "[guid(subscription().subscriptionId, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]" + }, + "parRoleDefinitionId": { + "value": "" + }, + "parAssigneePrincipalType": { + "value": "" + }, + "parAssigneeObjectId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md new file mode 100644 index 00000000..c88f1049 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md 
@@ -0,0 +1,78 @@ +# ALZ Bicep - Role Assignment to Subscriptions + +Module used to assign a Role Assignment to multiple Subscriptions + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parSubscriptionIds | No | A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0). +parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) +parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) +parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parSubscriptionIds + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0). + +### parRoleDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7) + +### parAssigneePrincipalType + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity) + +- Allowed values: `Group`, `ServicePrincipal` + +### parAssigneeObjectId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Object ID of groups, service principals or managed identities. 
For managed identities use the principal id. For service principals, use the object ID and not the app ID + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.json" + }, + "parameters": { + "parSubscriptionIds": { + "value": [] + }, + "parRoleDefinitionId": { + "value": "" + }, + "parAssigneePrincipalType": { + "value": "" + }, + "parAssigneeObjectId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png new file mode 100644 index 00000000..67ff8290 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png differ diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png new file mode 100644 index 00000000..7dc7d434 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png differ diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png new file mode 100644 index 00000000..67ff8290 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png
new file mode 100644
index 00000000..971a3040
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
new file mode 100644
index 00000000..12c90c3d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.min.json
new file mode 100644
index 00000000..4501e72e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
new file mode 100644
index 00000000..8851ff75
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.min.json
new file mode 100644
index 00000000..bc5415eb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
new file mode 100644
index 00000000..12c90c3d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.min.json
new file mode 100644
index 00000000..4501e72e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
new file mode 100644
index 00000000..1e52c0bd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json
new file mode 100644
index 00000000..1e52c0bd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
new file mode 100644
index 00000000..11fd45b4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json
new file mode 100644
index 00000000..11fd45b4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
new file mode 100644
index 00000000..1e52c0bd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json
new file mode 100644
index 00000000..1e52c0bd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": [
+ "alz-platform-connectivity",
+ "alz-platform-identity"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
new file mode 100644
index 00000000..391a338c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.min.json
new file mode 100644
index 00000000..1fabe927
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
new file mode 100644
index 00000000..c5d868fb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.min.json
new file mode 100644
index 00000000..084bb341
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
new file mode 100644
index 00000000..391a338c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.min.json
new file mode 100644
index 00000000..1fabe927
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.min.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
new file mode 100644
index 00000000..b710c399
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parResourceGroupIds": {
+ "value": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx",
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.min.json
new file mode 100644
index 00000000..b710c399
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.min.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parResourceGroupIds": {
+ "value": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx",
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "ServicePrincipal"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
new file mode 100644
index 00000000..84825a5f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parResourceGroupIds": {
+ "value": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx",
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.min.json
new file mode 100644
index 00000000..84825a5f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.min.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parResourceGroupIds": {
+ "value": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx",
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx"
+ ]
+ },
+ "parRoleDefinitionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
new file mode 100644
index 00000000..b710c399
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
@@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parResourceGroupIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.min.json new file mode 100644 index 00000000..b710c399 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.min.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parResourceGroupIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json new file mode 100644 index 00000000..12c90c3d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parRoleAssignmentNameGuid": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json new file mode 100644 index 00000000..4501e72e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json new file mode 100644 index 00000000..8851ff75 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parRoleAssignmentNameGuid": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "Group" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json new file mode 100644 index 00000000..bc5415eb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "Group" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json new file mode 100644 index 00000000..12c90c3d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parRoleAssignmentNameGuid": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json new file mode 100644 index 00000000..4501e72e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json 
@@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json new file mode 100644 index 00000000..bae22200 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json new file mode 100644 index 00000000..bae22200 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json new file mode 100644 index 00000000..034a798b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "Group" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json new file mode 100644 index 00000000..034a798b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "Group" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json new file mode 100644 index 00000000..bae22200 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json 
@@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json new file mode 100644 index 00000000..bae22200 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parSubscriptionIds": { + "value": [ + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + ] + }, + "parRoleDefinitionId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parAssigneePrincipalType": { + "value": "ServicePrincipal" + }, + "parAssigneeObjectId": { + "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep new file mode 100644 index 00000000..49be41b5 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep 
@@ -0,0 +1,42 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Role Assignment to a Management Group'
+metadata description = 'Module used to assign a role to Management Group'
+
+@sys.description('A GUID representing the role assignment name.')
+param parRoleAssignmentNameGuid string = guid(managementGroup().name, parRoleDefinitionId, parAssigneeObjectId)
+
+@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+param parRoleDefinitionId string
+
+@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)')
+@allowed([
+ 'Group'
+ 'ServicePrincipal'
+])
+param parAssigneePrincipalType string
+
+@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID')
+param parAssigneeObjectId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb'
+
+resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: parRoleAssignmentNameGuid
+ properties: {
+ roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
+ principalId: parAssigneeObjectId
+ principalType: parAssigneePrincipalType
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment.
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location, parRoleAssignmentNameGuid)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep
new file mode 100644
index 00000000..8479cdc1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep
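Review bot: `parRoleDefinitionId` is documented as a bare GUID but nothing enforces it, and the `roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)` line will build a double-prefixed, invalid ID if a caller passes a full `/providers/Microsoft.Authorization/roleDefinitions/<guid>` path — which is exactly what `samples/baseline.sample.bicep` in this same commit does. A cheap way to accept both forms is to normalise before building the ID, e.g. `roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', last(split(parRoleDefinitionId, '/')))`; alternatively pin the contract with `@minLength(36)` and `@maxLength(36)` on the parameter so a bad value fails at validation instead of at deployment. Because this resource grants rights at management-group scope, I would also consider populating the role assignment's `description` property (owning pipeline or ticket) so later RBAC audits can tell these assignments apart from hand-made ones.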
@@ -0,0 +1,35 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Role Assignment to Management Groups'
+metadata description = 'Module used to assign a Role Assignment to multiple Management Groups'
+
+@sys.description('A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]).')
+param parManagementGroupIds array = []
+
+@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+param parRoleDefinitionId string
+
+@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)')
+@allowed([
+ 'Group'
+ 'ServicePrincipal'
+])
+param parAssigneePrincipalType string
+
+@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID')
+param parAssigneeObjectId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+module modRoleAssignment 'roleAssignmentManagementGroup.bicep' = [for parManagementGroupId in parManagementGroupIds: {
+ name: 'rbac-assign-${uniqueString(parManagementGroupId, parAssigneeObjectId, parRoleDefinitionId)}'
+ scope: managementGroup(parManagementGroupId)
+ params: {
+ parRoleAssignmentNameGuid: guid(parManagementGroupId, parRoleDefinitionId, parAssigneeObjectId)
+ parAssigneeObjectId: parAssigneeObjectId
+ parAssigneePrincipalType: parAssigneePrincipalType
+ parRoleDefinitionId: parRoleDefinitionId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep
new file mode 100644
index 00000000..a849ffa7
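Review bot: `parManagementGroupIds` defaults to `[]`, so a caller that forgets to set it gets a deployment that reports success while assigning nothing; for an RBAC module that silently-green outcome is easy to miss in a pipeline and only shows up later as a missing permission. If an empty list is not an intended use, `@minLength(1)` directly above `param parManagementGroupIds array = []` (or dropping the default altogether) turns the mistake into a validation error. The same `= []` default appears in the Resource-Group and Subscription `Many` variants in this commit, so whichever choice is made should be applied to all three.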
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep
@@ -0,0 +1,40 @@
+metadata name = 'ALZ Bicep - Role Assignment to a Resource Group'
+metadata description = 'Module used to assign a Role Assignment to a Resource Group'
+
+@sys.description('A GUID representing the role assignment name.')
+param parRoleAssignmentNameGuid string = guid(resourceGroup().id, parRoleDefinitionId, parAssigneeObjectId)
+
+@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+param parRoleDefinitionId string
+
+@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)')
+@allowed([
+ 'Group'
+ 'ServicePrincipal'
+])
+param parAssigneePrincipalType string
+
+@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID')
+param parAssigneeObjectId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb'
+
+resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: parRoleAssignmentNameGuid
+ properties: {
+ roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
+ principalId: parAssigneeObjectId
+ principalType: parAssigneePrincipalType
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdSubscription.bicep' = if (!parTelemetryOptOut) {
+ name: 'pid-${varCuaid}-${uniqueString(resourceGroup().id, parAssigneeObjectId)}'
+ params: {}
+ scope: subscription()
+}
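Review bot: The telemetry module is deployed with `scope: subscription()` from a resource-group-targeted module, so with the default `parTelemetryOptOut = false` the deploying identity appears to need deployment rights at the subscription, not just on the target resource group; a least-privilege deployer scoped to the RG would then fail on the telemetry deployment rather than on the role assignment itself. I would say so in the parameter description, e.g. `@sys.description('Set Parameter to true to Opt-out of deployment telemetry. Note: telemetry is deployed at subscription scope and requires deployment rights on the subscription.')`. Separately, the default `parRoleAssignmentNameGuid` seeds `guid()` with `resourceGroup().id` while the `roleAssignmentResourceGroupMany` wrapper passes `guid('<subId>/<rgName>', ...)`, so the same assignment gets a different name depending on the entry point; each path is idempotent on its own, but reaching the same RG through both would likely collide with a RoleAssignmentExists conflict rather than no-op.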
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep
new file mode 100644
index 00000000..46dae5dc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep
@@ -0,0 +1,35 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Role Assignment to Resource Groups'
+metadata description = 'Module used to assign a Role Assignment to multiple Resource Groups'
+
+@sys.description('A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01).')
+param parResourceGroupIds array = []
+
+@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+param parRoleDefinitionId string
+
+@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)')
+@allowed([
+ 'Group'
+ 'ServicePrincipal'
+])
+param parAssigneePrincipalType string
+
+@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID')
+param parAssigneeObjectId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+module modRoleAssignment 'roleAssignmentResourceGroup.bicep' = [for resourceGroupId in parResourceGroupIds: {
+ name: 'rbac-assign-${uniqueString(resourceGroupId, parAssigneeObjectId, parRoleDefinitionId)}'
+ scope: resourceGroup(split(resourceGroupId, '/')[0], split(resourceGroupId, '/')[1])
+ params: {
+ parRoleAssignmentNameGuid: guid(resourceGroupId, parRoleDefinitionId, parAssigneeObjectId)
+ parAssigneeObjectId: parAssigneeObjectId
+ parAssigneePrincipalType: parAssigneePrincipalType
+ parRoleDefinitionId: parRoleDefinitionId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
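Review bot: `scope: resourceGroup(split(resourceGroupId, '/')[0], split(resourceGroupId, '/')[1])` trusts that every entry is exactly `subscriptionId/resourceGroupName`; an entry without a `/` fails with an index-out-of-range error that does not name the offending value, and an entry with extra segments (for example a pasted full resource ID starting with `/subscriptions/`) silently picks the wrong two pieces and targets the wrong scope or fails late. Bicep cannot regex-validate array elements, so the description is the real guard here — I would tighten it to say the value must contain exactly one `/` and that full resource IDs are not accepted, e.g. `@sys.description('A list of Resource Groups in the form subscriptionId/resourceGroupName (exactly one \'/\'; full resource IDs are not accepted), i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01.')`. Splitting once into a named `var` of `{ sub, rg }` objects would also make the scope line readable and give a single place to add validation later.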
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep
new file mode 100644
index 00000000..a8b5a4dd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep
@@ -0,0 +1,41 @@
+targetScope = 'subscription'
+
+metadata name = 'ALZ Bicep - Role Assignment to a Subscription'
+metadata description = 'Module used to assign a Role Assignment to a Subscription'
+
+@sys.description('A GUID representing the role assignment name.')
+param parRoleAssignmentNameGuid string = guid(subscription().subscriptionId, parRoleDefinitionId, parAssigneeObjectId)
+
+@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+param parRoleDefinitionId string
+
+@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)')
+@allowed([
+ 'Group'
+ 'ServicePrincipal'
+])
+param parAssigneePrincipalType string
+
+@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID')
+param parAssigneeObjectId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '59c2ac61-cd36-413b-b999-86a3e0d958fb'
+
+resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: parRoleAssignmentNameGuid
+ properties: {
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parRoleDefinitionId)
+ principalId: parAssigneeObjectId
+ principalType: parAssigneePrincipalType
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdSubscription.bicep' = if (!parTelemetryOptOut) {
+ name: 'pid-${varCuaid}-${uniqueString(subscription().subscriptionId, parAssigneeObjectId)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep
new file mode 100644
index 00000000..3da103f0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep
@@ -0,0 +1,35 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Role Assignment to Subscriptions'
+metadata description = 'Module used to assign a Role Assignment to multiple Subscriptions'
+
+@sys.description('A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0).')
+param parSubscriptionIds array = []
+
+@sys.description('Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)')
+param parRoleDefinitionId string
+
+@sys.description('Principal type of the assignee. Allowed values are \'Group\' (Security Group) or \'ServicePrincipal\' (Service Principal or System/User Assigned Managed Identity)')
+@allowed([
+ 'Group'
+ 'ServicePrincipal'
+])
+param parAssigneePrincipalType string
+
+@sys.description('Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID')
+param parAssigneeObjectId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+module modRoleAssignment 'roleAssignmentSubscription.bicep' = [for subscriptionId in parSubscriptionIds: {
+ name: 'rbac-assign-${uniqueString(subscriptionId, parAssigneeObjectId, parRoleDefinitionId)}'
+ scope: subscription(subscriptionId)
+ params: {
+ parRoleAssignmentNameGuid: guid(subscriptionId, parRoleDefinitionId, parAssigneeObjectId)
+ parAssigneeObjectId: parAssigneeObjectId
+ parAssigneePrincipalType: parAssigneePrincipalType
+ parRoleDefinitionId: parRoleDefinitionId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep
new file mode 100644
index 00000000..c74beafa
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep
@@ -0,0 +1,28 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+var roleDefinitionId = '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+var assigneeObjectId = '00000000-0000-0000-0000-000000000000'
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration.')
+module baseline_ra '../roleAssignmentManagementGroup.bicep' = {
+ name: 'baseline_ra'
+ params: {
+ parRoleDefinitionId: roleDefinitionId
+ parAssigneePrincipalType: 'Group'
+ parAssigneeObjectId: assigneeObjectId
+ parTelemetryOptOut: true
+ parRoleAssignmentNameGuid: guid(managementGroup().name, roleDefinitionId, assigneeObjectId)
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..2218747d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/baseline.sample.bicep.md
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 00000000..b690af81
--- /dev/null
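Review bot: `var roleDefinitionId = '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-...'` passes a full resource path into a module whose `parRoleDefinitionId` is documented as a bare GUID and is wrapped in `tenantResourceId(...)`, which as far as I can tell yields a double-prefixed, invalid role definition ID at deploy time — so this "baseline" sample likely does not deploy as written. `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` is also the built-in Owner role, meaning the sample grants the broadest possible rights at management-group scope to whatever group ID a reader pastes in. I would change it to `var roleDefinitionId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' // Reader (built-in)`, matching the module's own description and the minimum sample, or at least keep the GUID form and add a comment that Owner is the highest-privilege built-in role and is used for illustration only.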
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/minimum.sample.bicep.md
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep
new file mode 100644
index 00000000..375777b7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep
@@ -0,0 +1,26 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration.')
+module ra_mg'../roleAssignmentManagementGroup.bicep' = {
+ name: 'ra_mg'
+ params: {
+ parRoleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ parAssigneePrincipalType: 'Group'
+ parAssigneeObjectId: '00000000-0000-0000-0000-000000000000'
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/README.md b/dependencies/infra-as-code/bicep/modules/spokeNetworking/README.md
new file mode 100644
index 00000000..83fbc334
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/README.md
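Review bot: `module ra_mg'../roleAssignmentManagementGroup.bicep' = {` is missing the space between the symbolic name and the module path; whether or not the Bicep lexer happens to tolerate it, it reads as a typo and `bicep format` would not emit it — `module ra_mg '../roleAssignmentManagementGroup.bicep' = {`. This sample also leaves `parTelemetryOptOut` at its default (telemetry on) while `baseline.sample.bicep` in the same commit sets it to `true`; aligning the two (or adding a one-line comment explaining the difference) would stop readers guessing which posture is recommended. On the positive side, using the Reader GUID here matches the module's parameter contract, which the baseline sample does not.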
@@ -0,0 +1,160 @@ +# Module: Spoke Networking + +This module defines spoke networking based on the recommendations from the Azure Landing Zone Conceptual Architecture. If enabled spoke will route traffic to Hub Network with NVA. + +Module deploys the following resources: + +- Virtual Network (Spoke VNet) +- Route Table with route to NVA - if Firewall is enabled + +> ## Note +> +> ### Orchestration +> +> Consider using the `hubPeeredSpoke` orchestration module instead to simplify spoke networking deployment, VNET Peering, UDR configuration and Subscription placement in a single module. [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke) +> +> ### Subnet Declaration +> +> This module only deploys the skeleton of a virtual network. Subnet(s) are not created nor does this module support declaring them. This is a blank vNet with the expectation of handing it over to the app/workload team to create their subnet(s), etc. The ALZ-Bicep core team decided not to add subnet support due to: +> +> - Complexity of managing all of the subnet properties, including NSG, UDR, service endpoints, subnet delegations, etc. +> - Intellisense will be a challenge as we'll be using an array of objects to define the subnet properties +> - Feature parity with ALZ Azure Portal and Terraform experience +> - Future updates to the virtual network resource provider could change the way we manage subnets as a child and/or a separate resource object. All to say this future change could make it easier to manage a subnet declaration within this module +> +> To customize spoke networking to include subnet declarations, we recommend the use of the following ordered methods: +> +> 1. [CARML](https://aka.ms/carml) - Utilize this mature Bicep repo for resource deployments +> 2. [Fork](https://docs.github.com/en/get-started/quickstart/fork-a-repo) this repo and customize the modules accordingly +> 3. 
Write your own custom module + +## Parameters + +- [Link to Parameters](generateddocs/spokeNetworking.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| --------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------- | +| outSpokeVirtualNetworkName | string | Corp-Spoke-eastus | +| outSpokeVirtualNetworkId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxx/resourceGroups/net-core-hub-eastus-rg/providers/Microsoft.Network/virtualNetworks/vnet-hub-eastus | + +## Deployment + +This module is intended to be called from other modules as a reusable resource, but an example on how to deploy has been added below for completeness. + +In this example, the spoke resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the spoke resources should be deployed into the Landing Zones subscriptions. During the deployment step, we will take the parameters provided in the example parameter files. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +# For Azure global regions +# Set Azure Landing zone subscription ID as the the current subscription +LandingZoneSubscriptionId="[your landing zone subscription ID]" + +az account set --subscription $LandingZoneSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-SpokeNetworkingDeployment-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-spoke-networking-001" +TEMPLATEFILE="infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep" +PARAMETERS="@infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location eastus + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +LandingZoneSubscriptionId="[your landing zone subscription ID]" + +az account set --subscription $LandingZoneSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-SpokeNetworkingDeployment-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-spoke-networking-001" +TEMPLATEFILE="infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep" +PARAMETERS="@infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location chinaeast2 + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions +# Set Platform connectivity subscription ID as the the current subscription +$LandingZoneSubscriptionId = "[your landing zone subscription ID]" + +Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-SpokeNetworkingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-spoke-networking-001" + TemplateParameterFile = "infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json" + TemplateFile = "infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep" +} + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'eastus' + +New-AzResourceGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +$LandingZoneSubscriptionId = "[your landing zone subscription ID]" + +Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-SpokeNetworkingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-spoke-networking-001" + TemplateParameterFile = "infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json" + TemplateFile = "infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep" +} + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'chinaeast2' + +New-AzResourceGroupDeployment @inputObject +``` +## Example Output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") + + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/generateddocs/spokeNetworking.bicep.md b/dependencies/infra-as-code/bicep/modules/spokeNetworking/generateddocs/spokeNetworking.bicep.md
new file mode 100644
index 00000000..fa92ea91
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/generateddocs/spokeNetworking.bicep.md
@@ -0,0 +1,143 @@ +# ALZ Bicep - Spoke Networking module + +This module creates spoke networking resources + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | The Azure Region to deploy the resources into. +parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. +parDdosProtectionPlanId | No | Id of the DdosProtectionPlan which will be applied to the Virtual Network. +parSpokeNetworkAddressPrefix | No | The IP address range for all virtual networks to use. +parSpokeNetworkName | No | The Name of the Spoke Virtual Network. +parDnsServerIps | No | Array of DNS Server IP addresses for VNet. +parNextHopIpAddress | No | IP Address where network traffic should route to leveraged with DNS Proxy. +parSpokeToHubRouteTableName | No | Name of Route table to create for the default route of Hub. +parTags | No | Tags you would like to be applied to all resources in this module. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Region to deploy the resources into. + +- Default value: `[resourceGroup().location]` + +### parDisableBgpRoutePropagation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable BGP Propagation on route table. + +- Default value: `False` + +### parDdosProtectionPlanId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Id of the DdosProtectionPlan which will be applied to the Virtual Network. + +### parSpokeNetworkAddressPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The IP address range for all virtual networks to use. 
+ +- Default value: `10.11.0.0/16` + +### parSpokeNetworkName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Name of the Spoke Virtual Network. + +- Default value: `vnet-spoke` + +### parDnsServerIps + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of DNS Server IP addresses for VNet. + +### parNextHopIpAddress + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +IP Address where network traffic should route to leveraged with DNS Proxy. + +### parSpokeToHubRouteTableName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name of Route table to create for the default route of Hub. + +- Default value: `rtb-spoke-to-hub` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
+ +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outSpokeVirtualNetworkName | string | +outSpokeVirtualNetworkId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parDdosProtectionPlanId": { + "value": "" + }, + "parSpokeNetworkAddressPrefix": { + "value": "10.11.0.0/16" + }, + "parSpokeNetworkName": { + "value": "vnet-spoke" + }, + "parDnsServerIps": { + "value": [] + }, + "parNextHopIpAddress": { + "value": "" + }, + "parSpokeToHubRouteTableName": { + "value": "rtb-spoke-to-hub" + }, + "parTags": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/spokeNetworking/media/bicepVisualizer.png new file mode 100644 index 00000000..15bb67e7 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/spokeNetworking/media/bicepVisualizer.png differ diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png new file mode 100644 index 00000000..a5f04f62 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json b/dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json
new file mode 100644
index 00000000..112b11a0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "eastus"
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parDdosProtectionPlanId": {
+ "value": ""
+ },
+ "parSpokeNetworkAddressPrefix": {
+ "value": "10.11.0.0/16"
+ },
+ "parSpokeNetworkName": {
+ "value": "vnet-spoke"
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parNextHopIpAddress": {
+ "value": ""
+ },
+ "parSpokeToHubRouteTableName": {
+ "value": "rtb-spoke-to-hub"
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json b/dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json
new file mode 100644
index 00000000..a6a79350
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parDdosProtectionPlanId": {
+ "value": ""
+ },
+ "parSpokeNetworkAddressPrefix": {
+ "value": "10.11.0.0/16"
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parNextHopIpAddress": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.bicep
new file mode 100644
index 00000000..84cbb6f5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.bicep
@@ -0,0 +1,41 @@
+
+//
+// baseline deployment sample
+//
+
+// Use this sample to deploy the baseline resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+@description('Specifies the location for resources.')
+param location string = 'eastus'
+// ---------
+// RESOURCES
+// ---------
+
+@description('baseline resource configuration.')
+module spoke_nw '../spokeNetworking.bicep' = {
+ name: 'spoke_nw'
+ params: {
+ parLocation: location
+ parDisableBgpRoutePropagation: false
+ parSpokeNetworkAddressPrefix: '10.1.0.0/16'
+ parSpokeNetworkName: 'spoke'
+ parDdosProtectionPlanId: 'ddosProtectionPlanId'
+ parSpokeToHubRouteTableName: 'spokeToHubRouteTable'
+ parTelemetryOptOut: false
+ parTags: {
+ Environment: 'Dev'
+ CostCenter: 'IT'
+ }
+ parDnsServerIps: [
+ '10.1.1.100'
+ '10.1.1.101'
+ ]
+ parNextHopIpAddress: '10.1.0.10'
+
+ }
+}
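Review bot: `parDdosProtectionPlanId: 'ddosProtectionPlanId'` in spokeNetworking/samples/baseline.sample.bicep is a placeholder string, not a resource ID, and the module it feeds turns on `enableDdosProtection` and sets `ddosProtectionPlan.id` whenever the value is non-empty, so this sample as written will most likely be rejected for an invalid plan reference instead of deploying a baseline spoke; the same placeholder is in spokeNetworking/samples/minimum.sample.bicep below. The module defaults the parameter to `''`, which leaves DDoS protection off, so either omit the parameter from the samples or expose it as a sample parameter with an empty default, e.g. `@description('Resource ID of an existing DDoS protection plan; leave empty to deploy without one.')` followed by `param ddosProtectionPlanId string = ''` and `parDdosProtectionPlanId: ddosProtectionPlanId`. Whichever way, a comment stating that a real plan ID must be supplied would stop the sample being copied verbatim.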
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..e094672b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/baseline.sample.bicep.md
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | Specifies the location for resources.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Specifies the location for resources.
+
+- Default value: `eastus`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "eastus"
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 00000000..5f13a47a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/minimum.sample.bicep.md
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | Specifies the location for resources.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Specifies the location for resources.
+
+- Default value: `eastus`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "eastus"
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep
new file mode 100644
index 00000000..114a2d1a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep
@@ -0,0 +1,34 @@
+
+
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+@description('Specifies the location for resources.')
+param location string = 'eastus'
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration.')
+module spoke_nw '../spokeNetworking.bicep' = {
+ name: 'spoke_nw'
+ params: {
+ parLocation: location
+ parDdosProtectionPlanId: 'ddosProtectionPlanId'
+ parSpokeNetworkAddressPrefix: '10.1.0.0/16'
+ parDnsServerIps: [
+ '10.1.1.100'
+ '10.1.1.101'
+ ]
+ parNextHopIpAddress: '10.10.10.10'
+
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep b/dependencies/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep
new file mode 100644
index 00000000..67946db5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep 
@@ -0,0 +1,85 @@
+metadata name = 'ALZ Bicep - Spoke Networking module'
+metadata description = 'This module creates spoke networking resources'
+
+@sys.description('The Azure Region to deploy the resources into.')
+param parLocation string = resourceGroup().location
+
+@sys.description('Switch to enable/disable BGP Propagation on route table.')
+param parDisableBgpRoutePropagation bool = false
+
+@sys.description('Id of the DdosProtectionPlan which will be applied to the Virtual Network.')
+param parDdosProtectionPlanId string = ''
+
+@sys.description('The IP address range for all virtual networks to use.')
+param parSpokeNetworkAddressPrefix string = '10.11.0.0/16'
+
+@sys.description('The Name of the Spoke Virtual Network.')
+param parSpokeNetworkName string = 'vnet-spoke'
+
+@sys.description('Array of DNS Server IP addresses for VNet.')
+param parDnsServerIps array = []
+
+@sys.description('IP Address where network traffic should route to leveraged with DNS Proxy.')
+param parNextHopIpAddress string = ''
+
+@sys.description('Name of Route table to create for the default route of Hub.')
+param parSpokeToHubRouteTableName string = 'rtb-spoke-to-hub'
+
+@sys.description('Tags you would like to be applied to all resources in this module.')
+param parTags object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '0c428583-f2a1-4448-975c-2d6262fd193a'
+
+//If Ddos parameter is true Ddos will be Enabled on the Virtual Network
+//If Azure Firewall is enabled and Network DNS Proxy is enabled DNS will be configured to point to AzureFirewall
+resource resSpokeVirtualNetwork 'Microsoft.Network/virtualNetworks@2023-02-01' = {
+ name: parSpokeNetworkName
+ location: parLocation
+ tags: parTags
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ parSpokeNetworkAddressPrefix
+ ]
+ }
+ enableDdosProtection: (!empty(parDdosProtectionPlanId) ? true : false)
+ ddosProtectionPlan: (!empty(parDdosProtectionPlanId) ? true : false) ? {
+ id: parDdosProtectionPlanId
+ } : null
+ dhcpOptions: (!empty(parDnsServerIps) ? true : false) ? {
+ dnsServers: parDnsServerIps
+ } : null
+ }
+}
+
+resource resSpokeToHubRouteTable 'Microsoft.Network/routeTables@2023-02-01' = if (!empty(parNextHopIpAddress)) {
+ name: parSpokeToHubRouteTableName
+ location: parLocation
+ tags: parTags
+ properties: {
+ routes: [
+ {
+ name: 'udr-default-to-hub-nva'
+ properties: {
+ addressPrefix: '0.0.0.0/0'
+ nextHopType: 'VirtualAppliance'
+ nextHopIpAddress: parNextHopIpAddress
+ }
+ }
+ ]
+ disableBgpRoutePropagation: parDisableBgpRoutePropagation
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ name: 'pid-${varCuaid}-${uniqueString(resourceGroup().id)}'
+ params: {}
+}
+
+output outSpokeVirtualNetworkName string = resSpokeVirtualNetwork.name
+output outSpokeVirtualNetworkId string = resSpokeVirtualNetwork.id
diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/README.md b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/README.md
new file mode 100644
index 00000000..ae04528b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/README.md
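Review bot: The `(!empty(x) ? true : false)` expressions in resSpokeVirtualNetwork wrap a value that is already a boolean, and the `ddosProtectionPlan` and `dhcpOptions` lines then stack a second `? :` on top of the first; simplify to `enableDdosProtection: !empty(parDdosProtectionPlanId)`, `ddosProtectionPlan: !empty(parDdosProtectionPlanId) ? { id: parDdosProtectionPlanId } : null` and `dhcpOptions: !empty(parDnsServerIps) ? { dnsServers: parDnsServerIps } : null`. The decorator on `parNextHopIpAddress` ("leveraged with DNS Proxy") describes the wrong feature: in this file the value is the VirtualAppliance next hop of the `0.0.0.0/0` route in resSpokeToHubRouteTable, and the route table is only created when the value is non-empty, so say that, e.g. `@sys.description('Next-hop IP of the hub NVA/firewall for the default route. Leave empty to skip creating the route table.')`. Likewise the two `//If ...` comments above the VNet resource talk about Azure Firewall and DNS proxy, which nothing in this module configures — the DNS servers come straight from parDnsServerIps — so they should be reworded to describe what the resource actually does. A reader should also be told that the route table is not associated with any subnet here (the README says subnets are deliberately out of scope), so the default route takes effect only once a subnet is attached to it.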
@@ -0,0 +1,80 @@ +# Module: Subscription Placement + +This module moves one or more subscriptions to be a child of the specified management group. Once the subscription(s) are moved under the management group, Azure Policies assigned to the management group or its parent management group(s) will begin to govern the subscription(s). + +> Consider using the `subPlacementAll` orchestration module instead to simplify Subscription placement across your entire Management Group hierarchy in a single module. [infra-as-code/bicep/orchestration/subPlacementAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/subPlacementAll) + +## Parameters + +- [Link to Parameters](generateddocs/subscriptionPlacement.bicep.md) + +## Outputs + +*This module does not produce any outputs.* + +## Deployment + +In this example, the subscription `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` will be moved to `alz-platform-connectivity` management group. The inputs for this module are defined in `parameters/subscriptionPlacement.parameters.all.json`. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
+ +### Azure CLI + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-SubscriptionPlacementDeployment-${dateYMD}" +LOCATION="eastus" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep" +PARAMETERS="@infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-SubscriptionPlacementDeployment-${dateYMD}" +LOCATION="chinaeast2" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep" +PARAMETERS="@infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-SubscriptionPlacementDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-SubscriptionPlacementDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep" + TemplateParameterFile = 
'infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json' +} +New-AzManagementGroupDeployment @inputObject +``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/generateddocs/subscriptionPlacement.bicep.md b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/generateddocs/subscriptionPlacement.bicep.md new file mode 100644 index 00000000..e2757378 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/generateddocs/subscriptionPlacement.bicep.md 
@@ -0,0 +1,56 @@ +# ALZ Bicep - Subscription Placement module + +Module used to place subscriptions in management groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parSubscriptionIds | No | Array of Subscription Ids that should be moved to the new management group. +parTargetManagementGroupId | Yes | Target management group for the subscription. This management group must exist. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parSubscriptionIds + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of Subscription Ids that should be moved to the new management group. + +### parTargetManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Target management group for the subscription. This management group must exist. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.json" + }, + "parameters": { + "parSubscriptionIds": { + "value": [] + }, + "parTargetManagementGroupId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/media/bicepVisualizer.png new file mode 100644 index 00000000..ea41938e Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/media/bicepVisualizer.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json
new file mode 100644
index 00000000..2ed01fb8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json
@@ -0,0 +1,17 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTargetManagementGroupId": {
+ "value": "alz-platform-connectivity"
+ },
+ "parSubscriptionIds": {
+ "value": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ ]
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json
new file mode 100644
index 00000000..2ed01fb8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json
@@ -0,0 +1,17 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTargetManagementGroupId": {
+ "value": "alz-platform-connectivity"
+ },
+ "parSubscriptionIds": {
+ "value": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ ]
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep
new file mode 100644
index 00000000..8a30d722
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep
@@ -0,0 +1,28 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration.')
+module sub_placement '../subscriptionPlacement.bicep' = {
+ name: 'sub_placement'
+ params: {
+ parSubscriptionIds: [
+ '00000000-0000-0000-0000-000000000000'
+ '11111111-1111-1111-1111-111111111111'
+ ]
+ parTelemetryOptOut: true
+ parTargetManagementGroupId: '22222222-2222-2222-2222-222222222222'
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..fe968765
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/baseline.sample.bicep.md
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 00000000..4767d929
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/minimum.sample.bicep.md
@@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep new file mode 100644 index 00000000..193b3820 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep @@ -0,0 +1,27 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'managementGroup' + +// ---------- +// PARAMETERS +// ---------- + +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration.') +module sub_placement '../subscriptionPlacement.bicep' = { + name: 'sub_placement' + params: { + parSubscriptionIds: [ + '00000000-0000-0000-0000-000000000000' + '11111111-1111-1111-1111-111111111111' + ] + parTargetManagementGroupId: '22222222-2222-2222-2222-222222222222' + } +} diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep new file mode 100644 index 00000000..05afee52 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep 
@@ -0,0 +1,28 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Subscription Placement module'
+metadata description = 'Module used to place subscriptions in management groups'
+
+@sys.description('Array of Subscription Ids that should be moved to the new management group.')
+param parSubscriptionIds array = []
+
+@sys.description('Target management group for the subscription. This management group must exist.')
+param parTargetManagementGroupId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '3dfa9e81-f0cf-4b25-858e-167937fd380b'
+
+resource resSubscriptionPlacement 'Microsoft.Management/managementGroups/subscriptions@2023-04-01' = [for subscriptionId in parSubscriptionIds: {
+ scope: tenant()
+ name: '${parTargetManagementGroupId}/${subscriptionId}'
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/README.md b/dependencies/infra-as-code/bicep/modules/vnetPeering/README.md
new file mode 100644
index 00000000..112be81a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/README.md
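Review bot: `param parTargetManagementGroupId string` accepts an empty string, and its only use is the interpolated `name: '${parTargetManagementGroupId}/${subscriptionId}'` inside the `resSubscriptionPlacement` loop, so a blank or mistyped value surfaces only when the tenant-scoped resource fails at deployment time; decorating the parameter with `@minLength(1)` rejects at least the empty case at compile time. Moving a subscription between management groups also changes which Azure Policy assignments and inherited role assignments apply to it, and the current `@sys.description` says nothing about that; suggested wording: `@sys.description('Target management group for the subscription. This management group must exist. Moving a subscription changes the policy assignments and RBAC it inherits, so review both before deploying.')`. The deploying identity presumably needs write permission on both the subscription being moved and the target management group — worth stating in `metadata description` so operators do not discover it as a deployment-time authorization error. Since `parSubscriptionIds` defaults to `[]`, an omitted parameter makes the module a silent no-op; a one-line comment above the loop noting that would save a confused operator some time.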
@@ -0,0 +1,149 @@ +# Module: VNet Peering + +This module creates a virtual network peering connection between two virtual networks and is to be utilized by other modules. Module will need to be called twice to create the completed peering. Each time with a peering direction. This allows for peering between different subscriptions. + +**Peering Options Documentation:** + +- [https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering) +- [https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#create-a-peering](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#create-a-peering) + +Module deploys the following resources: + +- Virtual Network Peering + +> Consider using the `hubPeeredSpoke` orchestration module instead to simplify spoke networking deployment, VNET Peering, UDR configuration and Subscription placement in a single module. [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke) + +## Parameters + +- [Link to Parameters](generateddocs/vnetPeering.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| ------ | ---- | ------- | + +## Deployment + +In this example, the remote spoke VNet will be peered with the Hub VNet in the Connectivity subscription. + +> Note that the example configures the peering only one way, to complete the peering you will need to repeat the process with a separate parameter file with reverse parameters. + +During the deployment step, we will take parameters provided in the example parameters file. 
+ + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ------------------- | ---------------------------------------- | + | All regions | vnetPeering.bicep | parameters/vnetPeering.parameters.all.json | + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI +**NOTE: As there is some PowerShell code within the CLI, there is a requirement to execute the deployments in a cross-platform terminal which has PowerShell installed.** +```bash +# For Azure global regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +LandingZoneSubscriptionId="[your Landing Zone subscription ID]" +az account set --subscription $LandingZoneSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-vnetPeeringDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-vnet-peering-001" +TEMPLATEFILE="infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep" +PARAMETERS="@infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location eastus + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +LandingZoneSubscriptionId="[your Landing Zone subscription ID]" +az account set --subscription $LandingZoneSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-vnetPeeringDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-vnet-peering-001" +TEMPLATEFILE="infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep" +PARAMETERS="@infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location chinaeast2 + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$LandingZoneSubscriptionId = "[your Landing Zone subscription ID]" + +Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +# Create Resource Group - optional when using an existing resource group +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location eastus + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-vnetPeeringDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-vnet-peering-001" + TemplateFile = "ALZ-Bicep/infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json" +} + +New-AzResourceGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$LandingZoneSubscriptionId = "[your Landing Zone subscription ID]" + +Select-AzSubscription -SubscriptionId $LandingZoneSubscriptionId + +# Create Resource Group - optional when using an existing resource group 
+New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location chinaeast2 + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-vnetPeeringDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-vnet-peering-001" + TemplateFile = "ALZ-Bicep/infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json" +} + +New-AzResourceGroupDeployment @inputObject +``` + +## Example output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/generateddocs/vnetPeering.bicep.md b/dependencies/infra-as-code/bicep/modules/vnetPeering/generateddocs/vnetPeering.bicep.md new file mode 100644 index 00000000..909854c7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/generateddocs/vnetPeering.bicep.md 
@@ -0,0 +1,114 @@ +# ALZ Bicep - Virtual Network Peering module + +Module used to set up Virtual Network Peering between Virtual Networks + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parDestinationVirtualNetworkId | Yes | Virtual Network ID of Virtual Network destination. +parSourceVirtualNetworkName | Yes | Name of source Virtual Network we are peering. +parDestinationVirtualNetworkName | Yes | Name of destination virtual network we are peering. +parAllowVirtualNetworkAccess | No | Switch to enable/disable Virtual Network Access for the Network Peer. +parAllowForwardedTraffic | No | Switch to enable/disable forwarded traffic for the Network Peer. +parAllowGatewayTransit | No | Switch to enable/disable gateway transit for the Network Peer. +parUseRemoteGateways | No | Switch to enable/disable remote gateway for the Network Peer. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parDestinationVirtualNetworkId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Virtual Network ID of Virtual Network destination. + +### parSourceVirtualNetworkName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Name of source Virtual Network we are peering. + +### parDestinationVirtualNetworkName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Name of destination virtual network we are peering. + +### parAllowVirtualNetworkAccess + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Virtual Network Access for the Network Peer. + +- Default value: `True` + +### parAllowForwardedTraffic + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable forwarded traffic for the Network Peer. 
+ +- Default value: `True` + +### parAllowGatewayTransit + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable gateway transit for the Network Peer. + +- Default value: `False` + +### parUseRemoteGateways + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable remote gateway for the Network Peer. + +- Default value: `False` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vnetPeering/vnetPeering.json" + }, + "parameters": { + "parDestinationVirtualNetworkId": { + "value": "" + }, + "parSourceVirtualNetworkName": { + "value": "" + }, + "parDestinationVirtualNetworkName": { + "value": "" + }, + "parAllowVirtualNetworkAccess": { + "value": true + }, + "parAllowForwardedTraffic": { + "value": true + }, + "parAllowGatewayTransit": { + "value": false + }, + "parUseRemoteGateways": { + "value": false + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/vnetPeering/media/bicepVisualizer.png new file mode 100644 index 00000000..7ae162d2 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vnetPeering/media/bicepVisualizer.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png new file mode 100644 index 00000000..e10148bc Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png differ diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json b/dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json new file mode 100644 index 00000000..90e26b48 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json @@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parDestinationVirtualNetworkId": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" + }, + "parSourceVirtualNetworkName": { + "value": "vnet-spoke" + }, + "parDestinationVirtualNetworkName": { + "value": "alz-hub-eastus" + }, + "parAllowVirtualNetworkAccess": { + "value": true + }, + "parAllowForwardedTraffic": { + "value": true + }, + "parAllowGatewayTransit": { + "value": false + }, + "parUseRemoteGateways": { + "value": false + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json b/dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json new file mode 100644 index 00000000..90e26b48 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json 
@@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parDestinationVirtualNetworkId": { + "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus" + }, + "parSourceVirtualNetworkName": { + "value": "vnet-spoke" + }, + "parDestinationVirtualNetworkName": { + "value": "alz-hub-eastus" + }, + "parAllowVirtualNetworkAccess": { + "value": true + }, + "parAllowForwardedTraffic": { + "value": true + }, + "parAllowGatewayTransit": { + "value": false + }, + "parUseRemoteGateways": { + "value": false + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep new file mode 100644 index 00000000..994bd420 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep @@ -0,0 +1,30 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'resourceGroup' + +// ---------- +// PARAMETERS +// ---------- + +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module baseline_vnet_peering '../vnetPeering.bicep' = { + name: 'baseline_vnet_peering' + params: { + parDestinationVirtualNetworkId: '/subscriptions/xxxxx-xxxx-xxxx-xx-xxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/' + parDestinationVirtualNetworkName: '' + parSourceVirtualNetworkName: '' + parAllowVirtualNetworkAccess: true + parAllowForwardedTraffic: true + parAllowGatewayTransit: false + parUseRemoteGateways: false + parTelemetryOptOut: false + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/baseline.sample.bicep.md new file mode 100644 index 00000000..39868f0e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/baseline.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..06926a40 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep new file mode 100644 index 00000000..c897828d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep 
@@ -0,0 +1,25 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'resourceGroup' + +// ---------- +// PARAMETERS +// ---------- + +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module minimum_vnet_peering '../vnetPeering.bicep' = { + name: 'minimum_vnet_peering' + params: { + parDestinationVirtualNetworkId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/' + parDestinationVirtualNetworkName: '' + parSourceVirtualNetworkName: '' + } +} diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep b/dependencies/infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep new file mode 100644 index 00000000..d27fdb1b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep 
@@ -0,0 +1,49 @@
+metadata name = 'ALZ Bicep - Virtual Network Peering module'
+metadata description = 'Module used to set up Virtual Network Peering between Virtual Networks'
+
+@sys.description('Virtual Network ID of Virtual Network destination.')
+param parDestinationVirtualNetworkId string
+
+@sys.description('Name of source Virtual Network we are peering.')
+param parSourceVirtualNetworkName string
+
+@sys.description('Name of destination virtual network we are peering.')
+param parDestinationVirtualNetworkName string
+
+@sys.description('Switch to enable/disable Virtual Network Access for the Network Peer.')
+param parAllowVirtualNetworkAccess bool = true
+
+@sys.description('Switch to enable/disable forwarded traffic for the Network Peer.')
+param parAllowForwardedTraffic bool = true
+
+@sys.description('Switch to enable/disable gateway transit for the Network Peer.')
+param parAllowGatewayTransit bool = false
+
+@sys.description('Switch to enable/disable remote gateway for the Network Peer.')
+param parUseRemoteGateways bool = false
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaId = 'ab8e3b12-b0fa-40aa-8630-e3f7699e2142'
+
+resource resVirtualNetworkPeer 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-02-01' = {
+ name: '${parSourceVirtualNetworkName}/peer-to-${parDestinationVirtualNetworkName}'
+ properties: {
+ allowVirtualNetworkAccess: parAllowVirtualNetworkAccess
+ allowForwardedTraffic: parAllowForwardedTraffic
+ allowGatewayTransit: parAllowGatewayTransit
+ useRemoteGateways: parUseRemoteGateways
+ remoteVirtualNetwork: {
+ id: parDestinationVirtualNetworkId
+ }
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaId}-${uniqueString(resourceGroup().location)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/README.md b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/README.md
new file mode 100644
index 00000000..b0cb34c0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/README.md
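Review bot: `param parAllowForwardedTraffic bool = true` is passed straight into `allowForwardedTraffic` on `resVirtualNetworkPeer`, so by default the source VNet accepts traffic that the peer VNet forwards on behalf of other networks (typically through an NVA or firewall in the remote VNet), and the `@sys.description` does not say so; suggested wording: `@sys.description('Switch to enable/disable forwarded traffic for the Network Peer. When true, traffic forwarded by an NVA in the remote VNet is accepted; keep true only where the remote VNet is a trusted hub.')`. Nothing prevents `parAllowGatewayTransit` and `parUseRemoteGateways` both being `true` on the same peering, which Azure presumably rejects only at deployment time, so both descriptions should state that the two are mutually exclusive. `parDestinationVirtualNetworkName` is used only to build the peering name and is never compared with the last segment of `parDestinationVirtualNetworkId`, so the two can disagree silently and produce a misleadingly named peering — a comment above `resVirtualNetworkPeer` noting that the caller must keep them consistent, or deriving the name with `last(split(parDestinationVirtualNetworkId, '/'))` as a fallback, would help. When `parDestinationVirtualNetworkId` points into another subscription, the deploying identity also needs peering rights on the remote VNet and not just on this resource group, which `metadata description` should mention.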
@@ -0,0 +1,109 @@ +# Module: VNet Peering with vWAN + +This module is used to perform virtual network peering with the Virtual WAN virtual hub. This network topology is based on the Azure Landing Zone conceptual architecture which can be found [here](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology) and the hub-spoke network topology with Virtual WAN [here](https://learn.microsoft.com/en-us/azure/architecture/networking/hub-spoke-vwan-architecture). Once peered, virtual networks exchange traffic by using the Azure backbone network. Virtual WAN enables transitivity among hubs which is not possible solely by using peering. This module draws parity with the Enterprise Scale implementation in the ARM template [here](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/subscriptionTemplates/vnetPeeringVwan.json). + +Module deploys the following resources which can be configured by parameters: + +- Virtual network peering with Virtual WAN virtual hub + +> Consider using the `hubPeeredSpoke` orchestration module instead to simplify spoke networking deployment, VNET Connection to VWAN Hub (Peering), UDR configuration and Subscription placement in a single module. 
[infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke) + +## Parameters + +- [Parameters for Virtual Network Peering from vWAN](generateddocs/vnetPeeringVwan.bicep.md) +- [Parameters for Hub Virtual Network Connectivity from vWAN](generateddocs/hubVirtualNetworkConnection.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| ------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| outHubVirtualNetworkConnectionName | string | `alz-vhub-eastus/vnet-spoke-vhc` | +| outHubVirtualNetworkConnectionResourceId | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus/hubVirtualNetworkConnections/vnet-spoke-vhc` | + +## Deployment + +In this example, the remote spoke Vnet will be peered with the Vwan Virtual Hub in the Connectivity subscription. During the deployment step, we will take parameters provided in the example parameters file. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ------------------- | ---------------------------------------- | + | All regions | vnetPeeringVwan.bicep | parameters/vnetPeeringVwan.parameters.all.json | + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
+ +### Azure CLI + +```bash +# For Azure global regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +ConnectivitySubscriptionId="[your Landing Zone subscription ID]" +az account set --subscription $ConnectivitySubscriptionId + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-vnetPeeringVwanDeployment-${dateYMD}" +LOCATION="eastus" +TEMPLATEFILE="infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep" +PARAMETERS="@infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json" + +az deployment sub create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +ConnectivitySubscriptionId="[your Landing Zone subscription ID]" +az account set --subscription $ConnectivitySubscriptionId + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-vnetPeeringVwanDeployment-${dateYMD}" +LOCATION="chinaeast2" +TEMPLATEFILE="infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep" +PARAMETERS="@infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json" + +az deployment sub create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your Landing Zone subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +$inputObject = @{ + DeploymentName = 'alz-VnetPeeringWanDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + TemplateFile = "infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep" + TemplateParameterFile = 
'infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json' +} + +New-AzDeployment @inputObject + +``` +OR +```powershell +# For Azure China regions +# Set your Corp Connected Landing Zone subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your Landing Zone subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +$inputObject = @{ + DeploymentName = 'alz-VnetPeeringWanDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + TemplateFile = "infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json' +} + +New-AzDeployment @inputObject +``` +## Example Output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/hubVirtualNetworkConnection.bicep.md b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/hubVirtualNetworkConnection.bicep.md new file mode 100644 index 00000000..330ab973 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/hubVirtualNetworkConnection.bicep.md 
@@ -0,0 +1,85 @@ +# ALZ Bicep - Azure vWAN Hub Virtual Network Peerings + +Module used to set up peering to Virtual Networks from vWAN Hub + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parVirtualWanHubResourceId | Yes | Virtual WAN Hub resource ID. +parRemoteVirtualNetworkResourceId | Yes | Remote Spoke virtual network resource ID. +parVirtualHubConnectionPrefix | No | Optional Virtual Hub Connection Name Prefix. +parVirtualHubConnectionSuffix | No | Optional Virtual Hub Connection Name Suffix. Example: -vhc +parEnableInternetSecurity | No | Enable Internet Security for the Virtual Hub Connection. + +### parVirtualWanHubResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Virtual WAN Hub resource ID. + +### parRemoteVirtualNetworkResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Remote Spoke virtual network resource ID. + +### parVirtualHubConnectionPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Virtual Hub Connection Name Prefix. + +### parVirtualHubConnectionSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Virtual Hub Connection Name Suffix. Example: -vhc + +- Default value: `-vhc` + +### parEnableInternetSecurity + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Enable Internet Security for the Virtual Hub Connection. 
+ +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outHubVirtualNetworkConnectionName | string | +outHubVirtualNetworkConnectionResourceId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.json" + }, + "parameters": { + "parVirtualWanHubResourceId": { + "value": "" + }, + "parRemoteVirtualNetworkResourceId": { + "value": "" + }, + "parVirtualHubConnectionPrefix": { + "value": "" + }, + "parVirtualHubConnectionSuffix": { + "value": "-vhc" + }, + "parEnableInternetSecurity": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/vnetPeeringVwan.bicep.md b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/vnetPeeringVwan.bicep.md new file mode 100644 index 00000000..43d04cbf --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/vnetPeeringVwan.bicep.md 
@@ -0,0 +1,97 @@ +# ALZ Bicep - Virtual Network Peering to vWAN + +Module used to set up Virtual Network Peering from Virtual Network back to vWAN + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parVirtualWanHubResourceId | Yes | Virtual WAN Hub resource ID. +parRemoteVirtualNetworkResourceId | Yes | Remote Spoke virtual network resource ID. +parVirtualHubConnectionPrefix | No | Optional Virtual Hub Connection Name Prefix. +parVirtualHubConnectionSuffix | No | Optional Virtual Hub Connection Name Suffix. Example: -vhc +parEnableInternetSecurity | No | Enable Internet Security for the Virtual Hub Connection. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. Default: false + +### parVirtualWanHubResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Virtual WAN Hub resource ID. + +### parRemoteVirtualNetworkResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Remote Spoke virtual network resource ID. + +### parVirtualHubConnectionPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Virtual Hub Connection Name Prefix. + +### parVirtualHubConnectionSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Virtual Hub Connection Name Suffix. Example: -vhc + +- Default value: `-vhc` + +### parEnableInternetSecurity + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Enable Internet Security for the Virtual Hub Connection. + +- Default value: `False` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
Default: false + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outHubVirtualNetworkConnectionName | string | +outHubVirtualNetworkConnectionResourceId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.json" + }, + "parameters": { + "parVirtualWanHubResourceId": { + "value": "" + }, + "parRemoteVirtualNetworkResourceId": { + "value": "" + }, + "parVirtualHubConnectionPrefix": { + "value": "" + }, + "parVirtualHubConnectionSuffix": { + "value": "-vhc" + }, + "parEnableInternetSecurity": { + "value": false + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep new file mode 100644 index 00000000..d4294af2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep 
@@ -0,0 +1,36 @@
+metadata name = 'ALZ Bicep - Azure vWAN Hub Virtual Network Peerings'
+metadata description = 'Module used to set up peering to Virtual Networks from vWAN Hub'
+
+@sys.description('Virtual WAN Hub resource ID.')
+param parVirtualWanHubResourceId string
+
+@sys.description('Remote Spoke virtual network resource ID.')
+param parRemoteVirtualNetworkResourceId string
+
+@sys.description('Optional Virtual Hub Connection Name Prefix.')
+param parVirtualHubConnectionPrefix string = ''
+
+@sys.description('Optional Virtual Hub Connection Name Suffix. Example: -vhc')
+param parVirtualHubConnectionSuffix string = '-vhc'
+
+@sys.description('Enable Internet Security for the Virtual Hub Connection.')
+param parEnableInternetSecurity bool = false
+
+var varVwanHubName = split(parVirtualWanHubResourceId, '/')[8]
+
+var varSpokeVnetName = split(parRemoteVirtualNetworkResourceId, '/')[8]
+
+var varVnetPeeringVwanName = '${varVwanHubName}/${parVirtualHubConnectionPrefix}${varSpokeVnetName}${parVirtualHubConnectionSuffix}'
+
+resource resVnetPeeringVwan 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-02-01' = if (!empty(parVirtualWanHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) {
+ name: varVnetPeeringVwanName
+ properties: {
+ remoteVirtualNetwork: {
+ id: parRemoteVirtualNetworkResourceId
+ }
+ enableInternetSecurity: parEnableInternetSecurity
+ }
+}
+
+output outHubVirtualNetworkConnectionName string = resVnetPeeringVwan.name
+output outHubVirtualNetworkConnectionResourceId string = resVnetPeeringVwan.id
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png
new file mode 100644
index 00000000..3211c79f
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png differ
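Review bot: `parEnableInternetSecurity` defaults to `false` and its description says nothing about what the flag controls; as I understand the property, on a secured virtual hub it decides whether the 0.0.0.0/0 route coming from the hub's Azure Firewall or routing intent is propagated to this spoke connection, so `false` leaves the spoke's Internet-bound traffic outside the hub's inspection path and a reader of the module cannot tell that from the decorator. Suggest `@sys.description('Enable Internet Security for the Virtual Hub Connection. When true, the 0.0.0.0/0 route advertised by a secured hub (Azure Firewall / routing intent) is propagated to the spoke; when false, spoke Internet egress is not routed through the hub.')`. Separately, the two `split(..., '/')[8]` lookups index a fixed position in the resource ID with no shape check, and the `!empty()` guard on `resVnetPeeringVwan` does not cover them: `split('', '/')` is a one-element array, so an empty or malformed ID surfaces as an index-out-of-range error rather than a cleanly skipped resource. A `@minLength(1)` decorator on `parVirtualWanHubResourceId` and `parRemoteVirtualNetworkResourceId` would make that an explicit validation failure at the parameter boundary instead.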
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png
new file mode 100644
index 00000000..5cf4f768
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json
new file mode 100644
index 00000000..f6055528
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parVirtualWanHubResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus"
+ },
+ "parRemoteVirtualNetworkResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/spokevnet-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+ },
+ "parVirtualHubConnectionPrefix": {
+ "value": ""
+ },
+ "parVirtualHubConnectionSuffix": {
+ "value": "-vhc"
+ },
+ "parEnableInternetSecurity": {
+ "value": false
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json
new file mode 100644
index 00000000..a20679aa
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parVirtualWanHubResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus"
+ },
+ "parRemoteVirtualNetworkResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/spokevnet-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep
new file mode 100644
index 00000000..1d466b90
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep
@@ -0,0 +1,25 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_vwa_vnet_peering '../vnetPeeringVwan.bicep' = {
+ name: 'baseline_vwa_vnet_peering'
+ params: {
+ parVirtualWanHubResourceId: '/subscriptions/xxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vwan/providers/Microsoft.Network/virtualWans/vwan-hub'
+ parRemoteVirtualNetworkResourceId: '/subscriptions/xxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet-remote'
+ parTelemetryOptOut: true
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 00000000..0329e4a1
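Review bot: `baseline.sample.bicep` passes a `Microsoft.Network/virtualWans/vwan-hub` resource ID as `parVirtualWanHubResourceId`, but the module expects a Virtual Hub ID — `hubVirtualNetworkConnection.bicep` takes segment `[8]` of that ID as the parent hub name and the parameter files in this same commit use `.../virtualHubs/alz-vhub-eastus`, so the sample as written would try to create the connection under a hub named after the vWAN rather than the hub. The same mismatch is in `minimum.sample.bicep`. The subscription placeholders are also inconsistent (`xxxxxxx-b761-…` here, `xxxxxxxxx-b761-…` in the minimum sample) and keep a realistic-looking GUID tail; the uniform `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` form the parameter files use avoids both problems. Suggested line: `parVirtualWanHubResourceId: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-vwan/providers/Microsoft.Network/virtualHubs/<virtual-hub-name>'`.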
--- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/baseline.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..67654bc6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep new file mode 100644 index 00000000..34400a52 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep 
@@ -0,0 +1,24 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'subscription'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_vwa_vnet_peering '../vnetPeeringVwan.bicep' = {
+ name: 'minimum_vwa_vnet_peering'
+ params: {
+ parVirtualWanHubResourceId: '/subscriptions/xxxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vwan/providers/Microsoft.Network/virtualWans/vwan-hub'
+ parRemoteVirtualNetworkResourceId: '/subscriptions/xxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet-remote'
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep
new file mode 100644
index 00000000..a6124dce
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep
@@ -0,0 +1,55 @@
+targetScope = 'subscription'
+
+metadata name = 'ALZ Bicep - Virtual Network Peering to vWAN'
+metadata description = 'Module used to set up Virtual Network Peering from Virtual Network back to vWAN'
+
+@sys.description('Virtual WAN Hub resource ID.')
+param parVirtualWanHubResourceId string
+
+@sys.description('Remote Spoke virtual network resource ID.')
+param parRemoteVirtualNetworkResourceId string
+
+@sys.description('Optional Virtual Hub Connection Name Prefix.')
+param parVirtualHubConnectionPrefix string = ''
+
+@sys.description('Optional Virtual Hub Connection Name Suffix. Example: -vhc')
+param parVirtualHubConnectionSuffix string = '-vhc'
+
+@sys.description('Enable Internet Security for the Virtual Hub Connection.')
+param parEnableInternetSecurity bool = false
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry. Default: false')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '7b5e6db2-1e8c-4b01-8eee-e1830073a63d'
+
+var varVwanSubscriptionId = split(parVirtualWanHubResourceId, '/')[2]
+
+var varVwanResourceGroup = split(parVirtualWanHubResourceId, '/')[4]
+
+var varSpokeVnetName = split(parRemoteVirtualNetworkResourceId, '/')[8]
+
+var varModhubVirtualNetworkConnectionDeploymentName = take('deploy-vnet-peering-vwan-${varSpokeVnetName}', 64)
+
+// The hubVirtualNetworkConnection resource is implemented as a separate module because the deployment scope could be on a different subscription and resource group
+module modhubVirtualNetworkConnection 'hubVirtualNetworkConnection.bicep' = if (!empty(parVirtualWanHubResourceId) && !empty(parRemoteVirtualNetworkResourceId)) {
+ scope: resourceGroup(varVwanSubscriptionId, varVwanResourceGroup)
+ name: varModhubVirtualNetworkConnectionDeploymentName
+ params: {
+ parVirtualWanHubResourceId: parVirtualWanHubResourceId
+ parRemoteVirtualNetworkResourceId: parRemoteVirtualNetworkResourceId
+ parVirtualHubConnectionPrefix: parVirtualHubConnectionPrefix
+ parVirtualHubConnectionSuffix: parVirtualHubConnectionSuffix
+ parEnableInternetSecurity: parEnableInternetSecurity
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdSubscription.bicep' = if (!parTelemetryOptOut) {
+ name: 'pid-${varCuaid}-${uniqueString(subscription().id, varSpokeVnetName)}'
+ params: {}
+}
+
+output outHubVirtualNetworkConnectionName string = modhubVirtualNetworkConnection.outputs.outHubVirtualNetworkConnectionName
+output outHubVirtualNetworkConnectionResourceId string = modhubVirtualNetworkConnection.outputs.outHubVirtualNetworkConnectionResourceId
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/README.md b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/README.md
new file mode 100644
index 00000000..0d99c1a6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/README.md
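Review bot: The `scope: resourceGroup(varVwanSubscriptionId, varVwanResourceGroup)` on `modhubVirtualNetworkConnection` means this spoke-side module writes into the hub's resource group in the connectivity subscription, so the identity running a spoke deployment needs write rights on `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections` there — the one permission that matters for least privilege here, and nothing in the file says so. Suggest extending the comment above the module: `// Deploys into the hub's subscription/resource group: the deploying identity needs write access to Microsoft.Network/virtualHubs/hubVirtualNetworkConnections in that resource group (e.g. Network Contributor scoped to the hub resource group), not just rights on the spoke.` The two outputs dereference `modhubVirtualNetworkConnection.outputs` unconditionally while the module itself is guarded by `if (...)`; if my reading of ARM is right, a reference to a module that was skipped by its condition fails at output evaluation, so the guard cannot actually produce a clean no-op deployment and either the guard or the outputs should be reconsidered. The `[2]`, `[4]` and `[8]` positional lookups also run before any validation of the IDs, so an empty string (the case the guard is written for) yields an index error rather than a skipped module; `@minLength(1)` on both required ID parameters would fail earlier and more clearly. Minor style point: `modhubVirtualNetworkConnection` breaks the camel-casing used by `modCustomerUsageAttribution` (and `varModhub…` follows the same slip).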
@@ -0,0 +1,172 @@ +# Module: Virtual WAN + +This module is used to deploy the Virtual WAN network topology and its components according to the Azure Landing Zone conceptual architecture which can be found [here](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology). This module draws parity with the Enterprise Scale implementation in the ARM template [here](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/subscriptionTemplates/vwan-connectivity.json). + +Module deploys the following resources which can be configured by parameters: + +- Virtual WAN +- Virtual Hub. The virtual hub is a prerequisite to connect to either a VPN Gateway, an ExpressRoute Gateway or an Azure Firewall to the virtual WAN +- VPN Gateway +- ExpressRoute Gateway +- Azure Firewall +- Azure Firewall policy +- DDoS Network Protection Plan +- Private DNS Zones - Details of all the Azure Private DNS zones can be found here --> [https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration) + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/vwanConnectivity.bicep.md) + +> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. + + +> NOTE: When deploying using the `parameters/vwanConnectivity.parameters.all.json` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region. Failure to do so will cause these services to be unreachable over private endpoints. 
+> For example, if deploying to East US the following zone entries: +> - `privatelink.xxxxxx.azmk8s.io` +> - `privatelink.xxxxxx.backup.windowsazure.com` +> - `privatelink.xxxxxx.batch.azure.com` +> +> Will become: +> - `privatelink.eastus.azmk8s.io` +> - `privatelink.eastus.backup.windowsazure.com` +> - `privatelink.eastus.batch.azure.com` + + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| --------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| outVirtualWanName | string | alz-vwan-eastus | +| outVirtualWanId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualWans/alz-vwan-eastus | +| outVirtualHubName | string | alz-vhub-eastus | +| outVirtualHubId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/virtualHubs/alz-vhub-eastus | +| outDdosPlanResourceId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-vwan-eastus/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan | +| outPrivateDnsZones | array | `[{"name":"privatelink.azurecr.io","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"},{"name":"privatelink.azurewebsites.net","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"}]` | +| outPrivateDnsZonesNames | array | `["privatelink.azurecr.io", "privatelink.azurewebsites.net"]` | + +## Deployment + +In this example, the resources required for Virtual WAN connectivity will be deployed to the resource group specified. 
According to the Azure Landing Zone Conceptual Architecture, the Virtual WAN resources should be deployed into the Platform connectivity subscription. During the deployment step, we will take parameters provided in the example parameters file. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ---------------------- | ------------------------------------------------- | + | Global regions | vwanConnectivity.bicep | parameters/vwanConnectivity.parameters.all.json | + | China regions | vwanConnectivity.bicep | parameters/mc-vwanConnectivity.parameters.all.json | + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI +```bash +# For Azure global regions +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-vwanConnectivityDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-vwan-001" +TEMPLATEFILE="infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep" +PARAMETERS="@infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location eastus + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-vwanConnectivityDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-vwan-001" +TEMPLATEFILE="infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep" +PARAMETERS="@infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location chinaeast2 + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-vwanConnectivityDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-vwan-001" + TemplateFile = "infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json" +} + + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'EastUs' + +New-AzResourceGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-vwanConnectivityDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-vwan-001" + TemplateFile = "infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json" +} + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'chinaeast2' + +New-AzResourceGroupDeployment @inputObject + ``` +## Example Output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutputConnectivity.png "Example Deployment Output in Azure global regions") + +![Example Virtual WAN Deployment Output](media/exampleDeploymentOutput.png "Example Virtual WAN Deployment Output in Azure global regions") + +## Example Output in Azure China regions +![Example Deployment 
Output](media/mc-exampleDeploymentOutputConnectivity.png "Example Deployment Output in Azure China") + +![Example Virtual WAN Deployment Output](media/mc-exampleDeploymentOutput.png "Example Virtual WAN Deployment Output in Azure China") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/bicepconfig.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/bicepconfig.json new file mode 100644 index 00000000..ad3802e9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/bicepconfig.json 
@@ -0,0 +1,124 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": true,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "error"
+ },
+ "artifacts-parameters": {
+ "level": "error"
+ },
+ "decompiler-cleanup": {
+ "level": "error"
+ },
+ "max-outputs": {
+ "level": "error"
+ },
+ "max-params": {
+ "level": "error"
+ },
+ "max-resources": {
+ "level": "error"
+ },
+ "max-variables": {
+ "level": "error"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "error",
+ "disallowedhosts": [
+ "management.core.windows.net",
+ "gallery.azure.com",
+ "management.core.windows.net",
+ "management.azure.com",
+ "login.microsoftonline.com",
+ "graph.windows.net",
+ "trafficmanager.net",
+ "vault.azure.net",
+ "datalake.azure.net",
+ "azuredatalakestore.net",
+ "azuredatalakeanalytics.net",
+ "vault.azure.net",
+ "api.loganalytics.io",
+ "api.loganalytics.iov1",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "api.loganalytics.iov1",
+ "api.loganalytics.io",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "batch.core.windows.net"
+ ],
+ "excludedhosts": [
+ "schema.management.azure.com"
+ ]
+ },
+ "no-hardcoded-location": {
+ "level": "error"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "error"
+ },
+ "no-unnecessary-dependson": {
+ "level": "error"
+ },
+ "no-unused-existing-resources": {
+ "level": "error"
+ },
+ "no-unused-params": {
+ "level": "error"
+ },
+ "no-unused-vars": {
+ "level": "error"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "error"
+ },
+ "prefer-interpolation": {
+ "level": "error"
+ },
+ "prefer-unquoted-property-names": {
+ "level": "error"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "error"
+ },
+ "secure-parameter-default": {
+ "level": "error"
+ },
+ "secure-params-in-nested-deploy": {
+ "level": "error"
+ },
+ "secure-secrets-in-params": {
+ "level": "error"
+ },
+ "simplify-interpolation": {
+ "level": "error"
+ },
+ "simplify-json-null": {
+ "level": "error"
+ },
+ "use-parent-property": {
+ "level": "error"
+ },
+ "use-recent-api-versions": {
+ "level": "warning",
+ "maxAllowedAgeInDays": 730
+ },
+ "use-resource-id-functions": {
+ "level": "error"
+ },
+ "use-resource-symbol-reference": {
+ "level": "error"
+ },
+ "use-stable-resource-identifiers": {
+ "level": "error"
+ },
+ "use-stable-vm-image": {
+ "level": "error"
+ }
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md
new file mode 100644
index 00000000..08a1a9e9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md
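Review bot: The `disallowedhosts` list under `no-hardcoded-env-urls` carries six duplicated entries — `management.core.windows.net`, `vault.azure.net`, `api.loganalytics.io`, `api.loganalytics.iov1`, `asazure.windows.net` and `region.asazure.windows.net` each appear twice — which looks like two copies of the default list merged by hand; the linter tolerates it, but it makes a later diff of the list hard to read and hides whether a host was deliberately added. Dropping the second occurrence of each keeps the rule's coverage identical. `use-recent-api-versions` is the only rule relaxed to `warning` with a 730-day allowance; since JSON has no comments, a one-line note in the module README on why that rule is downgraded would keep the choice from being silently inherited by copies of this config.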
@@ -0,0 +1,409 @@ +# ALZ Bicep - Azure vWAN Connectivity Module + +Module used to set up vWAN Connectivity + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | Region in which the resource group was created. +parCompanyPrefix | No | Prefix value which will be prepended to all resource names. +parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy. +parVirtualHubEnabled | No | Switch to enable/disable Virtual Hub deployment. +parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. +parVirtualWanName | No | Prefix Used for Virtual WAN. +parVirtualWanHubName | No | Prefix Used for Virtual WAN Hub. +parVirtualWanHubs | No | Array Used for multiple Virtual WAN Hubs deployment. Each object in the array represents an individual Virtual WAN Hub configuration. Add/remove additional objects in the array to meet the number of Virtual WAN Hubs required. - `parVpnGatewayEnabled` - Switch to enable/disable VPN Gateway deployment on the respective Virtual WAN Hub. - `parExpressRouteGatewayEnabled` - Switch to enable/disable ExpressRoute Gateway deployment on the respective Virtual WAN Hub. - `parAzFirewallEnabled` - Switch to enable/disable Azure Firewall deployment on the respective Virtual WAN Hub. - `parVirtualHubAddressPrefix` - The IP address range in CIDR notation for the vWAN virtual Hub to use. - `parHubLocation` - The Virtual WAN Hub location. - `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`. - `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50. - `parVirtualHubRoutingIntentDestinations` - The Virtual WAN Hub routing intent destinations, leave empty if not wanting to enable routing intent. The allowed values are `Internet`, `PrivateTraffic`. +parVpnGatewayName | No | Prefix Used for VPN Gateway. 
+parExpressRouteGatewayName | No | Prefix Used for ExpressRoute Gateway. +parAzFirewallName | No | Azure Firewall Name. +parAzFirewallAvailabilityZones | No | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. +parAzFirewallPoliciesName | No | Azure Firewall Policies Name. +parVpnGatewayScaleUnit | No | The scale unit for this VPN Gateway. +parExpressRouteGatewayScaleUnit | No | The scale unit for this ExpressRoute Gateway. +parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. +parDdosPlanName | No | DDoS Plan Name. +parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment. +parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones. +parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. +parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. +parVirtualNetworkIdToLink | No | Resource ID of VNet for Private DNS Zone VNet Links +parTags | No | Tags you would like to be applied to all resources in this module. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Region in which the resource group was created. + +- Default value: `[resourceGroup().location]` + +### parCompanyPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix value which will be prepended to all resource names. + +- Default value: `alz` + +### parAzFirewallTier + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Tier associated with the Firewall to deploy. 
+ +- Default value: `Standard` + +- Allowed values: `Basic`, `Standard`, `Premium` + +### parVirtualHubEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Virtual Hub deployment. + +- Default value: `True` + +### parAzFirewallDnsProxyEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Firewall DNS Proxy. + +- Default value: `True` + +### parVirtualWanName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix Used for Virtual WAN. + +- Default value: `[format('{0}-vwan-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parVirtualWanHubName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix Used for Virtual WAN Hub. + +- Default value: `[format('{0}-vhub', parameters('parCompanyPrefix'))]` + +### parVirtualWanHubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array Used for multiple Virtual WAN Hubs deployment. Each object in the array represents an individual Virtual WAN Hub configuration. Add/remove additional objects in the array to meet the number of Virtual WAN Hubs required. + +- `parVpnGatewayEnabled` - Switch to enable/disable VPN Gateway deployment on the respective Virtual WAN Hub. +- `parExpressRouteGatewayEnabled` - Switch to enable/disable ExpressRoute Gateway deployment on the respective Virtual WAN Hub. +- `parAzFirewallEnabled` - Switch to enable/disable Azure Firewall deployment on the respective Virtual WAN Hub. +- `parVirtualHubAddressPrefix` - The IP address range in CIDR notation for the vWAN virtual Hub to use. +- `parHubLocation` - The Virtual WAN Hub location. +- `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`. 
+- `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50. +- `parVirtualHubRoutingIntentDestinations` - The Virtual WAN Hub routing intent destinations, leave empty if not wanting to enable routing intent. The allowed values are `Internet`, `PrivateTraffic`. + + + +### parVpnGatewayName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix Used for VPN Gateway. + +- Default value: `[format('{0}-vpngw', parameters('parCompanyPrefix'))]` + +### parExpressRouteGatewayName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix Used for ExpressRoute Gateway. + +- Default value: `[format('{0}-ergw', parameters('parCompanyPrefix'))]` + +### parAzFirewallName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Name. + +- Default value: `[format('{0}-fw', parameters('parCompanyPrefix'))]` + +### parAzFirewallAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. + +- Allowed values: `1`, `2`, `3` + +### parAzFirewallPoliciesName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Policies Name. + +- Default value: `[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parVpnGatewayScaleUnit + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The scale unit for this VPN Gateway. + +- Default value: `1` + +### parExpressRouteGatewayScaleUnit + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The scale unit for this ExpressRoute Gateway. 
+ +- Default value: `1` + +### parDdosEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable DDoS Network Protection deployment. + +- Default value: `True` + +### parDdosPlanName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +DDoS Plan Name. + +- Default value: `[format('{0}-ddos-plan', parameters('parCompanyPrefix'))]` + +### parPrivateDnsZonesEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Private DNS Zones deployment. + +- Default value: `True` + +### parPrivateDnsZonesResourceGroup + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource Group Name for Private DNS Zones. + +- Default value: `[resourceGroup().name]` + +### parPrivateDnsZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of DNS Zones to provision in Hub Virtual Network. 
+ +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net 
privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` + +### parPrivateDnsZoneAutoMergeAzureBackupZone + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. + +- Default value: `True` + +### parVirtualNetworkIdToLink + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource ID of VNet for Private DNS Zone VNet Links + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. 
+ +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outVirtualWanName | string | +outVirtualWanId | string | +outVirtualHubName | array | +outVirtualHubId | array | +outDdosPlanResourceId | string | +outPrivateDnsZones | array | +outPrivateDnsZonesNames | array | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parCompanyPrefix": { + "value": "alz" + }, + "parAzFirewallTier": { + "value": "Standard" + }, + "parVirtualHubEnabled": { + "value": true + }, + "parAzFirewallDnsProxyEnabled": { + "value": true + }, + "parVirtualWanName": { + "value": "[format('{0}-vwan-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parVirtualWanHubName": { + "value": "[format('{0}-vhub', parameters('parCompanyPrefix'))]" + }, + "parVirtualWanHubs": { + "value": [ + { + "parVpnGatewayEnabled": true, + "parExpressRouteGatewayEnabled": true, + "parAzFirewallEnabled": true, + "parVirtualHubAddressPrefix": "10.100.0.0/23", + "parHubLocation": "[parameters('parLocation')]", + "parHubRoutingPreference": "ExpressRoute", + "parVirtualRouterAutoScaleConfiguration": 2, + "parVirtualHubRoutingIntentDestinations": [] + } + ] + }, + "parVpnGatewayName": { + "value": "[format('{0}-vpngw', parameters('parCompanyPrefix'))]" + }, + "parExpressRouteGatewayName": { + "value": "[format('{0}-ergw', parameters('parCompanyPrefix'))]" + }, + "parAzFirewallName": { + "value": "[format('{0}-fw', parameters('parCompanyPrefix'))]" + }, + 
"parAzFirewallAvailabilityZones": { + "value": [] + }, + "parAzFirewallPoliciesName": { + "value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parVpnGatewayScaleUnit": { + "value": 1 + }, + "parExpressRouteGatewayScaleUnit": { + "value": 1 + }, + "parDdosEnabled": { + "value": true + }, + "parDdosPlanName": { + "value": "[format('{0}-ddos-plan', parameters('parCompanyPrefix'))]" + }, + "parPrivateDnsZonesEnabled": { + "value": true + }, + "parPrivateDnsZonesResourceGroup": { + "value": "[resourceGroup().name]" + }, + "parPrivateDnsZones": { + "value": [ + "[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))]", + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + 
"privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "parPrivateDnsZoneAutoMergeAzureBackupZone": { + "value": true + }, + "parVirtualNetworkIdToLink": { + "value": "" + }, + "parTags": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png new file mode 100644 index 00000000..a8d0b0e8 Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png differ 
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png
new file mode 100644
index 00000000..1ea48741
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png
new file mode 100644
index 00000000..b4b13491
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png
new file mode 100644
index 00000000..59bd2af2
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png
new file mode 100644
index 00000000..c275f8fe
Binary files /dev/null and b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png differ
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json
new file mode 100644
index 00000000..72c6d091
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json
@@ -0,0 +1,118 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parVirtualHubEnabled": {
+ "value": true
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parVirtualWanName": {
+ "value": "alz-vwan-chinaeast2"
+ },
+ "parVirtualWanHubName": {
+ "value": "alz-vhub"
+ },
+ "parVpnGatewayName": {
+ "value": "alz-vpngw"
+ },
+ "parExpressRouteGatewayName": {
+ "value": "alz-ergw"
+ },
+ "parAzFirewallName": {
+ "value": "alz-fw"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-chinaeast2"
+ },
+ "parVirtualWanHubs": {
+ "value": [
+ {
+ "parVpnGatewayEnabled": true,
+ "parExpressRouteGatewayEnabled": true,
+ "parAzFirewallEnabled": true,
+ "parVirtualHubAddressPrefix": "10.100.0.0/23",
+ "parHubLocation": "chinaeast2",
+ "parHubRoutingPreference": "ExpressRoute",
+ "parVirtualRouterAutoScaleConfiguration": 2,
+ "parVirtualHubRoutingIntentDestinations": []
+ }
+ ]
+ },
+ "parVpnGatewayScaleUnit": {
+ "value": 1
+ },
+ "parExpressRouteGatewayScaleUnit": {
+ "value": 1
+ },
+ "parDdosEnabled": {
+ "value": false
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parPrivateDnsZoneAutoMergeAzureBackupZone": {
+ "value": true
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json
new file mode 100644
index 00000000..bfb71011
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json
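Review bot: `parVirtualNetworkIdToLink` points at `.../resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus`, an `eastus`-named VNet, in a parameter file whose `parLocation` and `parHubLocation` are `chinaeast2`; the value looks copied from the public-cloud sample and cannot name a VNet in the China cloud, so the Private DNS zone VNet links would target the wrong (or a non-existent) network. The subscription segment is also the `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` placeholder, so the file fails validation until it is edited; the identical value is repeated in `mc-vwanConnectivity.parameters.min.json`, `vwanConnectivity.parameters.all.json` and `vwanConnectivity.parameters.min.json`. A region-consistent placeholder such as `/subscriptions/<subscription-id>/resourceGroups/<hub-rg>/providers/Microsoft.Network/virtualNetworks/alz-hub-chinaeast2`, or the empty string the generated docs' snippet uses, would make the intent unmistakable.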
@@ -0,0 +1,89 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parVirtualHubEnabled": {
+ "value": true
+ },
+ "parVirtualWanHubs": {
+ "value": [
+ {
+ "parVpnGatewayEnabled": true,
+ "parExpressRouteGatewayEnabled": true,
+ "parAzFirewallEnabled": true,
+ "parVirtualHubAddressPrefix": "10.100.0.0/23",
+ "parHubLocation": "chinaeast2",
+ "parHubRoutingPreference": "ExpressRoute",
+ "parVirtualRouterAutoScaleConfiguration": 2,
+ "parVirtualHubRoutingIntentDestinations": []
+ }
+ ]
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parVpnGatewayScaleUnit": {
+ "value": 1
+ },
+ "parExpressRouteGatewayScaleUnit": {
+ "value": 1
+ },
+ "parDdosEnabled": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
new file mode 100644
index 00000000..d776c3ad
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
@@ -0,0 +1,156 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "eastus"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parVirtualHubEnabled": {
+ "value": true
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parVirtualWanName": {
+ "value": "alz-vwan-eastus"
+ },
+ "parVirtualWanHubName": {
+ "value": "alz-vhub"
+ },
+ "parVpnGatewayName": {
+ "value": "alz-vpngw"
+ },
+ "parExpressRouteGatewayName": {
+ "value": "alz-ergw"
+ },
+ "parAzFirewallName": {
+ "value": "alz-fw"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-eastus"
+ },
+ "parVirtualWanHubs": {
+ "value": [
+ {
+ "parVpnGatewayEnabled": true,
+ "parExpressRouteGatewayEnabled": true,
+ "parAzFirewallEnabled": true,
+ "parVirtualHubAddressPrefix": "10.100.0.0/23",
+ "parHubLocation": "eastus",
+ "parHubRoutingPreference": "ExpressRoute",
+ "parVirtualRouterAutoScaleConfiguration": 2,
+ "parVirtualHubRoutingIntentDestinations": []
+ }
+ ]
+ },
+ "parVpnGatewayScaleUnit": {
+ "value": 1
+ },
+ "parExpressRouteGatewayScaleUnit": {
+ "value": 1
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.kusto.windows.net", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region geo code (i.e. for eastus, the geo code is eus)
+ "privatelink.adf.azure.com",
+ "privatelink.afs.azure.net",
+ "privatelink.agentsvc.azure-automation.net",
+ "privatelink.analysis.windows.net",
+ "privatelink.api.azureml.ms",
+ "privatelink.azconfig.io",
+ "privatelink.azure-api.net",
+ "privatelink.azure-automation.net",
+ "privatelink.azurecr.io",
+ "privatelink.azure-devices.net",
+ "privatelink.azure-devices-provisioning.net",
+ "privatelink.azurehdinsight.net",
+ "privatelink.azurehealthcareapis.com",
+ "privatelink.azurestaticapps.net",
+ "privatelink.azuresynapse.net",
+ "privatelink.azurewebsites.net",
+ "privatelink.batch.azure.com",
+ "privatelink.blob.core.windows.net",
+ "privatelink.cassandra.cosmos.azure.com",
+ "privatelink.cognitiveservices.azure.com",
+ "privatelink.database.windows.net",
+ "privatelink.datafactory.azure.net",
+ "privatelink.dev.azuresynapse.net",
+ "privatelink.dfs.core.windows.net",
+ "privatelink.dicom.azurehealthcareapis.com",
+ "privatelink.digitaltwins.azure.net",
+ "privatelink.directline.botframework.com",
+ "privatelink.documents.azure.com",
+ "privatelink.eventgrid.azure.net",
+ "privatelink.file.core.windows.net",
+ "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.guestconfiguration.azure.com",
+ "privatelink.his.arc.azure.com",
+ "privatelink.kubernetesconfiguration.azure.com",
+ "privatelink.managedhsm.azure.net",
+ "privatelink.mariadb.database.azure.com",
+ "privatelink.media.azure.net",
+ "privatelink.mongo.cosmos.azure.com",
+ "privatelink.monitor.azure.com",
+ "privatelink.mysql.database.azure.com",
+ "privatelink.notebooks.azure.net",
+ "privatelink.ods.opinsights.azure.com",
+ "privatelink.oms.opinsights.azure.com",
+ "privatelink.pbidedicated.windows.net",
+ "privatelink.postgres.database.azure.com",
+ "privatelink.prod.migration.windowsazure.com",
+ "privatelink.purview.azure.com",
+ "privatelink.purviewstudio.azure.com",
+ "privatelink.queue.core.windows.net",
+ "privatelink.redis.cache.windows.net",
+ "privatelink.redisenterprise.cache.azure.net",
+ "privatelink.search.windows.net",
+ "privatelink.service.signalr.net",
+ "privatelink.servicebus.windows.net",
+ "privatelink.siterecovery.windowsazure.com",
+ "privatelink.sql.azuresynapse.net",
+ "privatelink.table.core.windows.net",
+ "privatelink.table.cosmos.azure.com",
+ "privatelink.tip1.powerquery.microsoft.com",
+ "privatelink.token.botframework.com",
+ "privatelink.vaultcore.azure.net",
+ "privatelink.web.core.windows.net",
+ "privatelink.webpubsub.azure.com"
+ ]
+ },
+ "parPrivateDnsZoneAutoMergeAzureBackupZone": {
+ "value": true
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json
new file mode 100644
index 00000000..bdfe0344
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json
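Review bot: The four region-specific entries at the top of `parPrivateDnsZones` are left as `privatelink.xxxxxx.*` placeholders annotated with `//` comments in a `.json` parameter file; strict JSON tooling rejects the comments, and if the file is deployed unedited the module will create Private DNS zones whose names literally contain `xxxxxx`. Since this file already pins `parLocation` to `eastus` (and names `alz-vwan-eastus` and `alz-azfwpolicy-eastus`), these entries can be concrete and comment-free, using the `eus` geo code the comment itself supplies. Separately, `parPrivateDnsZoneAutoMergeAzureBackupZone` is `true` here while an explicit backup zone is also listed; the generated docs describe that parameter as adding a Private DNS zone for Azure Backup, so the explicit entry may end up duplicating it — worth confirming against the module. The companion `vwanConnectivity.parameters.min.json` omits `parPrivateDnsZones` and is not affected.
```json
      "value": [
        "privatelink.eastus.azmk8s.io",
        "privatelink.eastus.batch.azure.com",
        "privatelink.eastus.kusto.windows.net",
        "privatelink.eus.backup.windowsazure.com",
        // … unchanged: remaining privatelink.* zones …
```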
@@ -0,0 +1,53 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parVirtualHubEnabled": {
+ "value": true
+ },
+ "parVirtualWanHubs": {
+ "value": [
+ {
+ "parVpnGatewayEnabled": true,
+ "parExpressRouteGatewayEnabled": true,
+ "parAzFirewallEnabled": true,
+ "parVirtualHubAddressPrefix": "10.100.0.0/23",
+ "parHubLocation": "eastus",
+ "parHubRoutingPreference": "ExpressRoute",
+ "parVirtualRouterAutoScaleConfiguration": 2,
+ "parVirtualHubRoutingIntentDestinations": []
+ }
+ ]
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parVpnGatewayScaleUnit": {
+ "value": 1
+ },
+ "parExpressRouteGatewayScaleUnit": {
+ "value": 1
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parVirtualNetworkIdToLink": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep
new file mode 100644
index 00000000..ebff7ada
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep
@@ -0,0 +1,133 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'resourceGroup' + +// ---------- +// PARAMETERS +// ---------- +param parLocation string = 'westus' +var parCompanyPrefix = 'contoso' +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module minimum_vwan_conn '../vwanConnectivity.bicep' = { + name: 'minimum_vwan_conn' + params: { + parLocation: parLocation + parAzFirewallTier: 'Standard' + parVirtualHubEnabled: true + parVirtualWanHubs:[{ + parVpnGatewayEnabled: true + parExpressRouteGatewayEnabled: true + parAzFirewallEnabled: true + parVirtualHubAddressPrefix: '10.100.0.0/23' + parHubLocation: 'centralus' + parhubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute' + parvirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50 + parVirtualHubRoutingIntentDestinations: [] + }] + parAzFirewallDnsProxyEnabled: true + parVirtualWanName: '${parCompanyPrefix}-vwan-${parLocation}' + parVirtualWanHubName: '${parCompanyPrefix}-vhub' + parVpnGatewayName: '${parCompanyPrefix}-vpngw' + parExpressRouteGatewayName: '${parCompanyPrefix}-ergw' + parAzFirewallName: '${parCompanyPrefix}-fw' + parAzFirewallAvailabilityZones: [ + '1' + '2' + '3' + ] + parVirtualNetworkIdToLink: '/subscriptions/xxxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet' + + parAzFirewallPoliciesName: '${parCompanyPrefix}-azfwpolicy-${parLocation}' + + parVpnGatewayScaleUnit: 1 + + parExpressRouteGatewayScaleUnit: 1 + + parDdosEnabled: true + parDdosPlanName: '${parCompanyPrefix}-ddos-plan' + parPrivateDnsZonesEnabled: true + + parPrivateDnsZonesResourceGroup: resourceGroup().name + parPrivateDnsZones: [ + 'privatelink.${toLower(parLocation)}.azmk8s.io' + 'privatelink.${toLower(parLocation)}.batch.azure.com' + 
'privatelink.${toLower(parLocation)}.kusto.windows.net' + 'privatelink.adf.azure.com' + 'privatelink.afs.azure.net' + 'privatelink.agentsvc.azure-automation.net' + 'privatelink.analysis.windows.net' + 'privatelink.api.azureml.ms' + 'privatelink.azconfig.io' + 'privatelink.azure-api.net' + 'privatelink.azure-automation.net' + 'privatelink.azurecr.io' + 'privatelink.azure-devices.net' + 'privatelink.azure-devices-provisioning.net' + 'privatelink.azurehdinsight.net' + 'privatelink.azurehealthcareapis.com' + 'privatelink.azurestaticapps.net' + 'privatelink.azuresynapse.net' + 'privatelink.azurewebsites.net' + 'privatelink.batch.azure.com' + 'privatelink.blob.core.windows.net' + 'privatelink.cassandra.cosmos.azure.com' + 'privatelink.cognitiveservices.azure.com' + 'privatelink.database.windows.net' + 'privatelink.datafactory.azure.net' + 'privatelink.dev.azuresynapse.net' + 'privatelink.dfs.core.windows.net' + 'privatelink.dicom.azurehealthcareapis.com' + 'privatelink.digitaltwins.azure.net' + 'privatelink.directline.botframework.com' + 'privatelink.documents.azure.com' + 'privatelink.eventgrid.azure.net' + 'privatelink.file.core.windows.net' + 'privatelink.gremlin.cosmos.azure.com' + 'privatelink.guestconfiguration.azure.com' + 'privatelink.his.arc.azure.com' + 'privatelink.kubernetesconfiguration.azure.com' + 'privatelink.managedhsm.azure.net' + 'privatelink.mariadb.database.azure.com' + 'privatelink.media.azure.net' + 'privatelink.mongo.cosmos.azure.com' + 'privatelink.monitor.azure.com' + 'privatelink.mysql.database.azure.com' + 'privatelink.notebooks.azure.net' + 'privatelink.ods.opinsights.azure.com' + 'privatelink.oms.opinsights.azure.com' + 'privatelink.pbidedicated.windows.net' + 'privatelink.postgres.database.azure.com' + 'privatelink.prod.migration.windowsazure.com' + 'privatelink.purview.azure.com' + 'privatelink.purviewstudio.azure.com' + 'privatelink.queue.core.windows.net' + 'privatelink.redis.cache.windows.net' + 
'privatelink.redisenterprise.cache.azure.net' + 'privatelink.search.windows.net' + 'privatelink.service.signalr.net' + 'privatelink.servicebus.windows.net' + 'privatelink.siterecovery.windowsazure.com' + 'privatelink.sql.azuresynapse.net' + 'privatelink.table.core.windows.net' + 'privatelink.table.cosmos.azure.com' + 'privatelink.tip1.powerquery.microsoft.com' + 'privatelink.token.botframework.com' + 'privatelink.vaultcore.azure.net' + 'privatelink.web.core.windows.net' + 'privatelink.webpubsub.azure.com' + ] + + parTags: { + key1: 'value1' + } + parTelemetryOptOut: false + } +} diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/baseline.sample.bicep.md new file mode 100644 index 00000000..1b4d2f98 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/baseline.sample.bicep.md @@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + + + +- Default value: `westus` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.json" + }, + "parameters": { + "parLocation": { + "value": "westus" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/minimum.sample.bicep.md new file mode 100644 index 00000000..0b56b579 --- /dev/null 
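Review bot: The hub object passes `parhubRoutingPreference` and `parvirtualRouterAutoScaleConfiguration`, while the module reads `hub.parHubRoutingPreference` and `hub.parVirtualRouterAutoScaleConfiguration` and the parameter JSON files in this commit use that casing; ARM property lookup is case-insensitive as far as I know, so this probably deploys, but the sample should use the documented key names so that readers copying it stay consistent: `parHubRoutingPreference: 'ExpressRoute'` and `parVirtualRouterAutoScaleConfiguration: 2`. The header still reads `// Minimum deployment sample` / `// Use this sample to deploy the minimum resource configuration.` and the module is declared as `minimum_vwan_conn` with `@description('Minimum resource configuration')`, which looks copied from minimum.sample.bicep; for this file I'd name it `baseline_vwan_conn` and describe it as the baseline configuration. `parVirtualNetworkIdToLink` also carries a partly masked subscription id (`xxxxxxxxx-b761-4132-9ed1-2c90d07c4885`); a fully masked placeholder avoids publishing a real id fragment in sample code.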
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/minimum.sample.bicep.md @@ -0,0 +1,34 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +location | No | + +### location + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + + + +- Default value: `westus` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.json" + }, + "parameters": { + "location": { + "value": "westus" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep new file mode 100644 index 00000000..b97cb040 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep @@ -0,0 +1,29 @@ +// +// Minimum deployment sample +// + +// Use this sample to deploy the minimum resource configuration. + +targetScope = 'resourceGroup' + +// ---------- +// PARAMETERS +// ---------- +param location string = 'westus' +// --------- +// RESOURCES +// --------- + +@description('Minimum resource configuration') +module minimum_vwan_conn '../vwanConnectivity.bicep' = { + name: 'minimum_vwan_conn' + params: { + parLocation: location + parAzFirewallAvailabilityZones: [ + '1' + '2' + '3' + ] + parVirtualNetworkIdToLink: '/subscriptions/xxxxxxxxx-b761-4132-9ed1-2c90d07c4885/resourceGroups/rg-vnet/providers/Microsoft.Network/virtualNetworks/vnet' + } +} 
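Review bot: The sample's only parameter is named `location`, whereas the module and baseline.sample.bicep use the `par` prefix (`parLocation`); the generated docs for this sample consequently expose `location` while the baseline docs expose `parLocation`, which is confusing when comparing the two. I'd rename it `param parLocation string = 'westus'` and pass `parLocation: parLocation`. The same partly masked subscription id fragment as in baseline.sample.bicep (`xxxxxxxxx-b761-4132-9ed1-2c90d07c4885`) appears in `parVirtualNetworkIdToLink`; a fully masked placeholder is preferable.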
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep new file mode 100644 index 00000000..6ef93602 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep 
@@ -0,0 +1,372 @@
+metadata name = 'ALZ Bicep - Azure vWAN Connectivity Module'
+metadata description = 'Module used to set up vWAN Connectivity'
+
+@sys.description('Region in which the resource group was created.')
+param parLocation string = resourceGroup().location
+
+@sys.description('Prefix value which will be prepended to all resource names.')
+param parCompanyPrefix string = 'alz'
+
+@sys.description('Azure Firewall Tier associated with the Firewall to deploy.')
+@allowed([
+ 'Basic'
+ 'Standard'
+ 'Premium'
+])
+param parAzFirewallTier string = 'Standard'
+
+@sys.description('Switch to enable/disable Virtual Hub deployment.')
+param parVirtualHubEnabled bool = true
+
+@sys.description('Switch to enable/disable Azure Firewall DNS Proxy.')
+param parAzFirewallDnsProxyEnabled bool = true
+
+@sys.description('Prefix Used for Virtual WAN.')
+param parVirtualWanName string = '${parCompanyPrefix}-vwan-${parLocation}'
+
+@sys.description('Prefix Used for Virtual WAN Hub.')
+param parVirtualWanHubName string = '${parCompanyPrefix}-vhub'
+
+@sys.description('''Array Used for multiple Virtual WAN Hubs deployment. Each object in the array represents an individual Virtual WAN Hub configuration. Add/remove additional objects in the array to meet the number of Virtual WAN Hubs required.
+
+- `parVpnGatewayEnabled` - Switch to enable/disable VPN Gateway deployment on the respective Virtual WAN Hub.
+- `parExpressRouteGatewayEnabled` - Switch to enable/disable ExpressRoute Gateway deployment on the respective Virtual WAN Hub.
+- `parAzFirewallEnabled` - Switch to enable/disable Azure Firewall deployment on the respective Virtual WAN Hub.
+- `parVirtualHubAddressPrefix` - The IP address range in CIDR notation for the vWAN virtual Hub to use.
+- `parHubLocation` - The Virtual WAN Hub location.
+- `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`.
+- `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50.
+- `parVirtualHubRoutingIntentDestinations` - The Virtual WAN Hub routing intent destinations, leave empty if not wanting to enable routing intent. The allowed values are `Internet`, `PrivateTraffic`.
+
+''')
+param parVirtualWanHubs array = [ {
+ parVpnGatewayEnabled: true
+ parExpressRouteGatewayEnabled: true
+ parAzFirewallEnabled: true
+ parVirtualHubAddressPrefix: '10.100.0.0/23'
+ parHubLocation: parLocation
+ parHubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute'.
+ parVirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50
+ parVirtualHubRoutingIntentDestinations: []
+ }
+]
+
+@sys.description('Prefix Used for VPN Gateway.')
+param parVpnGatewayName string = '${parCompanyPrefix}-vpngw'
+
+@sys.description('Prefix Used for ExpressRoute Gateway.')
+param parExpressRouteGatewayName string = '${parCompanyPrefix}-ergw'
+
+@sys.description('Azure Firewall Name.')
+param parAzFirewallName string = '${parCompanyPrefix}-fw'
+
+@allowed([
+ '1'
+ '2'
+ '3'
+])
+@sys.description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.')
+param parAzFirewallAvailabilityZones array = []
+
+@sys.description('Azure Firewall Policies Name.')
+param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}'
+
+@sys.description('The scale unit for this VPN Gateway.')
+param parVpnGatewayScaleUnit int = 1
+
+@sys.description('The scale unit for this ExpressRoute Gateway.')
+param parExpressRouteGatewayScaleUnit int = 1
+
+@sys.description('Switch to enable/disable DDoS Network Protection deployment.')
+param parDdosEnabled bool = true
+
+@sys.description('DDoS Plan Name.')
+param parDdosPlanName string = '${parCompanyPrefix}-ddos-plan'
+
+@sys.description('Switch to enable/disable Private DNS Zones deployment.')
+param parPrivateDnsZonesEnabled bool = true
+
+@sys.description('Resource Group Name for Private DNS Zones.')
+param parPrivateDnsZonesResourceGroup string = resourceGroup().name
+
+@sys.description('Array of DNS Zones to provision in Hub Virtual Network.')
+param parPrivateDnsZones array = [
+ 'privatelink.${toLower(parLocation)}.azmk8s.io'
+ 'privatelink.${toLower(parLocation)}.batch.azure.com'
+ 'privatelink.${toLower(parLocation)}.kusto.windows.net'
+ 'privatelink.adf.azure.com'
+ 'privatelink.afs.azure.net'
+ 'privatelink.agentsvc.azure-automation.net'
+ 'privatelink.analysis.windows.net'
+ 'privatelink.api.azureml.ms'
+ 'privatelink.azconfig.io'
+ 'privatelink.azure-api.net'
+ 'privatelink.azure-automation.net'
+ 'privatelink.azurecr.io'
+ 'privatelink.azure-devices.net'
+ 'privatelink.azure-devices-provisioning.net'
+ 'privatelink.azurehdinsight.net'
+ 'privatelink.azurehealthcareapis.com'
+ 'privatelink.azurestaticapps.net'
+ 'privatelink.azuresynapse.net'
+ 'privatelink.azurewebsites.net'
+ 'privatelink.batch.azure.com'
+ 'privatelink.blob.core.windows.net'
+ 'privatelink.cassandra.cosmos.azure.com'
+ 'privatelink.cognitiveservices.azure.com'
+ 'privatelink.database.windows.net'
+ 'privatelink.datafactory.azure.net'
+ 'privatelink.dev.azuresynapse.net'
+ 'privatelink.dfs.core.windows.net'
+ 'privatelink.dicom.azurehealthcareapis.com'
+ 'privatelink.digitaltwins.azure.net'
+ 'privatelink.directline.botframework.com'
+ 'privatelink.documents.azure.com'
+ 'privatelink.eventgrid.azure.net'
+ 'privatelink.file.core.windows.net'
+ 'privatelink.gremlin.cosmos.azure.com'
+ 'privatelink.guestconfiguration.azure.com'
+ 'privatelink.his.arc.azure.com'
+ 'privatelink.kubernetesconfiguration.azure.com'
+ 'privatelink.managedhsm.azure.net'
+ 'privatelink.mariadb.database.azure.com'
+ 'privatelink.media.azure.net'
+ 'privatelink.mongo.cosmos.azure.com'
+ 'privatelink.monitor.azure.com'
+ 'privatelink.mysql.database.azure.com'
+ 'privatelink.notebooks.azure.net'
+ 'privatelink.ods.opinsights.azure.com'
+ 'privatelink.oms.opinsights.azure.com'
+ 'privatelink.pbidedicated.windows.net'
+ 'privatelink.postgres.database.azure.com'
+ 'privatelink.prod.migration.windowsazure.com'
+ 'privatelink.purview.azure.com'
+ 'privatelink.purviewstudio.azure.com'
+ 'privatelink.queue.core.windows.net'
+ 'privatelink.redis.cache.windows.net'
+ 'privatelink.redisenterprise.cache.azure.net'
+ 'privatelink.search.windows.net'
+ 'privatelink.service.signalr.net'
+ 'privatelink.servicebus.windows.net'
+ 'privatelink.siterecovery.windowsazure.com'
+ 'privatelink.sql.azuresynapse.net'
+ 'privatelink.table.core.windows.net'
+ 'privatelink.table.cosmos.azure.com'
+ 'privatelink.tip1.powerquery.microsoft.com'
+ 'privatelink.token.botframework.com'
+ 'privatelink.vaultcore.azure.net'
+ 'privatelink.web.core.windows.net'
+ 'privatelink.webpubsub.azure.com'
+]
+
+@sys.description('Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.')
+param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true
+
+@sys.description('Resource ID of VNet for Private DNS Zone VNet Links')
+param parVirtualNetworkIdToLink string = ''
+
+@sys.description('Tags you would like to be applied to all resources in this module.')
+param parTags object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id Telemetry
+var varCuaid = '7f94f23b-7a59-4a5c-9a8d-2a253a566f61'
+
+// ZTN Telemetry
+var varZtnP1CuaId = '3ab23b1e-c5c5-42d4-b163-1402384ba2db'
+var varZtnP1Trigger = (parDdosEnabled && !(contains(map(parVirtualWanHubs, hub => hub.parAzFirewallEnabled), false)) && (parAzFirewallTier == 'Premium')) ? true : false
+
+// Virtual WAN resource
+resource resVwan 'Microsoft.Network/virtualWans@2023-04-01' = {
+ name: parVirtualWanName
+ location: parLocation
+ tags: parTags
+ properties: {
+ allowBranchToBranchTraffic: true
+ allowVnetToVnetTraffic: true
+ disableVpnEncryption: false
+ type: 'Standard'
+ }
+}
+
+resource resVhub 'Microsoft.Network/virtualHubs@2023-04-01' = [for hub in parVirtualWanHubs: if (parVirtualHubEnabled && !empty(hub.parVirtualHubAddressPrefix)) {
+ name: '${parVirtualWanHubName}-${hub.parHubLocation}'
+ location: hub.parHubLocation
+ tags: parTags
+ properties: {
+ addressPrefix: hub.parVirtualHubAddressPrefix
+ sku: 'Standard'
+ virtualWan: {
+ id: resVwan.id
+ }
+ virtualRouterAutoScaleConfiguration: {
+ minCapacity: hub.parVirtualRouterAutoScaleConfiguration
+ }
+ hubRoutingPreference: hub.parHubRoutingPreference
+ }
+}]
+
+resource resVhubRouteTable 'Microsoft.Network/virtualHubs/hubRouteTables@2023-04-01' = [for (hub, i) in parVirtualWanHubs: if (parVirtualHubEnabled && hub.parAzFirewallEnabled && empty(hub.parVirtualHubRoutingIntentDestinations)) {
+ parent: resVhub[i]
+ name: 'defaultRouteTable'
+ properties: {
+ labels: [
+ 'default'
+ ]
+ routes: [
+ {
+ name: 'default-to-azfw'
+ destinations: [
+ '0.0.0.0/0'
+ ]
+ destinationType: 'CIDR'
+ nextHop: (parVirtualHubEnabled && hub.parAzFirewallEnabled) ? resAzureFirewall[i].id : ''
+ nextHopType: 'ResourceID'
+ }
+ ]
+ }
+}]
+
+resource resVhubRoutingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-04-01' = [for (hub, i) in parVirtualWanHubs: if (parVirtualHubEnabled && hub.parAzFirewallEnabled && !empty(hub.parVirtualHubRoutingIntentDestinations)) {
+ parent: resVhub[i]
+ name: '${parVirtualWanHubName}-${hub.parHubLocation}-Routing-Intent'
+ properties: {
+ routingPolicies: [for destination in hub.parVirtualHubRoutingIntentDestinations: {
+ name: destination == 'Internet' ? 'PublicTraffic' : destination == 'PrivateTraffic' ? 'PrivateTraffic' : 'N/A'
+ destinations: [
+ destination
+ ]
+ nextHop: resAzureFirewall[i].id
+ }]
+ }
+}]
+
+resource resVpnGateway 'Microsoft.Network/vpnGateways@2023-02-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parVpnGatewayEnabled)) {
+ dependsOn: resVhub
+ name: '${parVpnGatewayName}-${hub.parHubLocation}'
+ location: hub.parHubLocation
+ tags: parTags
+ properties: {
+ bgpSettings: {
+ asn: 65515
+ bgpPeeringAddress: ''
+ peerWeight: 5
+ }
+ virtualHub: {
+ id: resVhub[i].id
+ }
+ vpnGatewayScaleUnit: parVpnGatewayScaleUnit
+ }
+}]
+
+resource resErGateway 'Microsoft.Network/expressRouteGateways@2023-02-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parExpressRouteGatewayEnabled)) {
+ dependsOn: resVhub
+ name: '${parExpressRouteGatewayName}-${hub.parHubLocation}'
+ location: hub.parHubLocation
+ tags: parTags
+ properties: {
+ virtualHub: {
+ id: resVhub[i].id
+ }
+ autoScaleConfiguration: {
+ bounds: {
+ min: parExpressRouteGatewayScaleUnit
+ }
+ }
+ }
+}]
+
+resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parVirtualHubEnabled && parVirtualWanHubs[0].parAzFirewallEnabled) {
+ name: parAzFirewallPoliciesName
+ location: parLocation
+ tags: parTags
+ properties: (parAzFirewallTier == 'Basic') ? {
+ sku: {
+ tier: parAzFirewallTier
+ }
+ } : {
+ dnsSettings: {
+ enableProxy: parAzFirewallDnsProxyEnabled
+ }
+ sku: {
+ tier: parAzFirewallTier
+ }
+ }
+}
+
+resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2023-02-01' = [for (hub, i) in parVirtualWanHubs: if ((parVirtualHubEnabled) && (hub.parAzFirewallEnabled)) {
+ name: '${parAzFirewallName}-${hub.parHubLocation}'
+ location: hub.parHubLocation
+ tags: parTags
+ zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : null)
+ properties: {
+ hubIPAddresses: {
+ publicIPs: {
+ count: 1
+ }
+ }
+ sku: {
+ name: 'AZFW_Hub'
+ tier: parAzFirewallTier
+ }
+ virtualHub: {
+ id: parVirtualHubEnabled ? resVhub[i].id : ''
+ }
+ firewallPolicy: {
+ id: (parVirtualHubEnabled && hub.parAzFirewallEnabled) ? resFirewallPolicies.id : ''
+ }
+ }
+}]
+
+// DDoS plan is deployed even though not supported to attach to Virtual WAN today as per https://docs.microsoft.com/azure/firewall-manager/overview#known-issues - However, it can still be linked via policy to spoke VNets etc.
+resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-02-01' = if (parDdosEnabled) {
+ name: parDdosPlanName
+ location: parLocation
+ tags: parTags
+}
+
+// Private DNS Zones cannot be linked to the Virtual WAN Hub today however, they can be linked to spokes as they are normal VNets as per https://docs.microsoft.com/azure/virtual-wan/howto-private-link
+module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPrivateDnsZonesEnabled) {
+ name: 'deploy-Private-DNS-Zones'
+ scope: resourceGroup(parPrivateDnsZonesResourceGroup)
+ params: {
+ parLocation: parLocation
+ parTags: parTags
+ parPrivateDnsZones: parPrivateDnsZones
+ parPrivateDnsZoneAutoMergeAzureBackupZone: parPrivateDnsZoneAutoMergeAzureBackupZone
+ parVirtualNetworkIdToLink: parVirtualNetworkIdToLink
+ }
+}
+
+// Optional Deployments for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ name: 'pid-${varCuaid}-${uniqueString(parLocation)}'
+ params: {}
+}
+
+module modCustomerUsageAttributionZtnP1 '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut && varZtnP1Trigger) {
+ name: 'pid-${varZtnP1CuaId}-${uniqueString(parLocation)}'
+ params: {}
+}
+
+// Output Virtual WAN name and ID
+output outVirtualWanName string = resVwan.name
+output outVirtualWanId string = resVwan.id
+
+// Output Virtual WAN Hub name and ID
+output outVirtualHubName array = [for (hub, i) in parVirtualWanHubs: {
+ virtualhubname: resVhub[i].name
+ virtualhubid: resVhub[i].id
+}]
+
+output outVirtualHubId array = [for (hub, i) in parVirtualWanHubs: {
+ virtualhubid: resVhub[i].id
+}]
+// Output DDoS Plan ID
+output outDdosPlanResourceId string = resDdosProtectionPlan.id
+
+// Output Private DNS Zones
+output outPrivateDnsZones array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZones : [])
+output outPrivateDnsZonesNames array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZonesNames : [])
diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md
new file mode 100644
index 00000000..d709648f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md
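Review bot: `resFirewallPolicies` is conditioned on `parVirtualWanHubs[0].parAzFirewallEnabled` only, but `resAzureFirewall` is deployed for every hub whose own `parAzFirewallEnabled` is true and references `resFirewallPolicies.id`, so a hub array whose first entry has the firewall disabled and a later entry enabled produces a firewall that points at a policy this template never deploys. The file already uses the `contains(map(...))` form in `varZtnP1Trigger`, so the condition can become `= if (parVirtualHubEnabled && contains(map(parVirtualWanHubs, hub => hub.parAzFirewallEnabled), true)) {`. Separately, `resVwan` hard-codes `allowBranchToBranchTraffic: true` and `allowVnetToVnetTraffic: true`, while the only route steered to the firewall when routing intent is left empty is `0.0.0.0/0` in `resVhubRouteTable`; unless I am misreading vWAN routing, branch-to-branch and VNet-to-VNet flows bypass the firewall in that configuration, so exposing at least branch-to-branch as a `bool` parameter (defaulting to `true` to keep current behaviour) would let operators close that path without editing the module. Minor: the trailing `? true : false` in `varZtnP1Trigger` is redundant, and `hubIPAddresses.publicIPs.count: 1` fixes every firewall to a single public IP with no parameter to raise it.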
@@ -0,0 +1,110 @@ +# Module: Orchestration - hubPeeredSpoke - Spoke network, including peering to Hub (Hub & Spoke or Virtual WAN) + +This module acts as an orchestration module that create and configures a spoke network to deliver the Azure Landing Zone Hub & Spoke architecture, for both traditional Hub & Spoke and Virtual WAN, which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow). + +Module deploys the following resources: + +- Subscription placement in Management Group hierarchy - if parPeeredVnetSubscriptionMgPlacement is specified +- Resource group +- Virtual Network (Spoke VNet) +- UDR - if parNextHopIPAddress and resource id of hub virtual network object is specified +- Hub to Spoke peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID +- Spoke to hub peering - if resource id of hub virtual network object is specified in parHubVirtualNetworkID +- Spoke to virtual WAN peering - if resource id of virtual WAN hub object is specified in parHubVirtualNetworkID + +Note that only one peering type can be created with this module, so either traditional Hub & Spoke **OR** Azure virtual WAN. + + +> You can use this module to enable Landing Zones (aka Subscriptions) with platform resources, as defined above, and also place them into the correct location in the hierarchy to meet governance requirements. For example, you can also use this module to deploy the Identity Landing Zone Subscription's vNet and peer it back to the hub vNet. +> +> You could also use it in a [loop](https://learn.microsoft.com/azure/azure-resource-manager/bicep/loops) to enable multiple Landing Zone Subscriptions at a time in a single deployment. 
+ + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/hubPeeredSpoke.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| --------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------- | +| outSpokeVirtualNetworkName | string | `vnet-spoke` | +| outSpokeVirtualNetworkId | string | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxx/resourceGroups/Hub_Networking_POC/providers/Microsoft.Network/virtualNetworks/vnet-spoke` | + +## Deployment + +This module is intended to be called from other modules as a reusable resource, but an example on how to deploy has been added below for completeness. + +In this example, the spoke resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the spoke resources should be deployed into the Landing Zones subscriptions. During the deployment step, we will take the parameters provided in the example parameter files. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
+ +### Azure CLI + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-HubPeeredSpoke-${dateYMD}" +LOCATION="eastus" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep" +PARAMETERS="@infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-HubPeeredSpoke-${dateYMD}" +LOCATION="chinaeast2" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep" +PARAMETERS="@infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-HubPeeredSpoke-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'EastUS' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep" + TemplateParameterFile = 'infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-HubPeeredSpoke-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep" + TemplateParameterFile = 'infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json' +} + +New-AzManagementGroupDeployment 
@inputObject +``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") + + + + + + diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md new file mode 100644 index 00000000..4d20b5ad --- /dev/null +++ b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md 
@@ -0,0 +1,275 @@ +# ALZ Bicep - Orchestration - Hub Peered Spoke + +Orchestration module used to create and configure a spoke network to deliver the Azure Landing Zone Hub & Spoke architecture + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | The region to deploy all resources into. +parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. +parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +parPeeredVnetSubscriptionId | No | Subscription Id to the Virtual Network Hub object. Default: Empty String +parTags | No | Array of Tags to be applied to all resources in module. Default: Empty Object +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. +parPeeredVnetSubscriptionMgPlacement | No | The Management Group Id to place the subscription in. Default: Empty String +parResourceGroupNameForSpokeNetworking | No | Name of Resource Group to be created to contain spoke networking resources like the virtual network. +parDdosProtectionPlanId | No | Existing DDoS Protection plan to utilize. Default: Empty string +parPrivateDnsZoneResourceIds | No | The Resource IDs of the Private DNS Zones to associate with spokes. Default: Empty Array +parSpokeNetworkName | No | The Name of the Spoke Virtual Network. +parSpokeNetworkAddressPrefix | No | CIDR for Spoke Network. +parDnsServerIps | No | Array of DNS Server IP addresses for VNet. Default: Empty Array +parNextHopIpAddress | No | IP Address where network traffic should route to. Default: Empty string +parDisableBgpRoutePropagation | No | Switch which allows BGP Route Propogation to be disabled on the route table. +parSpokeToHubRouteTableName | No | Name of Route table to create for the default route of Hub. 
+parHubVirtualNetworkId | Yes | Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID. +parAllowSpokeForwardedTraffic | No | Switch to enable/disable forwarded Traffic from outside spoke network. +parAllowHubVpnGatewayTransit | No | Switch to enable/disable VPN Gateway for the hub network peering. +parVirtualHubConnectionPrefix | No | Optional Virtual Hub Connection Name Prefix. +parVirtualHubConnectionSuffix | No | Optional Virtual Hub Connection Name Suffix. Example: -vhc +parEnableInternetSecurity | No | Enable Internet Security for the Virtual Hub Connection. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The region to deploy all resources into. + +- Default value: `[deployment().location]` + +### parTopLevelManagementGroupPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix for the management group hierarchy. + +- Default value: `alz` + +### parTopLevelManagementGroupSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix + +### parPeeredVnetSubscriptionId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Subscription Id to the Virtual Network Hub object. Default: Empty String + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of Tags to be applied to all resources in module. Default: Empty Object + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
+ +- Default value: `False` + +### parPeeredVnetSubscriptionMgPlacement + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Management Group Id to place the subscription in. Default: Empty String + +### parResourceGroupNameForSpokeNetworking + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name of Resource Group to be created to contain spoke networking resources like the virtual network. + +- Default value: `[format('{0}-{1}-spoke-networking', parameters('parTopLevelManagementGroupPrefix'), parameters('parLocation'))]` + +### parDdosProtectionPlanId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Existing DDoS Protection plan to utilize. Default: Empty string + +### parPrivateDnsZoneResourceIds + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Resource IDs of the Private DNS Zones to associate with spokes. Default: Empty Array + +### parSpokeNetworkName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Name of the Spoke Virtual Network. + +- Default value: `vnet-spoke` + +### parSpokeNetworkAddressPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +CIDR for Spoke Network. + +- Default value: `10.11.0.0/16` + +### parDnsServerIps + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of DNS Server IP addresses for VNet. Default: Empty Array + +### parNextHopIpAddress + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +IP Address where network traffic should route to. 
Default: Empty string + +### parDisableBgpRoutePropagation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch which allows BGP Route Propogation to be disabled on the route table. + +- Default value: `False` + +### parSpokeToHubRouteTableName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name of Route table to create for the default route of Hub. + +- Default value: `rtb-spoke-to-hub` + +### parHubVirtualNetworkId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID. + +### parAllowSpokeForwardedTraffic + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable forwarded Traffic from outside spoke network. + +- Default value: `False` + +### parAllowHubVpnGatewayTransit + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable VPN Gateway for the hub network peering. + +- Default value: `False` + +### parVirtualHubConnectionPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Virtual Hub Connection Name Prefix. + +### parVirtualHubConnectionSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Virtual Hub Connection Name Suffix. Example: -vhc + +- Default value: `-vhc` + +### parEnableInternetSecurity + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Enable Internet Security for the Virtual Hub Connection. 
+ +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outSpokeVirtualNetworkName | string | +outSpokeVirtualNetworkId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.json" + }, + "parameters": { + "parLocation": { + "value": "[deployment().location]" + }, + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parPeeredVnetSubscriptionId": { + "value": "" + }, + "parTags": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + }, + "parPeeredVnetSubscriptionMgPlacement": { + "value": "" + }, + "parResourceGroupNameForSpokeNetworking": { + "value": "[format('{0}-{1}-spoke-networking', parameters('parTopLevelManagementGroupPrefix'), parameters('parLocation'))]" + }, + "parDdosProtectionPlanId": { + "value": "" + }, + "parPrivateDnsZoneResourceIds": { + "value": [] + }, + "parSpokeNetworkName": { + "value": "vnet-spoke" + }, + "parSpokeNetworkAddressPrefix": { + "value": "10.11.0.0/16" + }, + "parDnsServerIps": { + "value": [] + }, + "parNextHopIpAddress": { + "value": "" + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parSpokeToHubRouteTableName": { + "value": "rtb-spoke-to-hub" + }, + "parHubVirtualNetworkId": { + "value": "" + }, + "parAllowSpokeForwardedTraffic": { + "value": false + }, + "parAllowHubVpnGatewayTransit": { + "value": false + }, + "parVirtualHubConnectionPrefix": { + "value": "" + }, + "parVirtualHubConnectionSuffix": { + "value": "-vhc" + }, + "parEnableInternetSecurity": { + "value": false + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep new file mode 100644 index 00000000..5b5fbadb --- /dev/null +++ b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep 
@@ -0,0 +1,224 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Orchestration - Hub Peered Spoke' +metadata description = 'Orchestration module used to create and configure a spoke network to deliver the Azure Landing Zone Hub & Spoke architecture' + +// **Parameters** +// Generic Parameters - Used in multiple modules +@sys.description('The region to deploy all resources into.') +param parLocation string = deployment().location + +@sys.description('Prefix for the management group hierarchy.') +@minLength(2) +@maxLength(10) +param parTopLevelManagementGroupPrefix string = 'alz' + +@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix') +@maxLength(10) +param parTopLevelManagementGroupSuffix string = '' + +@sys.description('Subscription Id to the Virtual Network Hub object. Default: Empty String') +param parPeeredVnetSubscriptionId string = '' + +@sys.description('Array of Tags to be applied to all resources in module. Default: Empty Object') +param parTags object = {} + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry.') +param parTelemetryOptOut bool = false + +// Subscription Module Parameters +@sys.description('The Management Group Id to place the subscription in. Default: Empty String') +param parPeeredVnetSubscriptionMgPlacement string = '' + +// Resource Group Module Parameters +@sys.description('Name of Resource Group to be created to contain spoke networking resources like the virtual network.') +param parResourceGroupNameForSpokeNetworking string = '${parTopLevelManagementGroupPrefix}-${parLocation}-spoke-networking' + +// Spoke Networking Module Parameters +@sys.description('Existing DDoS Protection plan to utilize. Default: Empty string') +param parDdosProtectionPlanId string = '' + +@sys.description('The Resource IDs of the Private DNS Zones to associate with spokes. 
Default: Empty Array') +param parPrivateDnsZoneResourceIds array = [] + +@sys.description('The Name of the Spoke Virtual Network.') +param parSpokeNetworkName string = 'vnet-spoke' + +@sys.description('CIDR for Spoke Network.') +param parSpokeNetworkAddressPrefix string = '10.11.0.0/16' + +@sys.description('Array of DNS Server IP addresses for VNet. Default: Empty Array') +param parDnsServerIps array = [] + +@sys.description('IP Address where network traffic should route to. Default: Empty string') +param parNextHopIpAddress string = '' + +@sys.description('Switch which allows BGP Route Propogation to be disabled on the route table.') +param parDisableBgpRoutePropagation bool = false + +@sys.description('Name of Route table to create for the default route of Hub.') +param parSpokeToHubRouteTableName string = 'rtb-spoke-to-hub' + +// Peering Modules Parameters +@sys.description('Virtual Network ID of Hub Virtual Network, or Azure Virtuel WAN hub ID.') +param parHubVirtualNetworkId string + +@sys.description('Switch to enable/disable forwarded Traffic from outside spoke network.') +param parAllowSpokeForwardedTraffic bool = false + +@sys.description('Switch to enable/disable VPN Gateway for the hub network peering.') +param parAllowHubVpnGatewayTransit bool = false + +// VWAN Module Parameters + +@sys.description('Optional Virtual Hub Connection Name Prefix.') +param parVirtualHubConnectionPrefix string = '' + +@sys.description('Optional Virtual Hub Connection Name Suffix. 
Example: -vhc') +param parVirtualHubConnectionSuffix string = '-vhc' + +@sys.description('Enable Internet Security for the Virtual Hub Connection.') +param parEnableInternetSecurity bool = false + +// **Variables** +// Customer Usage Attribution Id +var varCuaid = '8ea6f19a-d698-4c00-9afb-5c92d4766fd2' + +// Orchestration Module Variables +var varDeploymentNameWrappers = { + basePrefix: 'ALZBicep' + baseSuffixManagementGroup: '${parLocation}-${uniqueString(parLocation, parTopLevelManagementGroupPrefix)}-mg' + baseSuffixSubscription: '${parLocation}-${uniqueString(parLocation, parTopLevelManagementGroupPrefix)}-sub' + baseSuffixResourceGroup: '${parLocation}-${uniqueString(parLocation, parTopLevelManagementGroupPrefix)}-rg' +} + +var varModuleDeploymentNames = { + modSubscriptionPlacement: take('${varDeploymentNameWrappers.basePrefix}-modSubscriptionPlacement-${parPeeredVnetSubscriptionMgPlacement}-${varDeploymentNameWrappers.baseSuffixManagementGroup}', 64) + modResourceGroup: take('${varDeploymentNameWrappers.basePrefix}-modResourceGroup-${varDeploymentNameWrappers.baseSuffixSubscription}', 64) + modSpokeNetworking: take('${varDeploymentNameWrappers.basePrefix}-modSpokeNetworking-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61) + modSpokePeeringToHub: take('${varDeploymentNameWrappers.basePrefix}-modVnetPeering-ToHub-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61) + modSpokePeeringFromHub: take('${varDeploymentNameWrappers.basePrefix}-modVnetPeering-FromHub-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61) + modVnetPeeringVwan: take('${varDeploymentNameWrappers.basePrefix}-modVnetPeeringVwan-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61) + modPrivateDnsZoneLinkToSpoke: take('${varDeploymentNameWrappers.basePrefix}-modPDnsLinkToSpoke-${varDeploymentNameWrappers.baseSuffixResourceGroup}', 61) +} + +var varHubVirtualNetworkName = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, 
'/providers/Microsoft.Network/virtualNetworks/') ? split(parHubVirtualNetworkId, '/')[8] : '') + +var varHubVirtualNetworkResourceGroup = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualNetworks/') ? split(parHubVirtualNetworkId, '/')[4] : '') + +var varHubVirtualNetworkSubscriptionId = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualNetworks/') ? split(parHubVirtualNetworkId, '/')[2] : '') + +var varNextHopIPAddress = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualNetworks/') ? parNextHopIpAddress : '') + +var varVirtualHubResourceId = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualHubs/') ? parHubVirtualNetworkId : '') + +var varVirtualHubResourceGroup = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualHubs/') ? split(parHubVirtualNetworkId, '/')[4] : '') + +var varVirtualHubSubscriptionId = (!empty(parHubVirtualNetworkId) && contains(parHubVirtualNetworkId, '/providers/Microsoft.Network/virtualHubs/') ? 
split(parHubVirtualNetworkId, '/')[2] : '') + +// **Modules** +// Module - Customer Usage Attribution - Telemetry +module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + scope: managementGroup('${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}') + name: 'pid-${varCuaid}-${uniqueString(parLocation, parPeeredVnetSubscriptionId)}' + params: {} +} + +// Module - Subscription Placement - Management +module modSubscriptionPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parPeeredVnetSubscriptionMgPlacement)) { + scope: managementGroup('${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}') + name: varModuleDeploymentNames.modSubscriptionPlacement + params: { + parTargetManagementGroupId: parPeeredVnetSubscriptionMgPlacement + parSubscriptionIds: [ + parPeeredVnetSubscriptionId + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Resource Group +module modResourceGroup '../../modules/resourceGroup/resourceGroup.bicep' = { + scope: subscription(parPeeredVnetSubscriptionId) + name: varModuleDeploymentNames.modResourceGroup + params: { + parLocation: parLocation + parResourceGroupName: parResourceGroupNameForSpokeNetworking + parTags: parTags + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Spoke Virtual Network +module modSpokeNetworking '../../modules/spokeNetworking/spokeNetworking.bicep' = { + scope: resourceGroup(parPeeredVnetSubscriptionId, parResourceGroupNameForSpokeNetworking) + name: varModuleDeploymentNames.modSpokeNetworking + dependsOn: [ + modResourceGroup + ] + params: { + parSpokeNetworkName: parSpokeNetworkName + parSpokeNetworkAddressPrefix: parSpokeNetworkAddressPrefix + parDdosProtectionPlanId: parDdosProtectionPlanId + parDnsServerIps: parDnsServerIps + parNextHopIpAddress: varNextHopIPAddress + parSpokeToHubRouteTableName: parSpokeToHubRouteTableName + 
parDisableBgpRoutePropagation: parDisableBgpRoutePropagation + parTags: parTags + parTelemetryOptOut: parTelemetryOptOut + parLocation: parLocation + } +} + +// Module - Private DNS Zone Virtual Network Link to Spoke +module modPrivateDnsZoneLinkToSpoke '../../modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep' = [for zone in parPrivateDnsZoneResourceIds: if (!empty(parPrivateDnsZoneResourceIds)) { + scope: resourceGroup(split(zone, '/')[2], split(zone, '/')[4]) + name: take('${varModuleDeploymentNames.modPrivateDnsZoneLinkToSpoke}-${uniqueString(zone)}', 64) + params: { + parPrivateDnsZoneResourceId: zone + parSpokeVirtualNetworkResourceId: modSpokeNetworking.outputs.outSpokeVirtualNetworkId + } +}] + +// Module - Hub to Spoke peering. +module modHubPeeringToSpoke '../../modules/vnetPeering/vnetPeering.bicep' = if (!empty(varHubVirtualNetworkName)) { + scope: resourceGroup(varHubVirtualNetworkSubscriptionId, varHubVirtualNetworkResourceGroup) + name: varModuleDeploymentNames.modSpokePeeringFromHub + params: { + parDestinationVirtualNetworkId: (!empty(varHubVirtualNetworkName) ? modSpokeNetworking.outputs.outSpokeVirtualNetworkId : '') + parDestinationVirtualNetworkName: (!empty(varHubVirtualNetworkName) ? modSpokeNetworking.outputs.outSpokeVirtualNetworkName : '') + parSourceVirtualNetworkName: varHubVirtualNetworkName + parAllowForwardedTraffic: parAllowSpokeForwardedTraffic + parAllowGatewayTransit: parAllowHubVpnGatewayTransit + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Spoke to Hub peering. 
+module modSpokePeeringToHub '../../modules/vnetPeering/vnetPeering.bicep' = if (!empty(varHubVirtualNetworkName)) { + scope: resourceGroup(parPeeredVnetSubscriptionId, parResourceGroupNameForSpokeNetworking) + name: varModuleDeploymentNames.modSpokePeeringToHub + params: { + parDestinationVirtualNetworkId: parHubVirtualNetworkId + parDestinationVirtualNetworkName: varHubVirtualNetworkName + parSourceVirtualNetworkName: (!empty(varHubVirtualNetworkName) ? modSpokeNetworking.outputs.outSpokeVirtualNetworkName : '') + parUseRemoteGateways: parAllowHubVpnGatewayTransit + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Spoke to Azure Virtual WAN Hub peering. +module modhubVirtualNetworkConnection '../../modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep' = if (!empty(varVirtualHubResourceId)) { + scope: resourceGroup(varVirtualHubSubscriptionId, varVirtualHubResourceGroup) + name: varModuleDeploymentNames.modVnetPeeringVwan + params: { + parVirtualWanHubResourceId: varVirtualHubResourceId + parRemoteVirtualNetworkResourceId: modSpokeNetworking.outputs.outSpokeVirtualNetworkId + parVirtualHubConnectionPrefix: parVirtualHubConnectionPrefix + parVirtualHubConnectionSuffix: parVirtualHubConnectionSuffix + parEnableInternetSecurity: parEnableInternetSecurity + } +} + +output outSpokeVirtualNetworkName string = modSpokeNetworking.outputs.outSpokeVirtualNetworkName +output outSpokeVirtualNetworkId string = modSpokeNetworking.outputs.outSpokeVirtualNetworkId diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png new file mode 100644 index 00000000..47499622 Binary files /dev/null and b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png differ 
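Review bot: `parPeeredVnetSubscriptionId` is declared with a default of `''` yet is the scope of `modResourceGroup` (`subscription(parPeeredVnetSubscriptionId)`) and of `modSpokeNetworking` and `modSpokePeeringToHub` (`resourceGroup(parPeeredVnetSubscriptionId, parResourceGroupNameForSpokeNetworking)`), so the default can never yield a working deployment and a missing value only surfaces as a scope error at deploy time. Declare it as required, `param parPeeredVnetSubscriptionId string`, or constrain it with `@minLength(36)`, and drop the "Default: Empty String" wording that the generated docs then repeat; the same empty string would also be passed to `modSubscriptionPlacement` in `parSubscriptionIds` whenever `parPeeredVnetSubscriptionMgPlacement` is set. A second point, inferred rather than visible because spokeNetworking.bicep is not in this diff: `parDisableBgpRoutePropagation` defaults to `false` while `parNextHopIpAddress` and `parAllowHubVpnGatewayTransit` (forwarded as `parUseRemoteGateways`) can both be set, and on a spoke route table that combination typically lets gateway-learned on-premises routes take precedence over the default-route UDR and bypass the hub NVA. Consider stating this in the `@sys.description` of `parDisableBgpRoutePropagation`, e.g. `Switch which allows BGP Route Propagation to be disabled on the route table. Set to true when parNextHopIpAddress points at a hub firewall so propagated gateway routes cannot bypass it.`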
diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json
new file mode 100644
index 00000000..65328cd3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "westeurope"
+ },
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parPeeredVnetSubscriptionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parPeeredVnetSubscriptionMgPlacement": {
+ "value": "alz-platform-connectivity"
+ },
+ "parDdosProtectionPlanId": {
+ "value": ""
+ },
+ "parSpokeNetworkName": {
+ "value": "vnet-spoke"
+ },
+ "parSpokeNetworkAddressPrefix": {
+ "value": "10.202.0.0/24"
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPrivateDnsZoneResourceIds":{
+ "value": []
+ },
+ "parNextHopIpAddress": {
+ "value": "10.20.255.4"
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parSpoketoHubRouteTableName": {
+ "value": "rtb-spoke-to-hub"
+ },
+ "parHubVirtualNetworkId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-westeurope-hub-networking/providers/Microsoft.Network/virtualNetworks/alz-hub-westeurope"
+ },
+ "parAllowSpokeForwardedTraffic": {
+ "value": false
+ },
+ "parAllowHubVPNGatewayTransit": {
+ "value": true
+ },
+ "parVirtualHubConnectionPrefix": {
+ "value": ""
+ },
+ "parVirtualHubConnectionSuffix": {
+ "value": "-vhc"
+ },
+ "parEnableInternetSecurity": {
+ "value": false
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
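Review bot: The keys `parSpoketoHubRouteTableName` and `parAllowHubVPNGatewayTransit` do not match the template's `parSpokeToHubRouteTableName` and `parAllowHubVpnGatewayTransit`. Resource Manager resolves parameter names case-insensitively so the deployment will still bind them, but tooling that compares names literally (linters, policy-as-code rules, or a caller merging its own `--parameters` overrides with this file) may treat them as unknown or duplicate parameters. Rename the two keys to the template's exact spelling. The example also combines `parNextHopIpAddress` `10.20.255.4` with `parDisableBgpRoutePropagation: false` and gateway transit enabled; if the intent is to force spoke egress through a hub firewall, that pairing deserves a caveat in the module README, since propagated gateway routes can take precedence over the default-route UDR (inferred, the route-table module is not in this diff).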
diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.vwan.parameters.all.json b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.vwan.parameters.all.json
new file mode 100644
index 00000000..0b147eba
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.vwan.parameters.all.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "westeurope"
+ },
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parPeeredVnetSubscriptionId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ },
+ "parPeeredVnetSubscriptionMgPlacement": {
+ "value": "alz-platform-connectivity"
+ },
+ "parDdosProtectionPlanId": {
+ "value": ""
+ },
+ "parSpokeNetworkName": {
+ "value": "vnet-spoke"
+ },
+ "parSpokeNetworkAddressPrefix": {
+ "value": "10.202.0.0/24"
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parNextHopIpAddress": {
+ "value": "10.20.255.4"
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parSpoketoHubRouteTableName": {
+ "value": "rtb-spoke-to-hub"
+ },
+ "parHubVirtualNetworkId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-westeurope-hub-networking/providers/Microsoft.Network/virtualHubs/alz-vhub-westeurope"
+ },
+ "parAllowSpokeForwardedTraffic": {
+ "value": false
+ },
+ "parAllowHubVPNGatewayTransit": {
+ "value": true
+ },
+ "parVirtualHubConnectionPrefix": {
+ "value": ""
+ },
+ "parVirtualHubConnectionSuffix": {
+ "value": "-vhc"
+ },
+ "parEnableInternetSecurity": {
+ "value": false
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
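Review bot: In this Virtual WAN example `parNextHopIpAddress`, `parAllowHubVPNGatewayTransit: true` and `parAllowSpokeForwardedTraffic` are inert, because the template derives `varNextHopIPAddress` only when `parHubVirtualNetworkId` contains `/providers/Microsoft.Network/virtualNetworks/` and deploys the two VNet-peering modules only when `varHubVirtualNetworkName` is non-empty, which is never the case for a `virtualHubs` ID. Leaving them set to non-default values suggests they take effect and a reader may conclude the spoke's default route is forced through `10.20.255.4` when no route table entry is created. Remove the three entries from this file or set them to their defaults, and note in the README that for a vWAN hub traffic steering is governed by `parEnableInternetSecurity` and the hub's routing intent rather than these parameters. The same casing mismatch as the VNet example applies to `parSpoketoHubRouteTableName` and `parAllowHubVPNGatewayTransit` versus the template's `parSpokeToHubRouteTableName` and `parAllowHubVpnGatewayTransit`.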
diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md new file mode 100644 index 00000000..47196c29 --- /dev/null +++ b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md 
@@ -0,0 +1,138 @@ +# Module: Orchestration - mgDiagSettingsAll - Enable diagnostic settings for management groups in the ALZ Management Groups hierarchy + +This module acts as an orchestration module that helps enable Diagnostic Settings on the Management Group hierarchy as was defined during the deployment of the Management Group module (this can be deployed via the [`managementGroups.bicep` module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/managementGroups)), which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow). + +This is accomplished through a managementGroup-scoped Azure Resource Manager (ARM) deployment. There are two boolean parameters that should match the options selected during the deployment of Management Group module regarding creation or not of Corp and Online Landing Zones and Confidential Corp and Confidential Online Landing zones. +It also enables Diagnostic Settings for existing custom child landing zones if those are specified. + + +> This module calls the [`mgDiagSettings.bicep`](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/mgDiagSettings) module multiple times to enable Diagnostic Settings to the desired Management Groups. If you only want to enable Diagnostic Settings at a time to a specified Management Group, then you could consider using the child module directly. + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/mgDiagSettingsAll.bicep.md) + +### Diagnostic Settings for Child Landing Zone and Platform Management Groups + +This module considers the same flexibility used when creating the child Landing Zone and child Platform Management Groups during deployment of the Management Groups module. The parameters detailed below should correspond to the values used during Management Groups module deployment. 
All of these parameters can be used together to enable diagnostic settings on the child Landing Zone Management Groups. + +- `parLandingZoneMgAlzDefaultsEnable` + - Boolean - defaults to `true` + - **Required** + - Deploys following child Landing Zone Management groups if set to `true`: + - `Corp` + - `Online` + - *These are the default ALZ Management Groups as per the conceptual architecture* +- `parLandingZoneMgConfidentialEnable` + - Boolean - defaults to `false` + - **Required** + - Deploys following child Landing Zone Management groups if set to `true`: + - `Confidential Corp` + - `Confidential Online` +- `parLandingZoneMgChildren` + - Object - default is an empty array `[]` + - **Optional** + - Deploys whatever you specify in the object as child Landing Zone Management groups. +- `parPlatformMgChildren` + - Object - default is an empty array `[]` + - **Optional** + - Deploys whatever you specify in the object as child Landing Zone Management groups. + +#### `parLandingZoneMgChildren` and `parPlatformMgChildren` Input Examples + +Below are some examples of how to use this input parameter in both Bicep & JSON formats. + +##### Bicep Example + +```bicep +parLandingZoneMgChildren = [ + 'pci', + 'another-example' +] + +parPlatformMgChildren = [ + 'security', + 'yet-another-example' +] +``` + +##### JSON Parameter File Input Example + +```json + "parLandingZoneMgChildren": { + "value": [ + "pci", + "another-example" + ] + }, + "parPlatformMgChildren": { + "value": [ + "security", + "yet-another-example" + ] + } +``` + +## Outputs + +*The module will not generate any outputs.* + +## Deployment + +In this example, the Diagnostic Settings are enabled on the management groups through a managementGroup-scoped deployment. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+az deployment mg create \
+ --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
+ --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
+ --location eastus \
+ --management-group-id alz
+```
+
+OR
+
+```bash
+# For Azure China regions
+az deployment mg create \
+ --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
+ --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
+ --location chinaeast2 \
+ --management-group-id alz
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+New-AzManagementGroupDeployment `
+ -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
+ -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
+ -Location eastus `
+ -ManagementGroupId alz
+
+```
+
+OR
+
+```powershell
+# For Azure China regions
+New-AzManagementGroupDeployment `
+ -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
+ -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
+ -Location chinaeast2 `
+ -ManagementGroupId alz
+
+```
+
+## Validation
+
+To validate if Diagnostic Settings was correctly enabled for any specific management group, a REST API GET call can be used. Documentation and easy way to try this can be found in this link [(Management Group Diagnostic Settings - Get)](https://learn.microsoft.com/rest/api/monitor/management-group-diagnostic-settings/get?tabs=HTTP&tryIt=true&source=docs#code-try-0). There is currently not a direct way to validate this in the Azure Portal, Azure CLI or PowerShell.
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md
new file mode 100644
index 00000000..a0a5bd92
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md
@@ -0,0 +1,124 @@
+# ALZ Bicep orchestration - Management Group Diagnostic Settings - ALL
+
+Orchestration module that helps enable Diagnostic Settings on the Management Group hierarchy as was defined during the deployment of the Management Group module
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy in the managementGroups module.
+parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
+parLandingZoneMgChildren | No | Array of strings to allow additional or different child Management Groups of the Landing Zones Management Group.
+parPlatformMgChildren | No | Array of strings to allow additional or different child Management Groups of the Platform Management Group.
+parLogAnalyticsWorkspaceResourceId | Yes | Log Analytics Workspace Resource ID.
+parLandingZoneMgAlzDefaultsEnable | No | Deploys Diagnostic Settings on Corp & Online Management Groups beneath Landing Zones Management Group if set to true.
+parPlatformMgAlzDefaultsEnable | No | Deploys Diagnostic Settings on Management, Connectivity and Identity Management Groups beneath Platform Management Group if set to true.
+parLandingZoneMgConfidentialEnable | No | Deploys Diagnostic Settings on Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
+
+### parTopLevelManagementGroupPrefix
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Prefix used for the management group hierarchy in the managementGroups module.
+
+- Default value: `alz`
+
+### parTopLevelManagementGroupSuffix
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
+
+### parLandingZoneMgChildren
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Array of strings to allow additional or different child Management Groups of the Landing Zones Management Group.
+
+### parPlatformMgChildren
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Array of strings to allow additional or different child Management Groups of the Platform Management Group.
+
+### parLogAnalyticsWorkspaceResourceId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Log Analytics Workspace Resource ID.
+
+### parLandingZoneMgAlzDefaultsEnable
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Deploys Diagnostic Settings on Corp & Online Management Groups beneath Landing Zones Management Group if set to true.
+
+- Default value: `True`
+
+### parPlatformMgAlzDefaultsEnable
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Deploys Diagnostic Settings on Management, Connectivity and Identity Management Groups beneath Platform Management Group if set to true.
+
+- Default value: `True`
+
+### parLandingZoneMgConfidentialEnable
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Deploys Diagnostic Settings on Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.
+
+- Default value: `False`
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry.
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.json"
+ },
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parLandingZoneMgChildren": {
+ "value": []
+ },
+ "parPlatformMgChildren": {
+ "value": []
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": ""
+ },
+ "parLandingZoneMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parPlatformMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parLandingZoneMgConfidentialEnable": {
+ "value": false
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/media/bicepVisualizer.png
new file mode 100644
index 00000000..cc47dc2d
Binary files /dev/null and b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/media/bicepVisualizer.png differ
diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep
new file mode 100644
index 00000000..7c8e8e31
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep
@@ -0,0 +1,137 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep orchestration - Management Group Diagnostic Settings - ALL'
+metadata description = 'Orchestration module that helps enable Diagnostic Settings on the Management Group hierarchy as was defined during the deployment of the Management Group module'
+
+@sys.description('Prefix used for the management group hierarchy in the managementGroups module.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('Array of strings to allow additional or different child Management Groups of the Landing Zones Management Group.')
+param parLandingZoneMgChildren array = []
+
+@sys.description('Array of strings to allow additional or different child Management Groups of the Platform Management Group.')
+param parPlatformMgChildren array = []
+
+@sys.description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string
+
+@sys.description('Deploys Diagnostic Settings on Corp & Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgAlzDefaultsEnable bool = true
+
+@sys.description('Deploys Diagnostic Settings on Management, Connectivity and Identity Management Groups beneath Platform Management Group if set to true.')
+param parPlatformMgAlzDefaultsEnable bool = true
+
+@sys.description('Deploys Diagnostic Settings on Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgConfidentialEnable bool = false
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+var varMgIds = {
+ intRoot: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ platform: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ landingZones: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ sandbox: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+}
+
+// Used if parLandingZoneMgAlzDefaultsEnable == true
+var varLandingZoneMgChildrenAlzDefault = {
+ landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online${parTopLevelManagementGroupSuffix}'
+}
+
+// Used if parPlatformMgAlzDefaultsEnable == true
+var varPlatformMgChildrenAlzDefault = {
+ platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management${parTopLevelManagementGroupSuffix}'
+ platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity${parTopLevelManagementGroupSuffix}'
+ platformIdentity: '${parTopLevelManagementGroupPrefix}-platform-identity${parTopLevelManagementGroupSuffix}'
+}
+
+// Used if parLandingZoneMgConfidentialEnable == true
+var varLandingZoneMgChildrenConfidential = {
+ landingZonesConfidentialCorp: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesConfidentialOnline: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online${parTopLevelManagementGroupSuffix}'
+}
+
+// Used if parLandingZoneMgConfidentialEnable not empty
+var varLandingZoneMgCustomChildren = [for customMg in parLandingZoneMgChildren: {
+ mgId: '${parTopLevelManagementGroupPrefix}-landingzones-${customMg}${parTopLevelManagementGroupSuffix}'
+}]
+
+// Used if parLandingZoneMgConfidentialEnable not empty
+var varPlatformMgCustomChildren = [for customMg in parPlatformMgChildren: {
+ mgId: '${parTopLevelManagementGroupPrefix}-platform-${customMg}${parTopLevelManagementGroupSuffix}'
+}]
+
+// Build final object based on input parameters for default and confidential child MGs of LZs
+var varLandingZoneMgDefaultChildrenUnioned = (parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable) ? union(varLandingZoneMgChildrenAlzDefault, varLandingZoneMgChildrenConfidential) : (parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable) ? varLandingZoneMgChildrenAlzDefault : (!parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable) ? varLandingZoneMgChildrenConfidential : (!parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable) ? {} : {}
+
+// Build final object based on input parameters for default child MGs of Platform LZs
+var varPlatformMgDefaultChildrenUnioned = (parPlatformMgAlzDefaultsEnable) ? varPlatformMgChildrenAlzDefault : (parPlatformMgAlzDefaultsEnable) ? varPlatformMgChildrenAlzDefault : (!parPlatformMgAlzDefaultsEnable) ? {} : (!parPlatformMgAlzDefaultsEnable) ? {} : {}
+
+// Customer Usage Attribution Id
+var varCuaid = 'f49c8dfb-c0ce-4ee0-b316-5e4844474dd0'
+
+module modMgDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for mgId in items(varMgIds): {
+ scope: managementGroup(mgId.value)
+ name: 'mg-diag-set-${mgId.value}'
+ params: {
+ parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Default Children Landing Zone Management Groups
+module modMgLandingZonesDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in items(varLandingZoneMgDefaultChildrenUnioned): {
+ scope: managementGroup(childMg.value)
+ name: 'mg-diag-set-${childMg.value}'
+ params: {
+ parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Default Children Platform Management Groups
+module modMgPlatformDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in items(varPlatformMgDefaultChildrenUnioned): {
+ scope: managementGroup(childMg.value)
+ name: 'mg-diag-set-${childMg.value}'
+ params: {
+ parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Custom Children Landing Zone Management Groups
+module modMgChildrenDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in varLandingZoneMgCustomChildren: {
+ scope: managementGroup(childMg.mgId)
+ name: 'mg-diag-set-${childMg.mgId}'
+ params: {
+ parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Custom Children Platform Management Groups
+module modPlatformMgChildrenDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep' = [for childMg in varPlatformMgCustomChildren: {
+ scope: managementGroup(childMg.mgId)
+ name: 'mg-diag-set-${childMg.mgId}'
+ params: {
+ parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ scope: managementGroup()
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json
new file mode 100644
index 00000000..47a5ee18
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json
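Review bot: The comments above `varLandingZoneMgCustomChildren` and `varPlatformMgCustomChildren` both read `// Used if parLandingZoneMgConfidentialEnable not empty`, but those loops iterate `parLandingZoneMgChildren` and `parPlatformMgChildren`, so each comment should name the parameter it actually depends on; the `#disable-next-line` comment on `modCustomerUsageAttribution` likewise repeats its explanatory sentence twice. The `varPlatformMgDefaultChildrenUnioned` expression tests `parPlatformMgAlzDefaultsEnable` and its negation twice each, and the last arm of `varLandingZoneMgDefaultChildrenUnioned` is `? {} : {}`, so both reduce to a single conditional, e.g. `var varPlatformMgDefaultChildrenUnioned = parPlatformMgAlzDefaultsEnable ? varPlatformMgChildrenAlzDefault : {}`. With the visible `@maxLength(10)` on both prefix and suffix, the generated deployment name `mg-diag-set-<prefix>-landingzones-confidential-online<suffix>` can reach 65 characters, which I believe exceeds the deployment-name limit; if that limit applies here, a `take()` on the name or a tighter length constraint would avoid a deployment-time failure. Since the file sits under `dependencies/` and appears to be a copy of the upstream ALZ-Bicep module, these are probably best fixed upstream and re-synced rather than patched in this copy.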
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parLandingZoneMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parPlatformMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parLandingZoneMgConfidentialEnable": {
+ "value": false
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics"
+ },
+ "parLandingZoneMgChildren": {
+ "value": []
+ },
+ "parPlatformMgChildren": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json
new file mode 100644
index 00000000..23aa5f43
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/README.md b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/README.md
new file mode 100644
index 00000000..a41325ff
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/README.md
@@ -0,0 +1,166 @@
+# Module: Orchestration - subPlacementAll - Place All Subscriptions Into ALZ Management Group Hierarchy
+
+This module acts as an orchestration module that helps to define where all Subscriptions should be placed in the ALZ Management Group Hierarchy (this can be deployed via the [`managementGroups.bicep` module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/managementGroups)), which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow).
+
+Module deploys the following resources:
+
+- Subscription placement for multiple Subscriptions into the ALZ Management Group hierarchy
+
+> This module calls the [`subscriptionPlacement.bicep` module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/subscriptionPlacement) multiple times to move the specified Subscription IDs to the desired Management Groups. If you only want to move a single subscription at a time to a specified Management Group, then you could consider this child module that is called many times in this module.
+
+## Parameters
+
+- [Parameters for Azure Commercial Cloud](generateddocs/subPlacementAll.bicep.md)
+
+### `parLandingZoneMgChildrenSubs` and `parPlatformMgChildrenSubs` Input Examples
+
+The `parLandingZoneMgChildrenSubs` and `parPlatformMgChildrenSubs` are only used if you have deployed different Management Groups beneath the Landing Zones and Platform Management Group using the `parLandingZoneMgChildren` and/or `parPlatformMgChildren` parameter in the [`managementGroups.bicep` module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/managementGroups).
+
+Below are some examples of how to use these input parameters in both Bicep & JSON formats.
+
+> **NOTE:** The keys of each object in the dictionary object only need to match the last part of the Management Group ID, as the concatenation of the rest of the Management Group ID is automatically handled in the module.
+> For Example:
+> Entering `pci` as a key will match the Management Group ID of `alz-landingzones-pci` (`alz` is provided via the `parTopLevelManagementGroupPrefix` parameter). The bicep snippet for this concatenation for the Management Group ID is: `${parTopLevelManagementGroupPrefix}-landingzones-${mg.key}` (`mg` is the reference to the iterator in the loop that the module creates)
+
+#### Bicep Example
+
+```bicep
+parLandingZoneMgChildrenSubs: {
+ pci: {
+ subscriptions: [
+ 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+ 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'
+ ]
+ }
+ 'another-example': {
+ subscriptions: [
+ 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz'
+ ]
+ }
+}
+parPlatformMgChildrenSubs: {
+ security: {
+ subscriptions: [
+ 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+ 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'
+ ]
+ }
+ 'yet-another-example': {
+ subscriptions: [
+ 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz'
+ ]
+ }
+}
+```
+
+#### JSON Parameter File Input Example
+
+```json
+"parLandingZoneMgChildrenSubs": {
+ "value": {
+ "pci": {
+ "subscriptions": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
+ ]
+ },
+ "another-example": {
+ "subscriptions": [
+ "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
+ ]
+ }
+ }
+},
+"parPlatformMgChildrenSubs": {
+ "value": {
+ "security": {
+ "subscriptions": [
+ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
+ ]
+ },
+ "yet-another-example": {
+ "subscriptions": [
+ "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"
+ ]
+ }
+ }
+}
+```
+
+## Outputs
+
+This module will **not** generate any outputs.
+
+## Deployment
+
+This module is intended to be used/called only once in a setup, but is likely to be ran/deployed multiple times of the lifetime of you ALZ environment; for example when a new Landing Zone Subscription is created and needs to be placed into the desired Management Group.
+
+This however may be done as part of another process, for example upon Subscription vending. For this reason the module will not move/touch any subscriptions that are not declared in its parameters by design.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+```bash
+# For Azure global regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-SubPlacementAll-${dateYMD}"
+LOCATION="eastus"
+MGID="alz"
+TEMPLATEFILE="infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep"
+PARAMETERS="@infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+OR
+
+```bash
+# For Azure China regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-SubPlacementAll-${dateYMD}"
+LOCATION="chinaeast2"
+MGID="alz"
+TEMPLATEFILE="infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep"
+PARAMETERS="@infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+
+$inputObject = @{
+ DeploymentName = 'alz-SubPlacementAll-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'EastUS'
+ ManagementGroupId = 'alz'
+ TemplateFile = "infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+
+OR
+
+```powershell
+# For Azure China regions
+
+$inputObject = @{
+ DeploymentName = 'alz-SubPlacementAll-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'chinaeast2'
+ ManagementGroupId = 'alz'
+ TemplateFile = "infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md
new file mode 100644
index 00000000..35d2c95b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md
@@ -0,0 +1,198 @@ +# ALZ Bicep orchestration - Subscription Placement - ALL + +Orchestration module that helps to define where all Subscriptions should be placed in the ALZ Management Group Hierarchy + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. This management group will be created as part of the deployment. +parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +parIntRootMgSubs | No | An array of Subscription IDs to place in the Intermediate Root Management Group. Default: Empty Array +parPlatformMgSubs | No | An array of Subscription IDs to place in the Platform Management Group. Default: Empty Array +parPlatformManagementMgSubs | No | An array of Subscription IDs to place in the (Platform) Management Management Group. Default: Empty Array +parPlatformConnectivityMgSubs | No | An array of Subscription IDs to place in the (Platform) Connectivity Management Group. Default: Empty Array +parPlatformMgChildrenSubs | No | Dictionary Object to allow additional or different child Management Groups of the Platform Management Group describing the Subscription IDs which each of them contain. Default: Empty Object +parPlatformIdentityMgSubs | No | An array of Subscription IDs to place in the (Platform) Identity Management Group. Default: Empty Array +parLandingZonesMgSubs | No | An array of Subscription IDs to place in the Landing Zones Management Group. Default: Empty Array +parLandingZonesCorpMgSubs | No | An array of Subscription IDs to place in the Corp (Landing Zones) Management Group. Default: Empty Array +parLandingZonesOnlineMgSubs | No | An array of Subscription IDs to place in the Online (Landing Zones) Management Group. 
Default: Empty Array +parLandingZonesConfidentialCorpMgSubs | No | An array of Subscription IDs to place in the Confidential Corp (Landing Zones) Management Group. Default: Empty Array +parLandingZonesConfidentialOnlineMgSubs | No | An array of Subscription IDs to place in the Confidential Online (Landing Zones) Management Group. Default: Empty Array +parLandingZoneMgChildrenSubs | No | Dictionary Object to allow additional or different child Management Groups of the Landing Zones Management Group describing the Subscription IDs which each of them contain. Default: Empty Object +parDecommissionedMgSubs | No | An array of Subscription IDs to place in the Decommissioned Management Group. Default: Empty Array +parSandboxMgSubs | No | An array of Subscription IDs to place in the Sandbox Management Group. Default: Empty Array +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parTopLevelManagementGroupPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix for the management group hierarchy. This management group will be created as part of the deployment. + +- Default value: `alz` + +### parTopLevelManagementGroupSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix + +### parIntRootMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Intermediate Root Management Group. Default: Empty Array + +### parPlatformMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Platform Management Group. 
Default: Empty Array + +### parPlatformManagementMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the (Platform) Management Management Group. Default: Empty Array + +### parPlatformConnectivityMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the (Platform) Connectivity Management Group. Default: Empty Array + +### parPlatformMgChildrenSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Dictionary Object to allow additional or different child Management Groups of the Platform Management Group describing the Subscription IDs which each of them contain. Default: Empty Object + +### parPlatformIdentityMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the (Platform) Identity Management Group. Default: Empty Array + +### parLandingZonesMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Landing Zones Management Group. Default: Empty Array + +### parLandingZonesCorpMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Corp (Landing Zones) Management Group. Default: Empty Array + +### parLandingZonesOnlineMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Online (Landing Zones) Management Group. 
Default: Empty Array + +### parLandingZonesConfidentialCorpMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Confidential Corp (Landing Zones) Management Group. Default: Empty Array + +### parLandingZonesConfidentialOnlineMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Confidential Online (Landing Zones) Management Group. Default: Empty Array + +### parLandingZoneMgChildrenSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Dictionary Object to allow additional or different child Management Groups of the Landing Zones Management Group describing the Subscription IDs which each of them contain. Default: Empty Object + +### parDecommissionedMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Decommissioned Management Group. Default: Empty Array + +### parSandboxMgSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array of Subscription IDs to place in the Sandbox Management Group. Default: Empty Array + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
+ +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.json" + }, + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parIntRootMgSubs": { + "value": [] + }, + "parPlatformMgSubs": { + "value": [] + }, + "parPlatformManagementMgSubs": { + "value": [] + }, + "parPlatformConnectivityMgSubs": { + "value": [] + }, + "parPlatformMgChildrenSubs": { + "value": {} + }, + "parPlatformIdentityMgSubs": { + "value": [] + }, + "parLandingZonesMgSubs": { + "value": [] + }, + "parLandingZonesCorpMgSubs": { + "value": [] + }, + "parLandingZonesOnlineMgSubs": { + "value": [] + }, + "parLandingZonesConfidentialCorpMgSubs": { + "value": [] + }, + "parLandingZonesConfidentialOnlineMgSubs": { + "value": [] + }, + "parLandingZoneMgChildrenSubs": { + "value": {} + }, + "parDecommissionedMgSubs": { + "value": [] + }, + "parSandboxMgSubs": { + "value": [] + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/media/bicepVisualizer.png new file mode 100644 index 00000000..ed915a12 Binary files /dev/null and b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/media/bicepVisualizer.png differ diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json new file mode 100644 index 00000000..00459d61 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json @@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parIntRootMgSubs": { + "value": [] + }, + "parPlatformMgSubs": { + "value": [] + }, + "parPlatformManagementMgSubs": { + "value": [] + }, + "parPlatformConnectivityMgSubs": { + "value": [] + }, + "parPlatformIdentityMgSubs": { + "value": [] + }, + "parLandingZonesMgSubs": { + "value": [] + }, + "parLandingZonesCorpMgSubs": { + "value": [] + }, + "parLandingZonesOnlineMgSubs": { + "value": [] + }, + "parLandingZonesConfidentialCorpMgSubs": { + "value": [] + }, + "parLandingZonesConfidentialOnlineMgSubs": { + "value": [] + }, + "parLandingZoneMgChildrenSubs": { + "value": {} + }, + "parPlatformMgChildrenSubs": { + "value": {} + }, + "parDecommissionedMgSubs": { + "value": [] + }, + "parSandboxMgSubs": { + "value": [] + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json new file mode 100644 index 00000000..748d1665 --- /dev/null +++ b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json 
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parPlatformManagementMgSubs": {
+ "value": []
+ },
+ "parPlatformConnectivityMgSubs": {
+ "value": []
+ },
+ "parPlatformIdentityMgSubs": {
+ "value": []
+ },
+ "parLandingZonesCorpMgSubs": {
+ "value": []
+ },
+ "parLandingZonesOnlineMgSubs": {
+ "value": []
+ },
+ "parDecommissionedMgSubs": {
+ "value": []
+ },
+ "parSandboxMgSubs": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep
new file mode 100644
index 00000000..63b755d7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep
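Review bot: The file ends without a trailing newline (`\ No newline at end of file`) while the sibling `subPlacementAll.parameters.all.json` in this commit has one; add the newline so the two parameter files follow the same convention and future edits do not produce a spurious last-line diff.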
@@ -0,0 +1,245 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep orchestration - Subscription Placement - ALL'
+metadata description = 'Orchestration module that helps to define where all Subscriptions should be placed in the ALZ Management Group Hierarchy'
+
+@sys.description('Prefix for the management group hierarchy. This management group will be created as part of the deployment.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('An array of Subscription IDs to place in the Intermediate Root Management Group. Default: Empty Array')
+param parIntRootMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the Platform Management Group. Default: Empty Array')
+param parPlatformMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the (Platform) Management Management Group. Default: Empty Array')
+param parPlatformManagementMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the (Platform) Connectivity Management Group. Default: Empty Array')
+param parPlatformConnectivityMgSubs array = []
+
+@sys.description('Dictionary Object to allow additional or different child Management Groups of the Platform Management Group describing the Subscription IDs which each of them contain. Default: Empty Object')
+param parPlatformMgChildrenSubs object = {}
+
+@sys.description('An array of Subscription IDs to place in the (Platform) Identity Management Group. Default: Empty Array')
+param parPlatformIdentityMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the Landing Zones Management Group. Default: Empty Array')
+param parLandingZonesMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the Corp (Landing Zones) Management Group. Default: Empty Array')
+param parLandingZonesCorpMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the Online (Landing Zones) Management Group. Default: Empty Array')
+param parLandingZonesOnlineMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the Confidential Corp (Landing Zones) Management Group. Default: Empty Array')
+param parLandingZonesConfidentialCorpMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the Confidential Online (Landing Zones) Management Group. Default: Empty Array')
+param parLandingZonesConfidentialOnlineMgSubs array = []
+
+@sys.description('Dictionary Object to allow additional or different child Management Groups of the Landing Zones Management Group describing the Subscription IDs which each of them contain. Default: Empty Object')
+param parLandingZoneMgChildrenSubs object = {}
+
+@sys.description('An array of Subscription IDs to place in the Decommissioned Management Group. Default: Empty Array')
+param parDecommissionedMgSubs array = []
+
+@sys.description('An array of Subscription IDs to place in the Sandbox Management Group. Default: Empty Array')
+param parSandboxMgSubs array = []
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+var varMgIds = {
+ intRoot: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ platform: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management${parTopLevelManagementGroupSuffix}'
+ platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity${parTopLevelManagementGroupSuffix}'
+ platformIdentity: '${parTopLevelManagementGroupPrefix}-platform-identity${parTopLevelManagementGroupSuffix}'
+ landingZones: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online${parTopLevelManagementGroupSuffix}'
+ landingZonesConfidentialCorp: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesConfidentialOnline: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online${parTopLevelManagementGroupSuffix}'
+ decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ sandbox: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+}
+
+var varDeploymentNames = {
+ modIntRootMgSubPlacement: take('modIntRootMgSubPlacement-${uniqueString(varMgIds.intRoot, string(length(parIntRootMgSubs)), deployment().name)}', 64)
+ modPlatformMgSubPlacement: take('modPlatformMgSubPlacement-${uniqueString(varMgIds.platform, string(length(parPlatformMgSubs)), deployment().name)}', 64)
+ modPlatformManagementMgSubPlacement: take('modPlatformManagementMgSubPlacement-${uniqueString(varMgIds.platformManagement, string(length(parPlatformManagementMgSubs)), deployment().name)}', 64)
+ modPlatformConnectivityMgSubPlacement: take('modPlatformConnectivityMgSubPlacement-${uniqueString(varMgIds.platformConnectivity, string(length(parPlatformConnectivityMgSubs)), deployment().name)}', 64)
+ modPlatformIdentityMgSubPlacement: take('modPlatformIdentityMgSubPlacement-${uniqueString(varMgIds.platformIdentity, string(length(parPlatformIdentityMgSubs)), deployment().name)}', 64)
+ modLandingZonesMgSubPlacement: take('modLandingZonesMgSubPlacement-${uniqueString(varMgIds.landingZones, string(length(parLandingZonesMgSubs)), deployment().name)}', 64)
+ modLandingZonesCorpMgSubPlacement: take('modLandingZonesCorpMgSubPlacement-${uniqueString(varMgIds.landingZonesCorp, string(length(parLandingZonesCorpMgSubs)), deployment().name)}', 64)
+ modLandingZonesOnlineMgSubPlacement: take('modLandingZonesOnlineMgSubPlacement-${uniqueString(varMgIds.landingZonesOnline, string(length(parLandingZonesOnlineMgSubs)), deployment().name)}', 64)
+ modLandingZonesConfidentialCorpMgSubPlacement: take('modLandingZonesConfidentialCorpMgSubPlacement-${uniqueString(varMgIds.landingZonesConfidentialCorp, string(length(parLandingZonesConfidentialCorpMgSubs)), deployment().name)}', 64)
+ modLandingZonesConfidentialOnlineMgSubPlacement: take('modLandingZonesConfidentialOnlineMgSubPlacement-${uniqueString(varMgIds.landingZonesConfidentialOnline, string(length(parLandingZonesConfidentialOnlineMgSubs)), deployment().name)}', 64)
+ modDecommissionedMgSubPlacement: take('modDecommissionedMgSubPlacement-${uniqueString(varMgIds.decommissioned, string(length(parDecommissionedMgSubs)), deployment().name)}', 64)
+ modSandboxMgSubPlacement: take('modSandboxMgSubPlacement-${uniqueString(varMgIds.sandbox, string(length(parSandboxMgSubs)), deployment().name)}', 64)
+}
+
+// Customer Usage Attribution Id
+var varCuaid = 'bb800623-86ff-4ab4-8901-93c2b70967ae'
+
+module modIntRootMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parIntRootMgSubs)) {
+ name: varDeploymentNames.modIntRootMgSubPlacement
+ scope: managementGroup(varMgIds.intRoot)
+ params: {
+ parTargetManagementGroupId: varMgIds.intRoot
+ parSubscriptionIds: parIntRootMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Platform Management Groups
+module modPlatformMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parPlatformMgSubs)) {
+ name: varDeploymentNames.modPlatformMgSubPlacement
+ scope: managementGroup(varMgIds.platform)
+ params: {
+ parTargetManagementGroupId: varMgIds.platform
+ parSubscriptionIds: parPlatformMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modPlatformManagementMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parPlatformManagementMgSubs)) {
+ name: varDeploymentNames.modPlatformManagementMgSubPlacement
+ scope: managementGroup(varMgIds.platformManagement)
+ params: {
+ parTargetManagementGroupId: varMgIds.platformManagement
+ parSubscriptionIds: parPlatformManagementMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modplatformConnectivityMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parPlatformConnectivityMgSubs)) {
+ name: varDeploymentNames.modPlatformConnectivityMgSubPlacement
+ scope: managementGroup(varMgIds.platformConnectivity)
+ params: {
+ parTargetManagementGroupId: varMgIds.platformConnectivity
+ parSubscriptionIds: parPlatformConnectivityMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modplatformIdentityMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parPlatformIdentityMgSubs)) {
+ name: varDeploymentNames.modPlatformIdentityMgSubPlacement
+ scope: managementGroup(varMgIds.platformIdentity)
+ params: {
+ parTargetManagementGroupId: varMgIds.platformIdentity
+ parSubscriptionIds: parPlatformIdentityMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Custom Children Platform Management Groups
+module modPlatformMgChildrenSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = [for mg in items(parPlatformMgChildrenSubs): if (!empty(parPlatformMgChildrenSubs)) {
+ name: take('modPlatformMgChildrenSubPlacement-${uniqueString(mg.key, string(length(mg.value.subscriptions)), deployment().name)}', 64)
+ scope: managementGroup('${parTopLevelManagementGroupPrefix}-platform-${mg.key}${parTopLevelManagementGroupSuffix}')
+ params: {
+ parTargetManagementGroupId: '${parTopLevelManagementGroupPrefix}-platform-${mg.key}${parTopLevelManagementGroupSuffix}'
+ parSubscriptionIds: mg.value.subscriptions
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Landing Zone Management Groups
+module modLandingZonesMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parLandingZonesMgSubs)) {
+ name: varDeploymentNames.modLandingZonesMgSubPlacement
+ scope: managementGroup(varMgIds.landingZones)
+ params: {
+ parTargetManagementGroupId: varMgIds.landingZones
+ parSubscriptionIds: parLandingZonesMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modLandingZonesCorpMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parLandingZonesCorpMgSubs)) {
+ name: varDeploymentNames.modLandingZonesCorpMgSubPlacement
+ scope: managementGroup(varMgIds.landingZonesCorp)
+ params: {
+ parTargetManagementGroupId: varMgIds.landingZonesCorp
+ parSubscriptionIds: parLandingZonesCorpMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modLandingZonesOnlineMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parLandingZonesOnlineMgSubs)) {
+ name: varDeploymentNames.modLandingZonesOnlineMgSubPlacement
+ scope: managementGroup(varMgIds.landingZonesOnline)
+ params: {
+ parTargetManagementGroupId: varMgIds.landingZonesOnline
+ parSubscriptionIds: parLandingZonesOnlineMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Confidential Landing Zone Management Groups
+module modLandingZonesConfidentialCorpMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parLandingZonesConfidentialCorpMgSubs)) {
+ name: varDeploymentNames.modLandingZonesConfidentialCorpMgSubPlacement
+ scope: managementGroup(varMgIds.landingZonesConfidentialCorp)
+ params: {
+ parTargetManagementGroupId: varMgIds.landingZonesConfidentialCorp
+ parSubscriptionIds: parLandingZonesConfidentialCorpMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modLandingZonesConfidentialOnlineMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parLandingZonesConfidentialOnlineMgSubs)) {
+ name: varDeploymentNames.modLandingZonesConfidentialOnlineMgSubPlacement
+ scope: managementGroup(varMgIds.landingZonesConfidentialOnline)
+ params: {
+ parTargetManagementGroupId: varMgIds.landingZonesConfidentialOnline
+ parSubscriptionIds: parLandingZonesConfidentialOnlineMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Custom Children Landing Zone Management Groups
+module modLandingZonesMgChildrenSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = [for mg in items(parLandingZoneMgChildrenSubs): if (!empty(parLandingZoneMgChildrenSubs)) {
+ name: take('modLandingZonesMgChildrenSubPlacement-${uniqueString(mg.key, string(length(mg.value.subscriptions)), deployment().name)}', 64)
+ scope: managementGroup('${parTopLevelManagementGroupPrefix}-landingzones-${mg.key}${parTopLevelManagementGroupSuffix}')
+ params: {
+ parTargetManagementGroupId: '${parTopLevelManagementGroupPrefix}-landingzones-${mg.key}${parTopLevelManagementGroupSuffix}'
+ parSubscriptionIds: mg.value.subscriptions
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Decommissioned Management Group
+module modDecommissionedMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parDecommissionedMgSubs)) {
+ name: varDeploymentNames.modDecommissionedMgSubPlacement
+ scope: managementGroup(varMgIds.decommissioned)
+ params: {
+ parTargetManagementGroupId: varMgIds.decommissioned
+ parSubscriptionIds: parDecommissionedMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Sandbox Management Group
+module modSandboxMgSubPlacement '../../modules/subscriptionPlacement/subscriptionPlacement.bicep' = if (!empty(parSandboxMgSubs)) {
+ name: varDeploymentNames.modSandboxMgSubPlacement
+ scope: managementGroup(varMgIds.sandbox)
+ params: {
+ parTargetManagementGroupId: varMgIds.sandbox
+ parSubscriptionIds: parSandboxMgSubs
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
diff --git a/dependencies/scripts/Get-AlzBicepResourceTypes.ps1 b/dependencies/scripts/Get-AlzBicepResourceTypes.ps1
new file mode 100644
index 00000000..1b0f6fd0
--- /dev/null
+++ b/dependencies/scripts/Get-AlzBicepResourceTypes.ps1
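Review bot: The two looped modules (`modPlatformMgChildrenSubPlacement`, `modLandingZonesMgChildrenSubPlacement`) guard on `!empty(parPlatformMgChildrenSubs)` / `!empty(parLandingZoneMgChildrenSubs)`, which is always true inside the loop because `items({})` produces no iterations, and they then read `mg.value.subscriptions` unconditionally; every other placement module in this file skips itself when its subscription array is empty, so the loop filter should mirror that with `if (!empty(mg.value.subscriptions))` (or `contains(mg.value, 'subscriptions') && !empty(mg.value.subscriptions)` if a missing property should be tolerated rather than fail the deployment). The `@sys.description` on `parPlatformMgChildrenSubs` and `parLandingZoneMgChildrenSubs` never states the expected shape, yet a key without a `subscriptions` property fails at deploy time; append to both something like `Expected shape: { <childName>: { subscriptions: [ '<subscriptionId>', ... ] } } — <childName> is appended to '<prefix>-platform-' / '<prefix>-landingzones-' to form the target Management Group ID`. Separately, `modplatformConnectivityMgSubPlacement` and `modplatformIdentityMgSubPlacement` use a lowercase `p` while their `varDeploymentNames` keys and every sibling use `modPlatform…`; rename them to `modPlatformConnectivityMgSubPlacement` and `modPlatformIdentityMgSubPlacement`.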
@@ -0,0 +1,32 @@
+Get-ChildItem -Path '.\infra-as-code\bicep\modules' -Recurse -Filter '*.bicep' -Exclude 'callModuleFromACR.example.bicep', 'orchHubSpoke.bicep' | ForEach-Object {
+ Write-Information "==> Attempting Bicep Build For File: $_" -InformationAction Continue
+ $output = bicep build $_.FullName 2>&1
+ if ($LastExitCode -ne 0) {
+ throw $output
+ }
+ Else {
+ Write-Output $output
+ }
+}
+
+$resourceTypesFullList = @{}
+
+Get-ChildItem -Path '.\infra-as-code\bicep\modules' -Recurse -Filter '*.json' -Exclude 'callModuleFromACR.example.json', 'orchHubSpoke.json', '*parameters*.json', 'bicepconfig.json', '*policy_*.json' | ForEach-Object {
+ Write-Information "==> Reading Built ARM Template JSON File: $_" -InformationAction Continue
+ $armTemplate = Get-Content $_.FullName | ConvertFrom-Json -Depth 100
+ $armResourceTypes = $armTemplate.Resources
+ $armResourceTypes | ForEach-Object {
+ if (!$resourceTypesFullList.ContainsKey($_.Type)) {
+ $resourceTypesFullList.Add($_.Type, 1)
+ }
+ else {
+ $resourceTypesFullList[$_.Type] += 1
+ }
+ }
+}
+
+Write-Information "==> Remove nested deployments resource type" -InformationAction Continue
+$resourceTypesFullList.Remove('Microsoft.Resources/Deployments')
+
+Write-Information "==> List of resource types in ALZ-Bicep modules" -InformationAction Continue
+$resourceTypesFullList.Keys | Sort-Object
diff --git a/dependencies/scripts/Invoke-GitHubReleaseFetcher.ps1 b/dependencies/scripts/Invoke-GitHubReleaseFetcher.ps1
new file mode 100644
index 00000000..7d73a425
--- /dev/null
+++ b/dependencies/scripts/Invoke-GitHubReleaseFetcher.ps1
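Review bot: Both `Get-ChildItem` calls hard-code the relative path `.\infra-as-code\bicep\modules`, so the script only works when run from a directory that contains that tree, which nothing in the file states even though it lives under `dependencies/scripts/`; add a header such as `# Run from the root of an ALZ-Bicep checkout: both Get-ChildItem paths below are relative to the current directory` or, better, take the root as a `[string]$ModulesPath` parameter with that value as default. `$armTemplate.Resources` and `$_.Type` assume every built template emits `resources` as an array of objects with a `type` property, which holds for the output of `bicep build` seen here but is worth a one-line comment next to the second loop since the script silently counts nothing if that shape ever changes. `Else` in the first loop should be lowercase `else` to match the second loop.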
@@ -0,0 +1,206 @@
+####################################
+# Invoke-GitHubReleaseFetcher.ps1 #
+####################################
+# Version: 1.2.0
+# Last Modified: 26/10/2022
+# Author: Jack Tracey
+# Source: https://github.com/jtracey93/PublicScripts/blob/master/GitHub/PowerShell/Invoke-GitHubReleaseFetcher.ps1
+
+<#
+.SYNOPSIS
+Checks for the releases of a GitHub repository and downloads the latest release or all releases and pulls it into a specified directory, one for each version.
+.DESCRIPTION
+Checks for the releases of a GitHub repository and downloads the latest release or all releases and pulls it into a specified directory, one for each version.
+
+.EXAMPLE
+# Sync only latest release to PWD and keep only "version.json" file and "infra-as-code" directory (recursively)
+$keepThese = @("version.json", "infra-as-code")
+./Invoke-GitHubReleaseFetcher.ps1 -githubRepoUrl "https://github.com/Azure/ALZ-Bicep" -directoryAndFilesToKeep $keepThese
+
+# Sync only all releases to PWD and keep only "version.json" file and "infra-as-code" directory (recursively)
+$keepThese = @("version.json", "infra-as-code")
+./Invoke-GitHubReleaseFetcher.ps1 -githubRepoUrl "https://github.com/Azure/ALZ-Bicep" -syncAllReleases:$true -directoryAndFilesToKeep $keepThese
+
+.NOTES
+# Release notes 25/10/2021 - V1.0.0:
+- Initial release.
+
+# Release notes 26/10/2021 - V1.1.0:
+- Add support to move all extracted contents to release directories if $directoryAndFilesToKeep is not specified or is a empty array (which is the default).
+
+# Release notes 30/10/2021 - V1.2.0:
+- Add missing if condition to stop all files being added regardless of what is passed into `directoryAndFilesToKeep`.
+#>
+
+# Check for pre-reqs
+#Requires -PSEdition Core
+
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "", Justification = "Required for colour outputs")]
+
+[CmdletBinding()]
+param (
+ #Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
+ [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the provide the full URL of the GitHub repository you wish to check for the latest release.")]
+ [string]
+ $githubRepoUrl,
+
+ [Parameter(Mandatory = $false, Position = 2, HelpMessage = "Sync all releases from the specified GitHub repository. Defaults to false.")]
+ [bool]
+ $syncAllReleases = $false,
+
+ [Parameter(Mandatory = $false, Position = 3, HelpMessage = "The directory to download the releases to. Defaults to the current directory.")]
+ [string]
+ $directoryForReleases = "$PWD/releases",
+
+ [Parameter(Mandatory = $false, Position = 4, HelpMessage = "An array of strings contianing the paths to the directories or files that you wish to keep when downloading and extracting from the releases.")]
+ [array]
+ $directoryAndFilesToKeep = @()
+)
+
+# Start timer
+$StopWatch = New-Object -TypeName System.Diagnostics.Stopwatch
+$StopWatch.Start()
+
+# Split Repo URL into parts
+$repoOrgPlusRepo = $githubRepoUrl.Split("/")[-2..-1] -join "/"
+
+# Get releases on repo
+$repoReleasesUrl = "https://api.github.com/repos/$repoOrgPlusRepo/releases"
+$allRepoReleases = Invoke-RestMethod $repoReleasesUrl
+
+Write-Host ""
+Write-Host "=====> Checking for releases on GitHub Repo: $repoOrgPlusRepo" -ForegroundColor Cyan
+Write-Host ""
+Write-Host "=====> All available releases on GitHub Repo: $repoOrgPlusRepo" -ForegroundColor Cyan
+$allRepoReleases | Select-Object name, tag_name, published_at, prerelease, draft, html_url | Format-Table -AutoSize
+
+# Get latest release on repo
+$latestRepoRelease = $allRepoReleases | Where-Object { $_.prerelease -eq $false } | Where-Object { $_.draft -eq $false } | Sort-Object -Descending published_at | Select-Object -First 1
+
+Write-Host ""
+Write-Host "=====> Latest available release on GitHub Repo: $repoOrgPlusRepo" -ForegroundColor Cyan
+$latestRepoRelease | Select-Object name, tag_name, published_at, prerelease, draft, html_url | Format-Table -AutoSize
+
+# Check if directory exists
+Write-Host ""
+Write-Host "=====> Checking if directory for releases exists: $directoryForReleases" -ForegroundColor Cyan
+
+if (!(Test-Path $directoryForReleases)) {
+ Write-Host ""
+ Write-Host "Directory does not exist for releases, will now create: $directoryForReleases" -ForegroundColor Yellow
+ New-Item -ItemType Directory -Path $directoryForReleases
+}
+
+# Pull all releases into directories
+if ($syncAllReleases -eq $true) {
+ Write-Host ""
+ Write-Host "=====> Syncing all releases of $repoOrgPlusRepo into $directoryForReleases" -ForegroundColor Cyan
+
+ foreach ($release in $allRepoReleases) {
+ $releaseDirectory = "$directoryForReleases/$($release.tag_name)"
+
+ Write-Host ""
+ Write-Host "===> Checking if directory for release version exists: $releaseDirectory" -ForegroundColor Cyan
+
+ if (!(Test-Path $releaseDirectory)) {
+ Write-Host ""
+ Write-Host "Directory does not exist for release $($release.tag_name), will now create: $releaseDirectory" -ForegroundColor Yellow
+ New-Item -ItemType Directory -Path $releaseDirectory
+ }
+
+ Write-Host ""
+ Write-Host "===> Checking if any content exists inside of $releaseDirectory" -ForegroundColor Cyan
+
+ $contentInReleaseDirectory = Get-ChildItem -Path $releaseDirectory -Recurse -ErrorAction SilentlyContinue
+
+ if ($null -eq $contentInReleaseDirectory) {
+ Write-Host ""
+ Write-Host "===> Pulling and extracting release $($release.tag_name) into $releaseDirectory" -ForegroundColor Cyan
+ New-Item -ItemType Directory -Path "$releaseDirectory/tmp"
+ Invoke-WebRequest -Uri "https://github.com/$repoOrgPlusRepo/archive/refs/tags/$($release.tag_name).zip" -OutFile "$releaseDirectory/tmp/$($release.tag_name).zip"
+ Expand-Archive -Path "$releaseDirectory/tmp/$($release.tag_name).zip" -DestinationPath "$releaseDirectory/tmp/extracted"
+ $extractedSubFolder = Get-ChildItem -Path "$releaseDirectory/tmp/extracted" -Directory
+
+ if ($null -ne $directoryAndFilesToKeep) {
+ foreach ($path in $directoryAndFilesToKeep) {
+ Write-Host ""
+ Write-Host "===> Moving $path into $releaseDirectory." -ForegroundColor Cyan
+
+
+ Move-Item -Path "$($extractedSubFolder.FullName)/$($path)" -Destination "$releaseDirectory" -ErrorAction SilentlyContinue
+ }
+ }
+
+ if ($null -eq $directoryAndFilesToKeep) {
+ Write-Host ""
+ Write-Host "===> Moving all extracted contents into $releaseDirectory." -ForegroundColor Cyan
+ Move-Item -Path "$($extractedSubFolder.FullName)/*" -Destination "$releaseDirectory" -ErrorAction SilentlyContinue
+ }
+
+ Remove-Item -Path "$releaseDirectory/tmp" -Force -Recurse
+
+ }
+ else {
+ Write-Host ""
+ Write-Host "===> Content already exists in $releaseDirectory. Skipping" -ForegroundColor Yellow
+ }
+ }
+}
+
+if ($syncAllReleases -eq $false) {
+ Write-Host ""
+ Write-Host "=====> Syncing latest release $($latestRepoRelease.tag_name) only of $repoOrgPlusRepo into $directoryForReleases" -ForegroundColor Cyan
+
+ $releaseDirectory = "$directoryForReleases/$($latestRepoRelease.tag_name)"
+
+ Write-Host ""
+ Write-Host "===> Checking if directory for release version exists: $releaseDirectory" -ForegroundColor Cyan
+
+ if (!(Test-Path $releaseDirectory)) {
+ Write-Host ""
+ Write-Host "Directory does not exist for release $($latestRepoRelease.tag_name), will now create: $releaseDirectory" -ForegroundColor Yellow
+ New-Item -ItemType Directory -Path $releaseDirectory
+ }
+
+ Write-Host ""
+ Write-Host "===> Checking if any content exists inside of $releaseDirectory" -ForegroundColor Cyan
+
+ $contentInReleaseDirectory = Get-ChildItem -Path $releaseDirectory -Recurse -ErrorAction SilentlyContinue
+
+ if ($null -eq $contentInReleaseDirectory) {
+ Write-Host ""
+ Write-Host "===> Pulling and extracting release $($latestRepoRelease.tag_name) into $releaseDirectory" -ForegroundColor Cyan
+ New-Item -ItemType Directory -Path "$releaseDirectory/tmp"
+ Invoke-WebRequest -Uri "https://github.com/$repoOrgPlusRepo/archive/refs/tags/$($latestRepoRelease.tag_name).zip" -OutFile "$releaseDirectory/tmp/$($latestRepoRelease.tag_name).zip"
+ Expand-Archive -Path "$releaseDirectory/tmp/$($latestRepoRelease.tag_name).zip" -DestinationPath "$releaseDirectory/tmp/extracted"
+ $extractedSubFolder = Get-ChildItem -Path "$releaseDirectory/tmp/extracted" -Directory
+
+ if ($null -ne $directoryAndFilesToKeep) {
+ foreach ($path in $directoryAndFilesToKeep) {
+ Write-Host ""
+ Write-Host "===> Moving $path into $releaseDirectory." -ForegroundColor Cyan
+ Move-Item -Path "$($extractedSubFolder.FullName)/$($path)" -Destination "$releaseDirectory" #-ErrorAction SilentlyContinue
+ }
+ }
+
+ if ($null -eq $directoryAndFilesToKeep) {
+ Write-Host ""
+ Write-Host "===> Moving all extracted contents into $releaseDirectory." -ForegroundColor Cyan
+ Move-Item -Path "$($extractedSubFolder.FullName)/*" -Destination "$releaseDirectory" -ErrorAction SilentlyContinue
+ }
+
+ Remove-Item -Path "$releaseDirectory/tmp" -Force -Recurse
+
+ }
+ else {
+ Write-Host ""
+ Write-Host "===> Content already exists in $releaseDirectory. Skipping" -ForegroundColor Yellow
+ }
+}
+
+# Stop timer
+$StopWatch.Stop()
+
+# Display timer output as table
+Write-Host "Time taken to complete task:" -ForegroundColor Yellow
+$StopWatch.Elapsed | Format-Table
diff --git a/dependencies/scripts/Invoke-LibraryUpdate-China.ps1 b/dependencies/scripts/Invoke-LibraryUpdate-China.ps1
new file mode 100644
index 00000000..12aa523f
--- /dev/null
+++ b/dependencies/scripts/Invoke-LibraryUpdate-China.ps1
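Review bot: With the default `$directoryAndFilesToKeep = @()` neither branch after `Expand-Archive` moves anything, because an empty array is not `$null`: `if ($null -ne $directoryAndFilesToKeep)` is true and iterates zero times, `if ($null -eq $directoryAndFilesToKeep)` is false, and `Remove-Item "$releaseDirectory/tmp"` then leaves an empty release directory — the opposite of what the V1.1.0 release note in the header promises. In both the all-releases and latest-release blocks the guards should become `if ($directoryAndFilesToKeep.Count -gt 0) {` with the second `if` replaced by `else {`. The archive fetched from `https://github.com/$repoOrgPlusRepo/archive/refs/tags/<tag>.zip` is extracted and copied into the tree with no integrity check and a tag is a mutable reference; since this script is what vendors upstream content into the repository, it should at least record the commit each tag resolved to next to the extracted files, and ideally compare the download against an expected digest supplied by the caller. `Invoke-RestMethod $repoReleasesUrl` reads only the first page of the releases API (30 entries by default), so both `-syncAllReleases` and the computed "latest" are limited to that page; document this or request `?per_page=100` and follow the `Link` header. Finally, the all-releases branch moves kept paths with `-ErrorAction SilentlyContinue` while the latest-release branch has that switch commented out, so a requested path missing from a release is silently skipped in one mode and reported in the other; pick one behaviour, and reporting is the safer choice for a vendoring step.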
@@ -0,0 +1,122 @@
+#!/usr/bin/pwsh
+
+#
+# PowerShell Script
+# - Update template library for Azure China in terraform-azurerm-caf-enterprise-scale repository
+#
+# Valid object schema for Export-LibraryArtifact function loop:
+#
+# @{
+# inputPath = [String]
+# inputFilter = [String]
+# typeFilter = [String[]]
+# outputPath = [String]
+# fileNamePrefix = [String]
+# fileNameSuffix = [String]
+# asTemplate = [Boolean]
+# recurse = [Boolean]
+# whatIf = [Boolean]
+# }
+#
+
+[CmdletBinding(SupportsShouldProcess)]
+param (
+ [Parameter()][String]$AlzToolsPath = "$PWD/enterprise-scale/src/Alz.Tools",
+ [Parameter()][String]$TargetPath = "$PWD/ALZ-Bicep",
+ [Parameter()][String]$SourcePath = "$PWD/enterprise-scale",
+ [Parameter()][String]$LineEnding = "unix",
+ [Parameter()][Switch]$Reset,
+ [Parameter()][Switch]$UpdateProviderApiVersions
+)
+
+$ErrorActionPreference = "Stop"
+
+# This script relies on a custom set of classes and functions
+# defined within the EnterpriseScaleLibraryTools PowerShell
+# module.
+Import-Module $AlzToolsPath -ErrorAction Stop
+
+# To avoid needing to authenticate with Azure, the following
+# code will preload the ProviderApiVersions cache from a
+# stored state in the module if the UseCacheFromModule flag
+# is set and the ProviderApiVersions.zip file is present.
+if (!$UpdateProviderApiVersions -and (Test-Path "$AlzToolsPath/ProviderApiVersions.zip")) {
+ Write-Information "Pre-loading ProviderApiVersions from saved cache." -InformationAction Continue
+ Invoke-UseCacheFromModule($AlzToolsPath)
+}
+
+# The defaultConfig object provides a set of default values
+# to reduce verbosity within the esltConfig object.
+$defaultConfig = @{
+ inputFilter = "*.json"
+ resourceTypeFilter = @()
+ outputPath = $TargetPath + "/infra-as-code/bicep/modules/policy/definitions/lib/china"
+ fileNamePrefix = ""
+ fileNameSuffix = ".json"
+ exportFormat = "Bicep"
+ recurse = $false
+}
+
+# File locations from Enterprise-scale repository for
+# resources, organised by type
+$policyDefinitionFilePaths = (
+ Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policyDefinitions/*" `
+ -File `
+ -Include "*.json", "*.AzureChinaCloud.json" `
+ -Exclude "*.AzureUSGovernment.json"
+).FullName
+$policySetDefinitionFilePaths = (
+ Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policySetDefinitions/*" `
+ -File `
+ -Include "*.json", "*.AzureChinaCloud.json" `
+ -Exclude "*.AzureUSGovernment.json"
+).FullName
+# The exportConfig array controls the foreach loop used to run
+# Export-LibraryArtifact. Each object provides a set of values
+# used to configure each run of Export-LibraryArtifact within
+# the loop. If a value needed by Export-LibraryArtifact is
+# missing, it will use the default value specified in the
+# defaultConfig object.
+$exportConfig = @()
+# Add Policy Definition source files to $esltConfig
+$exportConfig += $policyDefinitionFilePaths | ForEach-Object {
+ [PsCustomObject]@{
+ inputPath = $_
+ resourceTypeFilter = "Microsoft.Authorization/policyDefinitions"
+ fileNamePrefix = "policy_definitions/policy_definition_es_mc_"
+ }
+}
+# Add Policy Set Definition source files to $esltConfig
+$exportConfig += $policySetDefinitionFilePaths | ForEach-Object {
+ [PsCustomObject]@{
+ inputPath = $_
+ resourceTypeFilter = "Microsoft.Authorization/policySetDefinitions"
+ fileNamePrefix = "policy_set_definitions/policy_set_definition_es_mc_"
+ fileNameSuffix = ".json"
+ }
+}
+
+# If the -Reset parameter is set, delete all existing
+# artefacts (by resource type) from the library
+if ($Reset) {
+ Write-Information "Deleting existing Policy Definitions from library." -InformationAction Continue
+ Remove-Item -Path "$TargetPath/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/" -Recurse -Force
+ Write-Information "Deleting existing Policy Set Definitions from library." -InformationAction Continue
+ Remove-Item -Path "$TargetPath/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/" -Recurse -Force
+}
+
+# Process the files added to $exportConfig, to add content
+# to the library
+foreach ($config in $exportConfig) {
+ Export-LibraryArtifact `
+ -InputPath ($config.inputPath ?? $defaultConfig.inputPath) `
+ -InputFilter ($config.inputFilter ?? $defaultConfig.inputFilter) `
+ -ResourceTypeFilter ($config.resourceTypeFilter ?? $defaultConfig.resourceTypeFilter) `
+ -OutputPath ($config.outputPath ?? $defaultConfig.outputPath) `
+ -FileNamePrefix ($config.fileNamePrefix ?? $defaultConfig.fileNamePrefix) `
+ -FileNameSuffix ($config.fileNameSuffix ?? $defaultConfig.fileNameSuffix) `
+ -ExportFormat:($config.exportFormat ?? $defaultConfig.exportFormat) `
+ -Recurse:($config.recurse ?? $defaultConfig.recurse) `
+ -LineEnding $LineEnding `
+ -WhatIf:$WhatIfPreference
+}
diff --git a/dependencies/scripts/Invoke-LibraryUpdate.ps1 b/dependencies/scripts/Invoke-LibraryUpdate.ps1
new file mode 100644
index 00000000..6c81568c
--- /dev/null
+++ b/dependencies/scripts/Invoke-LibraryUpdate.ps1
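Review bot: The header comment's schema (`typeFilter`, `asTemplate`, `whatIf`) no longer matches what the `foreach` at the bottom passes to `Export-LibraryArtifact` (`resourceTypeFilter`, `exportFormat`, `recurse`, plus `-LineEnding` and `-WhatIf` taken from script state), and its first line still says the target is the `terraform-azurerm-caf-enterprise-scale` repository although `$TargetPath` defaults to `$PWD/ALZ-Bicep` and the output is a Bicep policy library; rewrite the schema block to list the keys the loop actually reads (`inputPath`, `inputFilter`, `resourceTypeFilter`, `outputPath`, `fileNamePrefix`, `fileNameSuffix`, `exportFormat`, `recurse`). The comments `# to reduce verbosity within the esltConfig object.` and `# Add Policy Definition source files to $esltConfig` name a variable that does not exist in this script; the array is `$exportConfig`, as the `Invoke-LibraryUpdate.ps1` hunk that follows already says. Under `-Reset`, `Remove-Item ... -Recurse -Force` runs with `$ErrorActionPreference = "Stop"`, so on a checkout where `policy_definitions/` or `policy_set_definitions/` does not exist yet the script terminates before exporting anything; wrapping each call in `if (Test-Path $dir) { ... }` keeps the reset idempotent. The same stale header block appears in the `Invoke-LibraryUpdate.ps1` hunk below.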
@@ -0,0 +1,123 @@ +#!/usr/bin/pwsh + +# +# PowerShell Script +# - Update template library in terraform-azurerm-caf-enterprise-scale repository +# +# Valid object schema for Export-LibraryArtifact function loop: +# +# @{ +# inputPath = [String] +# inputFilter = [String] +# typeFilter = [String[]] +# outputPath = [String] +# fileNamePrefix = [String] +# fileNameSuffix = [String] +# asTemplate = [Boolean] +# recurse = [Boolean] +# whatIf = [Boolean] +# } +# + +[CmdletBinding(SupportsShouldProcess)] +param ( + [Parameter()][String]$AlzToolsPath = "$PWD/enterprise-scale/src/Alz.Tools", + [Parameter()][String]$TargetPath = "$PWD/ALZ-Bicep", + [Parameter()][String]$SourcePath = "$PWD/enterprise-scale", + [Parameter()][String]$LineEnding = "unix", + [Parameter()][Switch]$Reset, + [Parameter()][Switch]$UpdateProviderApiVersions +) + +$ErrorActionPreference = "Stop" + +# This script relies on a custom set of classes and functions +# defined within the Alz.Tools PowerShell module. +Import-Module $AlzToolsPath -ErrorAction Stop + +# To avoid needing to authenticate with Azure, the following +# code will preload the ProviderApiVersions cache from a +# stored state in the module if the UseCacheFromModule flag +# is set and the ProviderApiVersions.zip file is present. +if (!$UpdateProviderApiVersions -and (Test-Path "$AlzToolsPath/ProviderApiVersions.zip")) { + Write-Information "Pre-loading ProviderApiVersions from saved cache." -InformationAction Continue + Invoke-UseCacheFromModule($AlzToolsPath) +} + +# The defaultConfig object provides a set of default values +# to reduce verbosity within the exportConfig object. 
+$defaultConfig = @{ + inputFilter = "*.json" + resourceTypeFilter = @() + outputPath = $TargetPath + "/infra-as-code/bicep/modules/policy/definitions/lib" + fileNamePrefix = "" + fileNameSuffix = ".json" + exportFormat = "Bicep" + recurse = $false +} + +# File locations from Enterprise-scale repository for +# resources, organised by type +$policyDefinitionFilePaths = ( + Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policyDefinitions/*" ` + -File ` + -Include "*.json" ` + -Exclude "*.AzureChinaCloud.json", "*.AzureUSGovernment.json" +).FullName +$policySetDefinitionFilePaths = ( + Get-ChildItem -Path "$SourcePath/src/resources/Microsoft.Authorization/policySetDefinitions/*" ` + -File ` + -Include "*.json" ` + -Exclude "*.AzureChinaCloud.json", "*.AzureUSGovernment.json" +).FullName + +# The exportConfig array controls the foreach loop used to run +# Export-LibraryArtifact. Each object provides a set of values +# used to configure each run of Export-LibraryArtifact within +# the loop. If a value needed by Export-LibraryArtifact is +# missing, it will use the default value specified in the +# defaultConfig object. 
+$exportConfig = @() +# Add Policy Definition source files to $exportConfig +$exportConfig += $policyDefinitionFilePaths | +ForEach-Object { + [PsCustomObject]@{ + inputPath = $_ + resourceTypeFilter = "Microsoft.Authorization/policyDefinitions" + fileNamePrefix = "policy_definitions/policy_definition_es_" + } +} +# Add Policy Set Definition source files to $exportConfig +$exportConfig += $policySetDefinitionFilePaths | ForEach-Object { + [PsCustomObject]@{ + inputPath = $_ + resourceTypeFilter = "Microsoft.Authorization/policySetDefinitions" + fileNamePrefix = "policy_set_definitions/policy_set_definition_es_" + fileNameSuffix = ".json" + } +} + +# If the -Reset parameter is set, delete all existing +# artefacts (by resource type) from the library +if ($Reset) { + Write-Information "Deleting existing Policy Definitions from library." -InformationAction Continue + Remove-Item -Path "$TargetPath/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/" -Recurse -Force + Write-Information "Deleting existing Policy Set Definitions from library." -InformationAction Continue + Remove-Item -Path "$TargetPath/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/" -Recurse -Force +} + +# Process the files added to $exportConfig, to add content +# to the library +foreach ($config in $exportConfig) { + Export-LibraryArtifact ` + -InputPath ($config.inputPath ?? $defaultConfig.inputPath) ` + -InputFilter ($config.inputFilter ?? $defaultConfig.inputFilter) ` + -ResourceTypeFilter ($config.resourceTypeFilter ?? $defaultConfig.resourceTypeFilter) ` + -OutputPath ($config.outputPath ?? $defaultConfig.outputPath) ` + -FileNamePrefix ($config.fileNamePrefix ?? $defaultConfig.fileNamePrefix) ` + -FileNameSuffix ($config.fileNameSuffix ?? $defaultConfig.fileNameSuffix) ` + -ExportFormat:($config.exportFormat ?? $defaultConfig.exportFormat) ` + -Recurse:($config.recurse ?? 
$defaultConfig.recurse) ` + -LineEnding $LineEnding ` + -WhatIf:$WhatIfPreference +} diff --git a/dependencies/scripts/Invoke-PolicyToBicep-China.ps1 b/dependencies/scripts/Invoke-PolicyToBicep-China.ps1 new file mode 100644 index 00000000..e629ee58 --- /dev/null +++ b/dependencies/scripts/Invoke-PolicyToBicep-China.ps1 
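Review bot: Because the script sets `$ErrorActionPreference = "Stop"`, the two `Remove-Item -Recurse -Force` calls in the `-Reset` branch terminate the run when the `policy_definitions` or `policy_set_definitions` folder does not yet exist under `$TargetPath`, so a first-time reset against an empty library aborts before `Export-LibraryArtifact` is reached; guard each one, e.g. `if (Test-Path $defsDir) { Remove-Item -Path $defsDir -Recurse -Force }` with `$defsDir` holding the full folder path. The schema comment in the header lists `typeFilter`, `asTemplate` and `whatIf`, but the loop actually reads `resourceTypeFilter`, `exportFormat` and `recurse` and passes `-WhatIf:$WhatIfPreference`, so that comment should name the keys the loop consumes. Separately, if a source folder exists but contains no matching files, `(Get-ChildItem ...).FullName` yields `$null`, and `$null | ForEach-Object` still runs the block once (a known PowerShell quirk), producing one config whose `inputPath` is `$null`; filtering with `@($policyDefinitionFilePaths) | Where-Object { $_ } | ForEach-Object { ... }` avoids handing that to `Export-LibraryArtifact`.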
@@ -0,0 +1,293 @@ +<# +SUMMARY: This PowerShell script helps with the authoring of the policy definiton module for Azure China by outputting information required for the variables within the module. +DESCRIPTION: This PowerShell script outputs the Name & Path to a Bicep structured .txt file named '_mc_policyDefinitionsBicepInput.txt' (defintionsTxtFileName) and '_mc_policySetDefinitionsBicepInput.txt' (defintionsSetTxtFileName) respectively. It also creates a parameters file for each of the policy set definitions. It also outputs the number of policy and policy set definition files to the console for easier reviewing as part of the PR process. +AUTHOR/S: faister, jtracey93, seseicht +VERSION: 2.0.0 +#> +[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "", Justification = "False Positive")] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseBOMForUnicodeEncodedFile", "", Justification = "False Positive")] + +[CmdletBinding(SupportsShouldProcess)] +param ( + [Parameter()] + [string] + $rootPath = "./infra-as-code/bicep/modules/policy", + [string] + $alzToolsPath = "$PWD/../Enterprise-Scale/src/Alz.Tools", + [string] + $definitionsRoot = "definitions", + [string] + $lineEnding = "unix", + [string] + $definitionsPath = "lib/china/policy_definitions", + [string] + $definitionsLongPath = "$definitionsRoot/$definitionsPath", + [string] + $definitionsSetPath = "lib/china/policy_set_definitions", + [string] + $definitionsSetLongPath = "$definitionsRoot/$definitionsSetPath", + [string] + $assignmentsRoot = "assignments", + [string] + $assignmentsPath = "lib/china/policy_assignments", + [string] + $assignmentsLongPath = "$assignmentsRoot/$assignmentsPath", + [string] + $defintionsTxtFileName = "_mc_policyDefinitionsBicepInput.txt", + [string] + $defintionsSetTxtFileName = "_mc_policySetDefinitionsBicepInput.txt", + [string] + $assignmentsTxtFileName = "_mc_policyAssignmentsBicepInput.txt", + [array] + 
$excludedPolicySetChildDefinitionsReferenceIds = @("AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics", "defenderForSqlServerVirtualMachines", "defenderForOssDb", "defenderForCosmosDbs", "defenderForAppServices", "defenderForStorageAccounts", "defenderForKeyVaults") +) + +# This script relies on a custom set of classes and functions +# defined within the Alz.Tools PowerShell module. +Import-Module $alzToolsPath -ErrorAction Stop + +# Line Endings function to be used in three functions below +function Update-FileLineEndingType { + [CmdletBinding(SupportsShouldProcess)] + param( + [string] + $filePath + ) + + (Get-Content $filePath | Edit-LineEndings -LineEnding $LineEnding) | Out-File $filePath +} + +#region Policy Definitions +function New-PolicyDefinitionsBicepInputTxtFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + Write-Information "====> Creating/Emptying '$defintionsTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Value $null -Encoding "utf8" + + Write-Information "====> Looping Through Policy Definitions:" -InformationAction Continue + Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + + $policyDefinitionName = $policyDef.name + $fileName = $_.Name + $policyDefMetadataAlzCloudEnvironments = $policyDef.properties.metadata.alzCloudEnvironments + + if ($policyDefMetadataAlzCloudEnvironments -contains "AzureChinaCloud") { + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Encoding "utf8" -Value "{`r`n`tname: '$policyDefinitionName'`r`n`tlibDefinition: loadJsonContent('$definitionsPath/$fileName')`r`n}" + } + else { + Write-Information "==> Skipping '$policyDefinitionName' as metadata 'alzCloudEnvironments' does not 
contain 'AzureChinaCloud'" -InformationAction Continue + } + + } + + Write-Information "====> Running '$defintionsTxtFileName' through Line Endings" -InformationAction Continue + Update-FileLineEndingType -filePath "$rootPath/$definitionsLongPath/$defintionsTxtFileName" + + $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Definitions Total: $policyDefCountString" -InformationAction Continue +} +#endregion + +#region Policy Set Definitions +function New-PolicySetDefinitionsBicepInputTxtFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + Write-Information "====> Creating/Emptying '$defintionsSetTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value $null -Encoding "utf8" + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value "var varCustomPolicySetDefinitionsArray = [" -Encoding "utf8" + + Write-Information "====> Looping Through Policy Set/Initiative Definition:" -InformationAction Continue + + $policySetDefParamVarList = @() + + Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + + # Load child Policy Set/Initiative Definitions + $policyDefinitions = $policyDef.properties.policyDefinitions | Sort-Object -Property policyDefinitionReferenceId + + $policyDefinitionName = $policyDef.name + $fileName = $_.Name + + $policyDefMetadataAlzCloudEnvironments = $policyDef.properties.metadata.alzCloudEnvironments + + if ($policyDefMetadataAlzCloudEnvironments -contains "AzureChinaCloud") { + + # Construct file name for Policy Set/Initiative Definitions parameters files + $parametersFileName = $fileName.Substring(0, $fileName.Length - 5) + ".parameters.json" + + # Create 
Policy Set/Initiative Definitions parameter file + Write-Information "==> Creating/Emptying '$parametersFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value $null -Encoding "utf8" + + # Loop through all Policy Set/Initiative Definitions Child Definitions and create parameters file for each of them + [System.Collections.Hashtable]$definitionParametersOutputJSONObject = [ordered]@{} + $policyDefinitions | Sort-Object | ForEach-Object { + $definitionReferenceId = $_.policyDefinitionReferenceId + $definitionParameters = $_.parameters + + if ($definitionReferenceId -notin $excludedPolicySetChildDefinitionsReferenceIds) { + + if ($definitionParameters) { + $definitionParameters | Sort-Object | ForEach-Object { + [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", $_) + } + } + else { + [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", @{}) + } + + $definitionParametersOutputJSONObject.Add("$definitionReferenceId", $definitionParametersOutputArray) + } + else { + Write-Information "==> Skipping '$definitionReferenceId' as it is in the excluded list" -InformationAction Continue + } + } + + Write-Information "==> Adding parameters to '$parametersFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObject | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Sort parameters file alphabetically to remove false git diffs + Write-Information "==> Sorting parameters file '$parametersFileName' alphabetically" -InformationAction Continue + $definitionParametersOutputJSONObjectSorted = New-Object PSCustomObject + Get-Content -Raw -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" | ConvertFrom-Json -pv fromPipe -Depth 10 | + Get-Member -Type 
NoteProperty | Sort-Object Name | ForEach-Object { + Add-Member -InputObject $definitionParametersOutputJSONObjectSorted -Type NoteProperty -Name $_.Name -Value $fromPipe.$($_.Name) + } + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObjectSorted | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Check if variable exists before trying to clear it + if ($policySetDefinitionsOutputForBicep) { + Clear-Variable -Name policySetDefinitionsOutputForBicep -ErrorAction Continue + } + + # Create HashTable variable + [System.Collections.Hashtable]$policySetDefinitionsOutputForBicep = [ordered]@{} + + # Loop through child Policy Set/Initiative Definitions if HashTable not == 0 + if (($policyDefinitions.Count) -ne 0) { + $policyDefinitions | Sort-Object | ForEach-Object { + if ($null -ne $_.groupNames -and $_.groupNames.Count -ne 0) { + $joinedGroupNames = "'" + ($_.groupNames -join "','" ) + "'" + $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, $joinedGroupNames)) + } + else { + $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, "")) + } + } + } + + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + $policySetDefParamVarTrimJsonExt = $parametersFileName.TrimEnd("json").Replace('.', '_') + $policySetDefParamVarCreation = "var" + ($policySetDefParamVarTrimJsonExt -replace '(?:^|_|-)(\p{L})', { $_.Groups[1].Value.ToUpper() }).TrimEnd('_') + $policySetDefParamVar = "var " + $policySetDefParamVarCreation + " = " + "loadJsonContent('$definitionsSetPath/$parametersFileName')" + $policySetDefParamVarList += $policySetDefParamVar + + # Start output file creation of Policy Set/Initiative Definitions for Bicep + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsSetTxtFileName'" -InformationAction Continue + Add-Content -Path 
"$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t{`r`n`t`tname: '$policyDefinitionName'`r`n`t`tlibSetDefinition: loadJsonContent('$definitionsSetPath/$fileName')`r`n`t`tlibSetChildDefinitions: [" + + # Loop through child Policy Set/Initiative Definitions for Bicep output if HashTable not == 0 + if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { + $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { + $definitionReferenceId = $_ + $definitionReferenceIdForParameters = $_ + $definitionId = $($policySetDefinitionsOutputForBicep[$_][0]) + $groups = $($policySetDefinitionsOutputForBicep[$_][1]) + + if ($definitionReferenceId -notin $excludedPolicySetChildDefinitionsReferenceIds) { + + # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrohphe for Bicep string escaping + if ($definitionReferenceId.Contains("'")) { + $definitionReferenceId = $definitionReferenceId.Replace("'", "\'") + } + + if ($definitionReferenceIdForParameters.Contains("'")) { + $definitionReferenceIdForParameters = $definitionReferenceIdForParameters.Replace("'", "\'") + } + + # If definitionReferenceId contains, then wrap in definitionReferenceId value in [] to comply with bicep formatting + if ($definitionReferenceIdForParameters.Contains("-") -or $definitionReferenceIdForParameters.Contains(" ") -or $definitionReferenceIdForParameters.Contains("\'")) { + $definitionReferenceIdForParameters = "['$definitionReferenceIdForParameters']" + + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable, without the '.' 
before the definitionReferenceId to make it an accessor + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t}" + } + else { + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t}" + } + } + else { + Write-Information "==> Skipping '$definitionReferenceId' as it is in the excluded list" -InformationAction Continue + } + } + } + + # Finish output file creation of Policy Set/Initiative Definitions for Bicep + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t]`r`n`t}" + } + else { + Write-Information "==> Skipping '$policyDefinitionName' as metadata 'alzCloudEnvironments' does not contain 'AzureChinaCloud'" -InformationAction Continue + } + } + + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "]`r`n" + + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`r`n// Policy Set/Initiative Definition Parameter Variables`r`n" + $policySetDefParamVarList | ForEach-Object { + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "$_`r`n" + } + + 
Write-Information "====> Running '$defintionsSetTxtFileName' through Line Endings" -InformationAction Continue + Update-FileLineEndingType -filePath "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" + + $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Set/Initiative Definitions Total: $policyDefCountString" -InformationAction Continue +} +#endregion + +#region # # Policy Asssignmts - separaee policy asnignments for Azure China due to different policy definitions - missing built-in policies, and featurests - separate policy assignments for Azure China due to different policy definitions - missing built-in policies, and features +function New-PolicyAssignmentsBicepInputTxtFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + Write-Information "====> Creating/Emptying '$assignmentsTxtFileName '" -InformationAction Continue + Set-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Value $null -Encoding "utf8" + + Write-Information "====> Looping Through Policy Assignments:" -InformationAction Continue + Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | ForEach-Object { + $policyAssignment = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + + $policyAssignmentName = $policyAssignment.name + $policyAssignmentDefinitionID = $policyAssignment.properties.policyDefinitionId + $fileName = $_.Name + + # Remove hyphens from Policy Assignment Name + $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-", "") + + Write-Information "==> Adding '$policyAssignmentName' to '$PWD/$assignmentsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: 
'$policyAssignmentDefinitionID'`r`n`tlibDefinition: loadJsonContent('../../../policy/$assignmentsLongPath/$fileName')`r`n}`r`n" + } + + Write-Information "====> Running '$assignmentsTxtFileName' through Line Endings" -InformationAction Continue + Update-FileLineEndingType -filePath "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" + + $policyAssignmentCount = Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | Measure-Object + $policyAssignmentCountString = $policyAssignmentCount.Count + Write-Information "====> Policy Assignments Total: $policyAssignmentCountString" -InformationAction Continue +} +#endregion + +New-PolicyDefinitionsBicepInputTxtFile +New-PolicySetDefinitionsBicepInputTxtFile +New-PolicyAssignmentsBicepInputTxtFile diff --git a/dependencies/scripts/Invoke-PolicyToBicep.ps1 b/dependencies/scripts/Invoke-PolicyToBicep.ps1 new file mode 100644 index 00000000..c1a3b767 --- /dev/null +++ b/dependencies/scripts/Invoke-PolicyToBicep.ps1 
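Review bot: The accessor test in `New-PolicySetDefinitionsBicepInputTxtFile` only checks for `-`, a space and an escaped apostrophe, whereas the sibling `Invoke-PolicyToBicep.ps1` added in this same commit also tests `-or $definitionReferenceIdForParameters -match '^[0-9].+'`; without that clause a reference id that starts with a digit is emitted as a dotted accessor (`varX.123abc.parameters`), which Bicep will not accept, so the condition should be aligned with the sibling. Escaping is also uneven: `$definitionReferenceId` has `'` replaced with `\'`, but `$policyDefinitionName`, `$definitionId` and the joined `$groups` are interpolated into Bicep single-quoted strings untouched, and none of them escape `\` or `${`; these values come from the repository's own policy JSON rather than untrusted input, so this is a robustness rather than an injection concern, but one helper such as `$s.Replace('\', '\\').Replace("'", "\'").Replace('${', '\${')` applied to every interpolated value would make the generated Bicep predictable. The `#region` line introducing `New-PolicyAssignmentsBicepInputTxtFile` is garbled ("Asssignmts", "separaee", "featurests") and repeats itself; replace it with `#region Policy Assignments - separate policy assignments for Azure China due to different policy definitions (missing built-in policies and features)`. The `Write-Information` lines also report the destination as `'$PWD/$defintionsTxtFileName'` while the content is written under `$rootPath/$definitionsLongPath`, so the logged path is misleading.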
@@ -0,0 +1,263 @@ +<# +SUMMARY: This PowerShell script helps with the authoring of the policy definiton module by outputting information required for the variables within the module. +DESCRIPTION: This PowerShell script outputs the Name & Path to a Bicep structured .txt file named '_policyDefinitionsBicepInput.txt' ($defintionsTxtFileName) and '_policySetDefinitionsBicepInput.txt' ($defintionsSetTxtFileName) respectively. It also creates a parameters file for each of the policy set definitions. It also outputs the number of policy and policy set definition files to the console for easier reviewing as part of the PR process. +AUTHOR/S: jtracey93, seseicht +VERSION: 2.0.0 +#> +[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "", Justification = "False Positive")] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseBOMForUnicodeEncodedFile", "", Justification = "False Positive")] + +[CmdletBinding(SupportsShouldProcess)] +param ( + [Parameter()] + [string] + $rootPath = "./infra-as-code/bicep/modules/policy", + [string] + $alzToolsPath = "$PWD/../../dependencies/Alz.Tools", + [string] + $definitionsRoot = "definitions", + [string] + $lineEnding = "unix", + [string] + $definitionsPath = "lib/policy_definitions", + [string] + $definitionsLongPath = "$definitionsRoot/$definitionsPath", + [string] + $definitionsSetPath = "lib/policy_set_definitions", + [string] + $definitionsSetLongPath = "$definitionsRoot/$definitionsSetPath", + [string] + $assignmentsRoot = "assignments", + [string] + $assignmentsPath = "lib/policy_assignments", + [string] + $assignmentsLongPath = "$assignmentsRoot/$assignmentsPath", + [string] + $defintionsTxtFileName = "_policyDefinitionsBicepInput.txt", + [string] + $defintionsSetTxtFileName = "_policySetDefinitionsBicepInput.txt", + [string] + $assignmentsTxtFileName = "_policyAssignmentsBicepInput.txt" +) + +# This script relies on a custom set of classes and functions +# defined within the Alz.Tools PowerShell 
module. +Import-Module $alzToolsPath -ErrorAction Stop + +# Line Endings function to be used in three functions below +function Update-FileLineEndingType { + [CmdletBinding(SupportsShouldProcess)] + param( + [string] + $filePath + ) + + (Get-Content $filePath | Edit-LineEndings -LineEnding $LineEnding) | Out-File $filePath +} + +#region Policy Definitions +function New-PolicyDefinitionsBicepInputTxtFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + Write-Information "====> Creating/Emptying '$defintionsTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Value $null -Encoding "utf8" + + Write-Information "====> Looping Through Policy Definitions:" -InformationAction Continue + Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + + $policyDefinitionName = $policyDef.name + $fileName = $_.Name + + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsLongPath/$defintionsTxtFileName" -Encoding "utf8" -Value "{`r`n`tname: '$policyDefinitionName'`r`n`tlibDefinition: loadJsonContent('$definitionsPath/$fileName')`r`n}" + } + + Write-Information "====> Running '$defintionsTxtFileName' through Line Endings" -InformationAction Continue + Update-FileLineEndingType -filePath "$rootPath/$definitionsLongPath/$defintionsTxtFileName" + + $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsLongPath" -Filter "*.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Definitions Total: $policyDefCountString" -InformationAction Continue +} +#endregion + +#region Policy Set Definitions +function New-PolicySetDefinitionsBicepInputTxtFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + Write-Information "====> 
Creating/Emptying '$defintionsSetTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value $null -Encoding "utf8" + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Value "var varCustomPolicySetDefinitionsArray = [" -Encoding "utf8" + + Write-Information "====> Looping Through Policy Set/Initiative Definition:" -InformationAction Continue + + $policySetDefParamVarList = @() + + Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | ForEach-Object { + $policyDef = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + + # Load child Policy Set/Initiative Definitions + $policyDefinitions = $policyDef.properties.policyDefinitions | Sort-Object -Property policyDefinitionReferenceId + + $policyDefinitionName = $policyDef.name + $fileName = $_.Name + + # Construct file name for Policy Set/Initiative Definitions parameters files + $parametersFileName = $fileName.Substring(0, $fileName.Length - 5) + ".parameters.json" + + # Create Policy Set/Initiative Definitions parameter file + Write-Information "==> Creating/Emptying '$parametersFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value $null -Encoding "utf8" + + # Loop through all Policy Set/Initiative Definitions Child Definitions and create parameters file for each of them + [System.Collections.Hashtable]$definitionParametersOutputJSONObject = [ordered]@{} + $policyDefinitions | Sort-Object | ForEach-Object { + $definitionReferenceId = $_.policyDefinitionReferenceId + $definitionParameters = $_.parameters + + if ($definitionParameters) { + $definitionParameters | Sort-Object | ForEach-Object { + [System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", $_) + } + } + else { + 
[System.Collections.Hashtable]$definitionParametersOutputArray = [ordered]@{} + $definitionParametersOutputArray.Add("parameters", @{}) + } + + $definitionParametersOutputJSONObject.Add("$definitionReferenceId", $definitionParametersOutputArray) + } + Write-Information "==> Adding parameters to '$parametersFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObject | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Sort parameters file alphabetically to remove false git diffs + Write-Information "==> Sorting parameters file '$parametersFileName' alphabetically" -InformationAction Continue + $definitionParametersOutputJSONObjectSorted = New-Object PSCustomObject + Get-Content -Raw -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" | ConvertFrom-Json -pv fromPipe -Depth 10 | + Get-Member -Type NoteProperty | Sort-Object Name | ForEach-Object { + Add-Member -InputObject $definitionParametersOutputJSONObjectSorted -Type NoteProperty -Name $_.Name -Value $fromPipe.$($_.Name) + } + Set-Content -Path "$rootPath/$definitionsSetLongPath/$parametersFileName" -Value ($definitionParametersOutputJSONObjectSorted | ConvertTo-Json -Depth 10) -Encoding "utf8" + + # Check if variable exists before trying to clear it + if ($policySetDefinitionsOutputForBicep) { + Clear-Variable -Name policySetDefinitionsOutputForBicep -ErrorAction Continue + } + + # Create HashTable variable + [System.Collections.Hashtable]$policySetDefinitionsOutputForBicep = [ordered]@{} + + # Loop through child Policy Set/Initiative Definitions if HashTable not == 0 + if (($policyDefinitions.Count) -ne 0) { + $policyDefinitions | Sort-Object | ForEach-Object { + if ($null -ne $_.groupNames -and $_.groupNames.Count -ne 0) { + $joinedGroupNames = "'" + ($_.groupNames -join "','" ) + "'" + $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, $joinedGroupNames)) + 
} + else { + $policySetDefinitionsOutputForBicep.Add($_.policyDefinitionReferenceId, @($_.policyDefinitionId, "")) + } + } + } + + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + $policySetDefParamVarTrimJsonExt = $parametersFileName.TrimEnd("json").Replace('.', '_') + $policySetDefParamVarCreation = "var" + ($policySetDefParamVarTrimJsonExt -replace '(?:^|_|-)(\p{L})', { $_.Groups[1].Value.ToUpper() }).TrimEnd('_') + $policySetDefParamVar = "var " + $policySetDefParamVarCreation + " = " + "loadJsonContent('$definitionsSetPath/$parametersFileName')" + $policySetDefParamVarList += $policySetDefParamVar + + # Start output file creation of Policy Set/Initiative Definitions for Bicep + Write-Information "==> Adding '$policyDefinitionName' to '$PWD/$defintionsSetTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t{`r`n`t`tname: '$policyDefinitionName'`r`n`t`tlibSetDefinition: loadJsonContent('$definitionsSetPath/$fileName')`r`n`t`tlibSetChildDefinitions: [" + + # Loop through child Policy Set/Initiative Definitions for Bicep output if HashTable not == 0 + if (($policySetDefinitionsOutputForBicep.Count) -ne 0) { + $policySetDefinitionsOutputForBicep.Keys | Sort-Object | ForEach-Object { + $definitionReferenceId = $_ + $definitionReferenceIdForParameters = $_ + $definitionId = $($policySetDefinitionsOutputForBicep[$_][0]) + $groups = $($policySetDefinitionsOutputForBicep[$_][1]) + + # If definitionReferenceId or definitionReferenceIdForParameters contains apostrophes, replace that apostrophe with a backslash and an apostrohphe for Bicep string escaping + if ($definitionReferenceId.Contains("'")) { + $definitionReferenceId = $definitionReferenceId.Replace("'", "\'") + } + + if ($definitionReferenceIdForParameters.Contains("'")) { + $definitionReferenceIdForParameters = $definitionReferenceIdForParameters.Replace("'", "\'") + } + + # If 
definitionReferenceId contains, then wrap in definitionReferenceId value in [] to comply with bicep formatting + if ($definitionReferenceIdForParameters.Contains("-") -or $definitionReferenceIdForParameters.Contains(" ") -or $definitionReferenceIdForParameters.Contains("\'") -or $definitionReferenceIdForParameters -match '^[0-9].+') { + $definitionReferenceIdForParameters = "['$definitionReferenceIdForParameters']" + + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable, without the '.' before the definitionReferenceId to make it an accessor + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t}" + } + else { + # Add nested array of objects to each Policy Set/Initiative Definition in the Bicep variable + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t`t{`r`n`t`t`t`tdefinitionReferenceId: '$definitionReferenceId'`r`n`t`t`t`tdefinitionId: '$definitionId'`r`n`t`t`t`tdefinitionParameters: $policySetDefParamVarCreation.$definitionReferenceIdForParameters.parameters`r`n`t`t`t`tdefinitionGroups: [$groups]`r`n`t`t`t}" + } + } + } + + # Finish output file creation of Policy Set/Initiative Definitions for Bicep + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`t`t]`r`n`t}" + + } + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "]`r`n" + + # Add Policy Set/Initiative Definition Parameter Variables to Bicep Input File + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "`r`n// Policy 
Set/Initiative Definition Parameter Variables`r`n" + $policySetDefParamVarList | ForEach-Object { + Add-Content -Path "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" -Encoding "utf8" -Value "$_`r`n" + } + + Write-Information "====> Running '$defintionsSetTxtFileName' through Line Endings" -InformationAction Continue + Update-FileLineEndingType -filePath "$rootPath/$definitionsSetLongPath/$defintionsSetTxtFileName" + + $policyDefCount = Get-ChildItem -Recurse -Path "$rootPath/$definitionsSetLongPath" -Filter "*.json" -Exclude "*.parameters.json" | Measure-Object + $policyDefCountString = $policyDefCount.Count + Write-Information "====> Policy Set/Initiative Definitions Total: $policyDefCountString" -InformationAction Continue +} +#endregion + +#region Policy Asssignments +function New-PolicyAssignmentsBicepInputTxtFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + Write-Information "====> Creating/Emptying '$assignmentsTxtFileName'" -InformationAction Continue + Set-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Value $null -Encoding "utf8" + + Write-Information "====> Looping Through Policy Assignments:" -InformationAction Continue + Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | ForEach-Object { + $policyAssignment = Get-Content $_.FullName | ConvertFrom-Json -Depth 100 + + $policyAssignmentName = $policyAssignment.name + $policyAssignmentDefinitionID = $policyAssignment.properties.policyDefinitionId + $fileName = $_.Name + + # Remove hyphens from Policy Assignment Name + $policyAssignmentNameNoHyphens = $policyAssignmentName.replace("-", "") + + Write-Information "==> Adding '$policyAssignmentName' to '$PWD/$assignmentsTxtFileName'" -InformationAction Continue + Add-Content -Path "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName" -Encoding "utf8" -Value "var varPolicyAssignment$policyAssignmentNameNoHyphens = {`r`n`tdefinitionId: 
'$policyAssignmentDefinitionID'`r`n`tlibDefinition: loadJsonContent('../../../policy/$assignmentsLongPath/$fileName')`r`n}`r`n"
+ }
+
+ Write-Information "====> Running '$assignmentsTxtFileName' through Line Endings" -InformationAction Continue
+ Update-FileLineEndingType -filePath "$rootPath/$assignmentsLongPath/$assignmentsTxtFileName"
+
+ $policyAssignmentCount = Get-ChildItem -Recurse -Path "$rootPath/$assignmentsLongPath" -Filter "*.json" | Measure-Object
+ $policyAssignmentCountString = $policyAssignmentCount.Count
+ Write-Information "====> Policy Assignments Total: $policyAssignmentCountString" -InformationAction Continue
+}
+#endregion
+
+New-PolicyDefinitionsBicepInputTxtFile
+New-PolicySetDefinitionsBicepInputTxtFile
+New-PolicyAssignmentsBicepInputTxtFile
diff --git a/dependencies/scripts/Set-AlzDefaultPolicyAssignment.ps1 b/dependencies/scripts/Set-AlzDefaultPolicyAssignment.ps1
new file mode 100644
index 00000000..ade5df13
--- /dev/null
+++ b/dependencies/scripts/Set-AlzDefaultPolicyAssignment.ps1
@@ -0,0 +1,33 @@
+
+param (
+ #Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
+ [Parameter(Mandatory = $true)] [string] $ManagementGroupId,
+ [Parameter(Mandatory = $true)] [string] $parLocation,
+ [Parameter(Mandatory = $true)] [string] $templateFile,
+ [Parameter(Mandatory = $true)] [string] $parameterFile,
+ [Parameter(Mandatory = $true)] [string] $parTopLevelManagementGroupPrefix,
+ [Parameter(Mandatory = $true)] [string] $parLogAnalyticsWorkSpaceAndAutomationAccountLocation,
+ [Parameter(Mandatory = $true)] [string] $parLogAnalyticsWorkspaceResourceID,
+ [Parameter(Mandatory = $true)] [string] $parDdosProtectionPlanId,
+ [Parameter(Mandatory = $true)] [string] $parPrivateDnsResourceGroupId
+)
+$state = 'fail'
+$i = 0
+$err.clear
+while ($i -lt 4 -and $state -eq 'fail') {
+ $ErrorActionPreference = "Stop"
+ Try {
+ New-AzManagementGroupDeployment -Managementgroupid $ManagementGroupId -Location $parLocation -TemplateFile $templateFile -TemplateParameterFile $parameterFile -parTopLevelManagementGroupPrefix $parTopLevelManagementGroupPrefix -parLogAnalyticsWorkSpaceAndAutomationAccountLocation $parLogAnalyticsWorkSpaceAndAutomationAccountLocation -parLogAnalyticsWorkspaceResourceID $parLogAnalyticsWorkspaceResourceID -parDdosProtectionPlanId $parDdosProtectionPlanId -parPrivateDnsResourceGroupId $parPrivateDnsResourceGroupId
+ $state = 'success'
+ }
+ Catch {
+ $i++
+ Write-Output "ALZ Default Policy Assignments module failed to deploy with $error"
+ Write-Output "Iteration number $i"
+ Write-Output "Will retry in 30 seconds"
+ Start-Sleep -Seconds 30
+ }
+}
+If ($state -eq 'fail') {
+ Throw "ALZ Default Policy Assignments module failed to deploy after $i attempts"
+}
diff --git a/dependencies/scripts/Update-ProviderApiVersionsZip.ps1 b/dependencies/scripts/Update-ProviderApiVersionsZip.ps1
new file mode 100644
index 00000000..6f84ca21
--- /dev/null
+++ b/dependencies/scripts/Update-ProviderApiVersionsZip.ps1
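Review bot: `$err.clear` just before the while loop is a no-op: `$err` is not the automatic error collection (that is `$Error`), and `.clear` without parentheses is a member lookup rather than a method call, so nothing is cleared; `$Error.Clear()` is what was intended. In the Catch block the message interpolates the whole `$error` collection, so on a retry it prints every error accumulated in the session rather than the one that caused this attempt to fail; `$_.Exception.Message` (or `$_`) names the failure that triggered the retry. Because the loop retries every exception, a non-transient failure such as a missing permission or a malformed parameter file is also retried four times with 30-second sleeps before the final Throw; that may be acceptable for a deployment helper, but a comment stating it is deliberate would help the next maintainer. `$ErrorActionPreference = "Stop"` is also reassigned on every iteration and can be set once before the loop.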
@@ -0,0 +1,30 @@
+#!/usr/bin/pwsh
+
+#
+# PowerShell Script
+# - Update the ProviderApiVersions.zip file stored in the module
+#
+# Requires an authentication session PowerShell session to Azure
+# and should be run from the same location as the script unless
+# the -Directory parameter is specified.
+#
+
+[CmdletBinding(SupportsShouldProcess)]
+param (
+ [Parameter()][String]$Directory = "$PWD/EnterpriseScaleLibraryTools"
+)
+
+$ErrorActionPreference = "Stop"
+
+# This script relies on a custom set of classes and functions
+# defined within the EnterpriseScaleLibraryTools PowerShell
+# module.
+$esltModulePath = "$Directory/EnterpriseScaleLibraryTools.psm1"
+Import-Module $esltModulePath -ErrorAction Stop
+
+Write-Information "Updating ProviderApiVersions in module." -InformationAction Continue
+if ($PSCmdlet.ShouldProcess($Directory)) {
+ Invoke-UpdateCacheInModule($Directory)
+}
+
+Write-Information "... Complete" -InformationAction Continue
diff --git a/docs/01-Overview.md b/docs/01-Overview.md
new file mode 100644
index 00000000..7f231be8
--- /dev/null
+++ b/docs/01-Overview.md
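Review bot: `Invoke-UpdateCacheInModule($Directory)` inside the ShouldProcess block uses method-call syntax for a PowerShell command; it happens to work because a single parenthesised expression is passed as one positional argument, but it reads as a method call and would silently pass a single array if a second value were ever added, so `Invoke-UpdateCacheInModule $Directory` is the conventional form. The function itself is defined in the module imported a few lines earlier and is not visible in this diff, so its parameter name cannot be checked here. The header comment also reads `Requires an authentication session PowerShell session to Azure`; `Requires an authenticated PowerShell session to Azure` says the same thing without the doubled word.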
@@ -0,0 +1,27 @@ +# Understanding the Sovereign Landing Zone (SLZ) Preview + +## The Sovereign Landing Zone (SLZ) Preview + +The [Sovereign Landing Zone Preview](https://learn.microsoft.com/industry/sovereignty/slz-overview) is a [Microsoft Cloud for Sovereignty](https://learn.microsoft.com/industry/sovereignty/) offering that is an opinionated variant of the [Azure Landing Zone](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/), which provides an enterprise scale cloud infrastructure designed to help an organization meet their sovereignty requirements such as those related to operational control of data at rest, in transit, and in use. + +With the SLZ Preview a customer can create a cloud architecture that provides controls for service location management, [customer managed keys](https://learn.microsoft.com/azure/security/fundamentals/key-management) and [confidential computing](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) as core components of the architecture. This enterprise scale cloud architecture bundled with policies and compliance reporting enables customers to create a platform for the secure and sovereign deployment of their workloads. + +## Differences between the Sovereign Landing Zone Preview and an Azure Landing Zone + +The SLZ Preview comes with the [Sovereignty Policy Baseline](scenarios/Sovereignty-Policy-Baseline.md) built-in and enables other policy sets such as the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) to be deployed within the SLZ Preview and policy sets that support control frameworks such as [NIST 800-171 rev2](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-171-r2) and [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/security/benchmark/azure/overview) to be layered on top of the SLZ Preview. 
With the Sovereignty Policy Baseline a customer can enforce the use of confidential computing and key management resources for appropriately implemented workloads to be deployed into confidential management groups allowing workload data to be protected at rest, in transit, and while in use thereby supporting an organization in achieving their data sovereignty goals. + +The SLZ Preview provides this through custom orchestration permitting an entire landing zone to be configured from a singular parameter file and deployed with a single command allowing organizations to quickly test out the SLZ Preview. + +## Benefits of using Sovereign Landing Zone (SLZ) Preview + +Securing government workloads in a public cloud is challenging. The SLZ Preview automates the creation of a cloud environment where security and data sovereignty controls can be enforced by policies. The entire deployment is automated so that it can be integrated into existing pipelines as part of a mature DevSecOps ecosystem. + +## Conclusion + +If you need the scale and flexibility of the public cloud combined with the peace of mind of knowing that data is encrypted at rest, in transit, and while in use, then you can benefit from the SLZ Preview. View our [common scenarios](scenarios/README.md) for more details about how to use the SLZ Preview or follow the next steps to get started. + +## Next step + +[Architecture of the Sovereign Landing Zone Preview.](02-Architecture.md) + +### [Preview Notice](./PREVIEW.md) diff --git a/docs/02-Architecture.md b/docs/02-Architecture.md new file mode 100644 index 00000000..1f1d0ddb --- /dev/null +++ b/docs/02-Architecture.md 
@@ -0,0 +1,24 @@ +# Architecture of the Sovereign Landing Zone (SLZ) Preview + +## Overview + +The SLZ Preview architecture is derived from the Azure Landing Zone architecture. For detailed information about the Azure Landing Zone please visit [here.](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) + +The SLZ Preview is composed of a management group hierarchy along with common platform resources to facilitate networking, logging, and managed service identities. Application workloads can be deployed into a SLZ Preview environment in 1 of the 4 default landing zones: + +- **Corp** - Non-internet facing, non-confidential workloads +- **Online** - Internet facing, non-confidential workloads +- **Confidential Corp** - Non-internet facing, confidential workloads (only allows confidential computing resources to be used) +- **Confidential Online** - Internet facing, confidential workloads (only allows confidential computing resources to be used) + +The assigned policies in each of the landing zones are designed to support the behavior and connectivity profiles of the workloads deployed. Organizations can [create new management groups](scenarios/Expanding-SLZ-ManagementGroups.md) and further customize the assigned policies as is necessary. + +The SLZ Preview deploys under the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) in Azure, so it can support brownfield deployments, greenfield deployments, and multiple SLZ Preview deployments within the same tenant based on customer need. The SLZ Preview can also be deployed to an arbitrary [child management group](scenarios/Piloting-SLZ.md), which is better suited for conducting a proof-of-concept. 
+ +![SLZ Preview Architecture Diagram](images/sovereign-scale-architecture.png) + +## Next Step + +[Overview of the Sovereign Landing Zone Preview deployment](03-Deployment-Overview.md) + +### [Preview Notice](./PREVIEW.md) diff --git a/docs/03-Deployment-Overview.md b/docs/03-Deployment-Overview.md new file mode 100644 index 00000000..0ccd0b62 --- /dev/null +++ b/docs/03-Deployment-Overview.md 
@@ -0,0 +1,21 @@ +# Key Components of the Sovereign Landing Zone Preview Deployment + +## Components + +The Sovereign Landing Zone Preview consists of several components that are deployed as part of a full deployment. Each of the components are described below: + +1. **Bootstrap**: Sets up the management group hierarchy and creates the subscriptions as dictated by the architecture of the SLZ Preview. These are deployed under the tenant root group of the Azure customer tenant by default, although they can also be deployed under any [child management group](scenarios/Piloting-SLZ.md). + +2. **Platform**: Sets up the hub network and logging resources used by the SLZ Preview platform and workloads. + +3. **Compliance**: Creates definitions and assigns the [default policy sets](scenarios/Sovereignty-Policy-Baseline.md) and provided custom policies to be enforced in the environment. For information on how to provide custom policies to the SLZ Preview read [here.](09-Customize-Policies.md) + +4. **Dashboard**: Provides customers with a visual representation of their Azure policy compliance. For additional information about the dashboard please read [here.](10-Compliance-Dashboard.md) + +Once the deployment is complete, the customer will have the Sovereign Landing Zone Preview setup for their use, with a base set of policies applied. Customers can then begin to migrate workloads and apply additional policies as necessary. For more information about how these deployment steps can be ran individually or how a deployment can be automated, checkout the [SLZ Preview Pipeline Deployments](scenarios/Pipeline-Deployments.md) doc. + +## Next step + +[Getting started with the GitHub Repository](04-Repository-Setup.md) + +### [Preview Notice](./PREVIEW.md) diff --git a/docs/04-Repository-Setup.md b/docs/04-Repository-Setup.md new file mode 100644 index 00000000..6e8453f1 --- /dev/null +++ b/docs/04-Repository-Setup.md 
@@ -0,0 +1,31 @@ +# Set up the Sovereign Landing Zone Preview Repository + +Below are some options for setting up the [SLZ Preview GitHub repository](https://github.com/Azure/sovereign-landing-zone) for your use. We recommend that you use the process that is best suited for your organization. + +## Download the GitHub Repository + +### Option 1 (Recommended) + +For contributing and best practice for receiving updates, follow the steps outlined here to [clone or fork the repository](https://docs.github.com/en/get-started/quickstart/fork-a-repo). +#### Clone Repository +``` +git clone https://github.com/Azure/sovereign-landing-zone +``` +#### Fork Repository + ![Fork Repository screenshot](images/forkgithubrepo.png) + +The version of the SLZ Preview being used can be determined from the [git tag](https://git-scm.com/docs/git-tag) or the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the clone or fork was made from. + +### Option 2 + +If you do not plan on contributing or do not intend to receive updates, you can simply download a copy of the [repository](https://github.com/Azure/sovereign-landing-zone) to your local machine, and unzip. + + ![Screenshot of .zip download](images/downloadzipofrepo.png) + +The version of the SLZ Preview being used can be determined from the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the zip file was downloaded from. The version number will be in the file name of the zip file. + +## Next step + +[Confirm your Permissions and necessary tooling](05-Permissions-Tooling.md) + +### [Preview Notice](./PREVIEW.md) diff --git a/docs/05-Permissions-Tooling.md b/docs/05-Permissions-Tooling.md new file mode 100644 index 00000000..cc243e70 --- /dev/null +++ b/docs/05-Permissions-Tooling.md 
@@ -0,0 +1,81 @@ +# Permissions and Tooling + +This article will walk through the required Azure permissions, setting up local tooling, and the validation steps needed for a successful deployment of the Sovereign Landing Zone Preview. + +## Permissions + +The account or service principal used to deploy the SLZ Preview must have both of the following: + +**Note** the reduced permission set listed below is pending completion this feature. Documentation is being left as-is to show the current direction. When the feature is finished, this note will be removed and it will be listed in the release notes. For the time being, Global Administrator with elevated Azure permissions are required. + +1. Ability to create subscriptions programmatically + * The [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription) documentation describes the types of Azure agreements that have REST APIs that will enable automatic subscription creation. + * This document also provides links to the permissions required each Azure agreement type. The agreement type can be found in the [Cost Management + Billing](https://learn.microsoft.com/azure/cost-management-billing/manage/view-all-accounts#check-the-type-of-your-account) blade in the portal. + * Other types of Azure agreements will require using your normal subscription creation process that may be manual. More details can be found in our [additional setup steps](scenarios/Using-Existing-Subscriptions.md) doc. +2. Azure permissions to create management groups, Azure resources, and manage policies. 
+ * For smaller organizations organizations or ones that are new to Azure, [Global Administrator](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#global-administrator) permissions with [elevated Azure permissions](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) will provide sufficient access. + * These may not be reasonable permissions to have within many organizations. + * Otherwise, the management group permissions will need to be either [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner), [Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#contributor), or [Management Group Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#management-group-contributor) at either the [Tenant Root Group](https://learn.microsoft.com/azure/governance/management-groups/overview#hierarchy-of-management-groups-and-subscriptions) or the child management group being deployed within. + * These broad permissions are necessary to deploy all types of Azure resources that the SLZ Preview will attempt to create. The general owner or contributor roles are recommended over using a set of resource specific owner or contributor roles because the SLZ preview deploys a wide spectrum of Azure resources. + * **Note** this is a very broad set of permissions and should be given to only the identities being used to deploy the SLZ Preview. These broad permissions are needed to fully deploy all resources within the SLZ Preview environment, but they should not be needed by operators and engineers working within a deployed SLZ Preview. Review our documentation around [Azure identity and access management](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices) for best practices. 
+ * And the policy management permissions will need to be either [Security Admin](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#security-admin) or [Resource Policy Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#resource-policy-contributor) if the above [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) permission is not provided. + +## Tooling (`Required`) + +The following local tooling must be installed to deploy the SLZ Preview: +* PowerShell + * At least version 7.0 +* Azure CLI + * At least version 2.51.0 +* Azure Bicep + * At least version 0.20.0 +* Azure PowerShell + * At least version 10.0.0 + +### PowerShell + +PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework that runs on Windows, Linux, and macOS. You should use your organization's recommended installation and upgrade process for PowerShell, or [download and upgrade](https://learn.microsoft.com/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.3) it through Microsoft's recommended process. + +Some machines will require upgrading PowerShell. + +### Azure CLI + +The Azure Command-Line Interface (CLI) is a cross-platform command-line tool to connect to Azure and execute administrative commands on Azure resources. You should use your organization's recommended installation and upgrade process for the Azure CLI, or [download and upgrade](https://learn.microsoft.com/cli/azure/install-azure-cli) it through Microsoft's recommended process. + +Most machines will require installing the Azure CLI. + +### Azure Bicep + +Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. 
You should use your organization's recommended installation and upgrade process for the Azure Bicep, or [download and upgrade](https://learn.microsoft.com/azure/azure-resource-manager/bicep/install#azure-cli) it through Microsoft's recommended process. + +Most machines will require installing Azure Bicep. You may run into upgrade issues if you have multiple versions of Azure Bicep installed so the [troubleshooting problems with Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/installation-troubleshoot#multiple-versions-of-bicep-cli-installed) installation doc may be useful. + +### Azure PowerShell + +Azure PowerShell is a set of cmdlets for managing Azure resources directly from PowerShell. Azure PowerShell is designed to make it easy to learn and get started with, but provides powerful features for automation. You should use your organization's recommended installation and upgrade process for Azure PowerShell, or [download and upgrade](https://learn.microsoft.com/powershell/azure/install-azure-powershell?view=azps-10.4.1) it through Microsoft's recommended process. + +Most machines will require upgrading PowerShell. + +## Validation + +The [Confirm-SovereignLandingZonePrerequisites.ps1](../orchestration/scripts/Confirm-SovereignLandingZonePrerequisites.ps1) will validate that all the necessary prerequisites are in place to deploy the SLZ Preview including both Azure permissions and local tooling. + +This script *will check the versions* of the required tooling and will recommend upgrades but the user must manually install or upgrade the required tooling. The script will provide the same links found on this page to install the tools that are missing or out of date. 
+ +This script *will attempt to elevate your permissions* if required for a [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) level deployment, which is necessary for accounts that are [Global Admins](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#global-administrator) and need Azure permissions. + +1. In your version of the GitHub repository, navigate to `/orchestration/scripts`. +2. Run the `Confirm-SovereignLandingZonePrerequisites.ps1` script. + * If you do not want your permissions elevated or do not need a tenant root group deployment, instead run: + +```./Confirm-SovereignLandingZonePrerequisites.ps1 -parIsSLZDeployedAtTenantRoot $false``` + +You may need to update the PowerShell [execution policy](https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3) depending on your method of downloading the SLZ Preview. If the script runs successfully, then all prerequisites are met, and you may move to the next step. + +## Next step + +**For new deployments**, proceed to [configure the parameters required for the SLZ Preview deployment](07-Deployment-Parameters.md). + +If you are an **existing SLZ Preview customer** and would like to upgrade to the latest version, please follow the instructions in [Upgrade Existing SLZ Preview.](06-Upgrade-Existing-SLZ-Preview.md) + +### [Preview Notice](./PREVIEW.md) diff --git a/docs/06-Upgrade-Existing-SLZ-Preview.md b/docs/06-Upgrade-Existing-SLZ-Preview.md new file mode 100644 index 00000000..f3b7493d --- /dev/null +++ b/docs/06-Upgrade-Existing-SLZ-Preview.md 
@@ -0,0 +1,67 @@ +# Upgrading an existing Sovereign Landing Zone from Private Preview + +**Note:** This document is intended for customers that have an existing SLZ Preview deployment from one of our Private Previews. If you are deploying the SLZ Preview for the first time or as part of the Public Preview, please go to [Deployment Parameters](07-Deployment-Parameters.md) to continue. + +We are planning for all releases starting with Public Preview to have automatic upgrade steps that require no manual user interaction. However, please review each release note for more details. There are breaking changes introduced with Public Preview that prevent Private Preview upgrades. + +## Parameter File Changes + +Several parameters were changed, renamed, removed, or added. We recommend using the template parameter file provided in the Public Preview repository and updating the values there with the ones that were being used in your Private Preview deployment based upon the guidance below. + +Any parameter that is not mentioned below can have its value copied over without modification. 
+ +### Parameters Changed or Removed + +| | Parameter Name | Status | Action | Notes | +|----|----------------|--------|--------|-------| +| 1 |parTopLevelManagementGroupSuffix|Renamed|Copy the value to the `parDeploymentSuffix` parameter.|This parameter is now called `parDeploymentSuffix` to better reflect its actual usage.| +| 2 |parBillingScopeAccountId|Combined|Record this parameter value and reference the new format in the [deployment parameter doc.](./07-Deployment-Parameters.md)|The parameter has been merged with `parEnrollmentAccountId` and is now called `parSubscriptionBillingScope` to allow for non-EA account types to deploy the SLZ Preview.| +| 3 |parEnrollmentAccountId|Combined|Record this parameter value and reference the new format in the [deployment parameter doc.](./07-Deployment-Parameters.md)|The parameter has been merged with `parBillingScopeAccountId` and is now called `parSubscriptionBillingScope` to allow for non-EA account types to deploy the SLZ Preview.| +| 4 |parEnvironmentType|Removed|None|This parameter has been removed as it is not being used.| + +### Parameters Added + +| | Parameter Name | Status | Action | Notes | +|----|----------------|--------|--------|-------| +| 1 |parDeploymentSuffix|Renamed|Copy the value from `parTopLevelManagementGroupSuffix` parameter.|This parameter was called `parTopLevelManagementGroupSuffix` but it is used for more than the management group suffix.| +| 2 |parTopLevelManagementGroupParentId|Added|None, optional parameter.|This parameter enables SLZ Preview deployments outside the tenant root group level. [More details here.](./scenarios/Piloting-SLZ.md)| +| 3 |parSubscriptionBillingScope|Combined|Copy the `parBillingScopeAccountId` and `parEnrollmentAccountId` values into the new format.|This parameter is a combination of `parBillingScopeAccountId` and `parEnrollmentAccountId` to allow for non-EA account types to deploy the SLZ Preview. 
More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| +| 4 |parCustomSubnets|Added|None, optional parameter.|This parameter allows for more subnets to be added to the hub network. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| +| 5 |parPolicyEffect|Added|None, optional parameter.|This parameter allows changing the [Sovereignty Policy Baseline](./scenarios/Sovereignty-Policy-Baseline.md) assignment effect. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| +| 6 |parDeployLogAnalyticsWorkspace|Added|None, optional parameter.|This parameter toggles between deploying or not deploying Log Analytics Workspace. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| +| 7 |parCustomerPolicySets|Added|None, optional parameter.|This parameter allows for assigning additional policies to the top-level management group scope. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| +| 8 |parTags|Added|None, optional parameter.|This parameter allows for customizing resource tagging. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| + +## Naming Convention Changes + +In an effort to align with ALZ naming conventions, several resources have been renamed. For the following table `prefix` will denote the value of `parDeploymentPrefix`, `suffix` will denote the value of `parDeploymentSuffix`, and `location` will denote the value of `parDeploymentLocation`. + +**Note:** The `parDeploymentSuffix` value does not inherently provide a `-`. If a `-` is needed, it will need to be explicitly provided in the `parDeploymentSuffix` value. 
+ +| | Resource Type | New Naming Format | Notes | +|----|---------------|-------------------|-------| +| 1 |Management Groups|No Change|| +| 2 |Subscriptions|`{prefix}-[NAME]{suffix}`|Where `NAME` is the name of the subscription such as `connectivity`.| +| 3 |Resource Groups|`{prefix}-rg-[NAME]-{location}{suffix}`|Where `NAME` is the name of the resource group such as `hub-network`.| +| 4 |Resources|`{prefix}-[NAME]-{location}{suffix}`|Where `NAME` is the name of the resource such as `hub`.||| + +Due to other Azure requirements around naming for Azure-managed resources or resource definitions that are internal to another resources, some Azure resources may not follow the above conventions. + +## Breaking Changes + +For the most part, Azure resources cannot be renamed as the name is used as the unique identifier for the resource. By using a standardize naming convention for resources deployed by the SLZ Preview, we have changed these names from the Private version of the SLZ Preview, so existing resources cannot be used by the Public version of the SLZ Preview. + +To use the Public version of the SLZ Preview, we recommend the following: + +1. Start with the new parameter file template found in this repository. +2. Copy the parameter values from the Private Preview parameter file to the Public Preview template. + * Update the parameter values as described above. +3. Make sure you are using a `parDeploymentPrefix` and `parDeploymentSuffix` set that is not used by an existing Private Preview deployment. +4. Deploy the SLZ Preview as described in the [following step](08-Deploy-SLZ-Preview.md). +5. Run all post-deployment customizations you've made against this new SLZ Preview deployment. + +## Next step + +Proceed to [configure the parameters required for the SLZ Preview deployment](07-Deployment-Parameters.md) + +### [Preview Notice](./PREVIEW.md) 
diff --git a/docs/07-Deployment-Parameters.md b/docs/07-Deployment-Parameters.md new file mode 100644 index 00000000..c5d1c212 --- /dev/null +++ b/docs/07-Deployment-Parameters.md @@ -0,0 +1,66 @@ +# Update required parameters + +Before deployment of the Sovereign Landing Zone Preview, the `Required` parameters identified below must be reviewed. The parameter file contains defaults for some values as well as sample values for complex data structures. + + 1. In the Sovereign Landing Zone Preview repository, navigate to the `/orchestration/scripts/parameters` folder. + + 2. Open `sovereignLandingZone.parameters.json` in a text editor. + + 3. Review and update at least the required parameters in the `"value"`: `""` field. Reference [Parameter value descriptions](#parameter-value-descriptions) for guidance on the full parameters available. + * The SLZ Preview deployment script will prompt the user for required values that are missed, but it's recommended to put all values in the parameter file. + + 4. Save the file. + +## Parameter value descriptions + +This section contains descriptions and accepted values for all parameters within the sovereignLandingZone.parameters.json file. The `Used By` column indicates which parameters are used for a specific deployment step. We recommend first time users review and update the parameters marked as `Required` and use the `all` deployment step. + + | | Parameter |Description | Guidance, examples | Used By | + |----|---------------------|---------------|----------------------------------|---------| + | 1 | `Required` parDeploymentPrefix | Prefix added to all Azure resources created by the SLZ Preview. | 5 characters or less; can only contain letters, digits, '-', '.' or '_'. No other special characters supported.
e.g.: slz | all, bootstrap, compliance, platform, dashboard | + | 2 | `Required` parTopLevelManagementGroupName | The name of the top-level management group for the SLZ Preview. | e.g.: Sovereign Landing Zone | all, bootstrap | + | 3 | parDeploymentSuffix | Optional suffix that will be added to all Azure resources created by the the SLZ Preview. Use a '-' at the start of the suffix value if a dash is needed. | 5 characters or less
e.g. test1 | all, bootstrap, compliance, platform, dashboard | + | 4 | parTopLevelManagementGroupParentId | Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty (default) will deploy beneath Tenant Root Management Group. | Sample Format - /providers/Microsoft.Management/managementGroups/{mgId} | all, bootstrap | + | 5 | `Required` parSubscriptionBillingScope | The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in. | Sample Format (EA): /providers/Microsoft.Billing/BillingAccounts/{BillingAccountId}/enrollmentAccounts/{EnrollmentAccountId}
Sample Format (MCA): /providers/Microsoft.Billing/billingAccounts/{BillingAccountId}
Sample Format (MPA): /providers/Microsoft.Billing/billingAccounts/{BillingAccountId}
etc. | all, bootstrap | + | 6 | `Required` parCustomer | The name of the organization deploying the SLZ Preview to brand the compliance dashboard appropriately. | 128 characters or less
e.g.: Contoso | all, dashboard | + | 7 | `Required` parDeploymentLocation | Location used for deploying Azure resources. | Azure region to use for deployments. *If Confidential Computing is required for your region, please reference the [Confidential Computing](https://learn.microsoft.com/azure/confidential-computing/overview) page for the latest information on availability.*
e.g.: westeurope | all, platform, dashboard | + | 8 | `Required` parAllowedLocations | Full list of Azure regions allowed by policy where resources can be deployed that should include at least the `parDeploymentLocation`. | An array of values (Azure regions).
e.g.: ["eastus2", "westeurope"] | all, compliance | + | 9 | `Required` parAllowedLocationsForConfidentialComputing | Full list of Azure regions allowed by policy where Confidential computing resources can be deployed. This may be a completely different list from `parAllowedLocations`. | An array of values (Azure regions).
e.g.: ["eastus2", "westeurope"] | all, compliance | + | 10 | parDeployDdosProtection | Toggles deployment of Azure DDOS protection. True to deploy, otherwise false. | true; false | all, platform | + | 11 | parDeployHubNetwork | Toggles deployment of the hub VNET. True to deploy, otherwise false. | true; false | all, platform | + | 12 | parEnableFirewall | Toggles deployment of Azure Firewall. True to deploy, otherwise false. | true; false | all, platform | + | 13 | parUsePremiumFirewall | Toggles deployment of the Premium SKU for Azure Firewall and only used if `parEnableFirewall` is enabled. True to use Premium SKU, otherwise false. | true; false | all, platform | + | 14 | parHubNetworkAddressPrefix | CIDR range for the hub VNET. | CIDR range | all, platform | + | 15 | parAzureBastionSubnet | CIDR range for the Azure Bastion subnet. | CIDR range | all, platform | + | 16 | parGatewaySubnet | CIDR range for the Gateway subnet. | CIDR range | all, platform | + | 17 | parAzureFirewallSubnet | CIDR range for the Azure Firewall subnet. | CIDR range | all, platform | + | 18 | parCustomSubnets | List of other subnets to deploy on the hub VNET and their CIDR ranges. | Sample Format: [{"name": "CustomSubnet1", "ipAddressRange": "xx.xx.xx.xx/xx"}, {"name": "CustomSubnet2", "ipAddressRange": "xx.xx.xx.xx/xx"}] | all, platform | + | 19 | parLogRetentionInDays | Length of time, in days, to retain log files with usage enforced by ALZ policies. | Number of days
e.g.: 365 | all, compliance, platform | + | 20 | parManagementSubscriptionId | Optional management subscription ID when using an existing subscription. | Azure Subscription Id
e.g.: /providers/Microsoft.Management/managementGroups/slz-platform-management1 | bootstrap, platform, dashboard | + | 21 | parIdentitySubscriptionId | Optional identity subscription ID when using an existing subscription. | Azure Subscription Id
e.g.: /providers/Microsoft.Management/managementGroups/slz-platform-identity1 | bootstrap, platform | + | 22 | parConnectivitySubscriptionId | Optional connectivity subscription ID when using an existing subscription. | Azure Subscription Id
e.g.: /providers/Microsoft.Management/managementGroups/slz-platform-connectivity1 | bootstrap, platform | + | 23 | parDdosProtectionResourceId | Optional resource ID for an existing DDoS plan with usage enforced by ALZ policies. | DDoS Plan Resource Id
e.g.:/subscriptions/{subId}/resourceGroups/{rgId}/providers/Microsoft.Network/ddosProtectionPlans/slz-ddos-plan-westus21 | platform | + | 24 | parLogAnalyticsWorkspaceId | Optional resource ID for an existing Log Analytics Workspace with usage enforced by ALZ policies. | Log Analytics Workspace Resource Id
e.g.: /subscriptions/{subId}/resourceGroups/{rgId}/providers/Microsoft.OperationalInsights/workspaces/slz-log-analytics-westus21 | compliance | + | 25 | parRequireOwnerRolePermission | Set this to true if any policies in the initiative include a modify effect. | true; false | all, compliance | + | 26 | parPolicyExemptions | Optional list of policy exemptions. | Sample Format:

[{
"parPolicyExemptionManagementGroup":`value`,
"parPolicyAssignmentName":`value`,
"parPolicyAssignmentScopeName":`value`, 
"parPolicyDefinitionReferenceIds":`[]`, 
"parPolicyExemptionName":`value`,
"parPolicyExemptionDisplayName":`value`, 
"parPolicyExemptionDescription":`value` 
}]

`parPolicyExemptionManagementGroup` - Management group being exempted from the assignment scope, e.g.: slz-landingzones-confidential-corp
`parPolicyAssignmentName` - Name of the original policy assignment, e.g.: Deploy-SLZ-Root
`parPolicyAssignmentScopeName` - Top-level management group where policy was assigned, e.g.: slz
`parPolicyDefinitionReferenceIds` - Array of reference IDs of the policies being exempted, e.g.: "['AllowedLocation']" 
`parPolicyExemptionName` - Customized name for exemption, e.g.: Disable-locations
`parPolicyExemptionDisplayName` - Human readable customized name for exemption, e.g.: Disable Locations from Scope 
`parPolicyExemptionDescription` - Description of the exemption, e.g.: Disabling location restrictions defined on the top-level management group to the slz-landingzones-confidential-corp MG | policyexemptions | + | 27 | parExpressRouteGatewayConfig | Optional configuration options for the ExpressRoute Gateway. | ExpressRoute Gateway Configuration

Sample Format:
{
"sku": "standard",
"vpntype": "RouteBased",
"vpnGatewayGeneration": null,
"enableBgp": false,
"activeActive": false,
"enableBgpRouteTranslationForNat": false,
"enableDnsForwarding": false,
"asn": 65515,
"bgpPeeringAddress": "",
"peerWeight": 5
} | all, platform | + | 28 | parVpnGatewayConfig | Optional configuration options for the VPN Gateway. | VPN Gateway Configuration

Sample Format:
{
"sku": "VpnGw1",
"vpntype": "RouteBased",
"generation": "Generation1",
"enableBgp": false,
"activeActive": false,
"enableBgpRouteTranslationForNat": false,
"enableDnsForwarding": false,
"asn": 65515,
"bgpPeeringAddress": "",
"peerWeight": 5
} | all, platform | + | 29 | parDeployBastion | Toggles deployment of Azure Bastion. True to deploy, otherwise false. | true; false | all, platform | + | 30 | parLandingZoneMgChildren | Optional array of child management groups to deploy under the SLZ Preview Landing Zones management group. | Sample Format: [{"id": "mymg", "displayName": "My MG display name"}] | all, bootstrap | + | 31 | parDeployAlzDefaultPolicies | Toggles assignment of ALZ policies. True to deploy, otherwise false. | true; false | all, compliance | + | 32 | parAutomationAccountName | Optional resource name for an existing Azure Automation account with usage enforced by ALZ policies. | Automation Account name
e.g.: slz-managed-identity-westus21 | all, compliance | + | 33 | parPrivateDnsResourceGroupId | Optional resource ID of the Azure Resource Group that contains the Private DNS Zones with usage enforced by ALZ policies. | Resource Group ID
e.g.: /subscriptions/{subId}/resourceGroups/slz-rg-hub-network-westus2 | all, compliance | + | 34 | parMsDefenderForCloudEmailSecurityContact | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. | Email address | all, compliance | + | 35 | parBastionOutboundSshRdpPorts | Array of outbound destination ports and ranges for Azure Bastion. | An array of values (ports)
e.g.: ["22", "3389"] | all, platform | + | 36 | parInvokePolicyScanSync | Toggles executing the policy scan in synchronous mode. True to run policy scan in synchronous mode, False for asynchronous. When set to false, policy remediation needs to be manually triggered once the scan is complete. Note that when policy scan is run asynchronously, there isn't a way to track its progress. | true; false | all, compliance | + | 37 | parInvokePolicyRemediationSync | Toggles executing the policy scan in synchronous mode. True to run policy remediation in synchronous mode, False for asynchronous. | true; false | all, compliance | + | 38 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Policy Baseline. | Choose one: "Audit", "Deny", "Disabled", "DeployIfNotExists", "Modify", "Append", "AuditIfNotExists" | all, compliance | + | 39 | parDeployLogAnalyticsWorkspace | Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false. | true; false | all, platform | + | 40 | parCustomerPolicySets | Customer specified policy assignments to the top-level management group of the SLZ Preview. No parameters are supported as part of the assignment. | Name field can only be a letter, digit, '-', '.' or '_' and cannot have any trailing special character.
See the SLZ Preview parameter file for a sample configuration. | all, compliance |
+ | 41 | parTags | Tags that will be assigned to subscription and resources created by this deployment script. | See the SLZ Preview parameter file for a sample configuration. | all, bootstrap, platform, and dashboard |
+
+## Next step
+
+[Deploy the Sovereign Landing Zone Preview](08-Deploy-SLZ-Preview.md)
+
+### [Preview Notice](./PREVIEW.md)
diff --git a/docs/08-Deploy-SLZ-Preview.md b/docs/08-Deploy-SLZ-Preview.md
new file mode 100644
index 00000000..e4c81d46
--- /dev/null
+++ b/docs/08-Deploy-SLZ-Preview.md
@@ -0,0 +1,22 @@
+# Deploy the Sovereign Landing Zone Preview using the PowerShell script
+
+**Prerequisite:** Please be sure to follow the steps in [Permissions and Tooling](05-Permissions-Tooling.md) to ensure latest tools are installed and the right permissions levels are available.
+
+## Deployment Steps
+
+1. Open PowerShell.
+1. In your version of the GitHub repository, navigate to `/orchestration/scripts`.
+1. Run the `New-SovereignLandingZone.ps1` deployment script.
+ - *Note: Must be in the scripts folder to run successfully.*
+1. Follow the prompts to complete your deployment.
+ - *Note: Enter `all` for a new deployment or run as `.\New-SovereignLandingZone.ps1 -parDeployment all`.*
+ - See the [pipeline deployment](scenarios/Pipeline-Deployments.md) doc for more information about alternate deployment methods and the `New-SovereignLandingZone.ps1` script parameters.
+1. Confirm deployment completion by navigating to the Azure Portal Dashboard link provided in the output.
+
+Please reference [Frequently Asked Questions](12-FAQ.md) for commons errors and resolutions, or reference [Deployment Scenarios](scenarios/README.md) for common operations.
+
+## Next step
+
+[Deploy Customize Policies](09-Customize-Policies.md)
+
+### [Preview Notice](./PREVIEW.md)
diff --git a/docs/09-Customize-Policies.md b/docs/09-Customize-Policies.md
new file mode 100644
index 00000000..a9fd9994
--- /dev/null
+++ b/docs/09-Customize-Policies.md
@@ -0,0 +1,15 @@
+# Customize and configure policies
+
+A default installation of the SLZ Preview will come with the Sovereignty Policy Baseline deployed with a `Deny` effect and all the ALZ Polices assigned. However, it is common for organizations to customize and configure policies further to meet their governance requirements. Details on how to achieve this can be found in one of the following areas:
+
+1. Review the [Sovereignty Policy Baseline](scenarios/Sovereignty-Policy-Baseline.md) page for more details about configuring the baseline.
+2. Review the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) page and links within that page for more details about policy governance within the landing zone, and review the [Microsoft Cloud Security Benchmark](https://aka.ms/azsecbm) documentation for details about best security practices.
+ * The Microsoft Cloud Security Benchmark are part of the ALZ Policy initiatives.
+3. Review the [Policy Portfolio](scenarios/Using-Policy-Portfolio.md) page for more details about using one of the initiatives within the portfolio or how any built-in policy initiatives can be used.
+4. Review the [Custom Policies](scenarios/Custom-Policies.md) page for more details about deploying other organization-specific custom policies.
+
+## Next step
+
+[View your compliance dashboard.](10-Compliance-Dashboard.md)
+
+### [Preview Notice](./PREVIEW.md)
diff --git a/docs/10-Compliance-Dashboard.md b/docs/10-Compliance-Dashboard.md
new file mode 100644
index 00000000..05a41f69
--- /dev/null
+++ b/docs/10-Compliance-Dashboard.md
@@ -0,0 +1,37 @@ +# Compliance Dashboard + +## Overview + +[Sovereign Landing Zone Preview Compliance Dashboard](https://portal.azure.com/#dashboard) provides customers with a singular page that aggregates various Azure policy compliance views and queries to show an overview of their resource compliance. Customers can get insight into this resource-level compliance against the baseline policies deployed with the SLZ Preview as well as additional custom compliance that has been deployed. + +The [Sovereign Landing Zone Preview Compliance Dashboard](https://portal.azure.com/#dashboard) can be accessed in the Shared Dashboards section of the Azure Portal. The naming convention follows the pattern `${parDeploymentPrefix}-Sovereign-Landing-Zone-Dashboard-Preview-${parDeploymentLocation}`, utilizing the parameters provided during deployment. + +## Dashboard Tiles + +The compliance dashboard is customizable and [can be extended](scenarios/Extending-Compliance-Dashboard.md) as needed. The tiles that are deployed as part of the baseline SLZ Preview are described below. Note that resources deployed within the portal may create multiple internal resources or components that are tracked separately by the compliance score. This notion is shared across all tiles, so the total count numbers displayed for compliance may be different from the total resource count number. + +| Key | Tiles | Description | +|-----|--------|-------------| +| 1 | Overall resources compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with all policies applied within the SLZ Preview. This calculation is also inclusive of the policies and initiatives assigned by the customer. | +| 2 | Overall data residency compliance score | Indicates the number of resources in the SLZ Preview top-level management group that are compliant with data residency policies applied within the SLZ Preview. 
| +| 3 | Overall confidential compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with encryption policies meant to keep data confidential and encrypted from Microsoft as the cloud operator. Note that resources of a valid SKU do not contribute to the total resource count by design: [Update in Policy Compliance for Resource Type Policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/) | +| 4 | Resources by compliance state | Number of resources that are in each compliance state as evaluated by Azure Policy. | +| 5 | Resource compliance percentage by subscription | Resource compliance percentage for each subscription that has applicable resources under it. This count also includes compliance reports for resource group and subscription compliance. | +| 6 | Resource compliance percentage per policy initiative | Resource compliance percentage for each policy initiative that has applicable resources under it. Supports custom initiatives if the policy initiative is being applied to applicable resources. This count also includes compliance reports for resource group and subscription compliance. | +| 7 | Resource compliance percentage per policy group | Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ Preview bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal. | +| 8 | Non-Compliant and Exempt resources | Non-compliant and exempt resources as well as relevant information to act against those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. 
| +| 9 | Non-Compliant resources by location | Resources that are in regions outside of the custom defined safe regions list. The tile will only show resources that are in locations which are not allowed by the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy. | +| 10| Resource exemptions | Resources that have been made exempt to data residence policies with actionable information. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | +| 11 | Resources outside of safe regions | All non-compliant resources and their location with enough detail to act. The tile will show resources that are in locations which are exempted under the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy and there’s an exemption created for those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. | +| 12 | Resource compliance score for encryption at rest policy group | Percentage of resources that are compliant with the encryption at rest policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. | +| 13 | Resource compliance score for encryption in transit policy group | Percentage of resources that are compliant with the data transit encryption policy group. 
The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
+| 14 | Resource compliance score for confidential computing policy group | Percentage of resources that are compliant with the confidential computing policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. |
+| 15 | Confidential resource exemptions | Shows the resources that have been made exempt from confidential policies with enough detail to act. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. Resources within the Confidential Corp and Confidential Online Management Groups are *NOT* expected to be exempt from the Allowed locations listed here as this tile shows the exemptions of the SlzConfidentialPolicies initiative. |
+
+![DashboardMarkup](images/github_compliance-dashboard.png)
+
+## Next step
+
+[Conclusion](11-Conclusion.md)
+
+## [Preview Notice](./PREVIEW.md)
diff --git a/docs/11-Conclusion.md b/docs/11-Conclusion.md
new file mode 100644
index 00000000..9569c73d
--- /dev/null
+++ b/docs/11-Conclusion.md
@@ -0,0 +1,11 @@
+# Completed Deployment
+
+## Congratulations
+
+You have successfully deployed the Sovereign Landing Zone Preview.
+
+You can now improve upon on your [compliance policies](09-Customize-Policies.md) as needed and view the results in your [dashboard](10-Compliance-Dashboard.md). View how to [deploy platform or application landing zones](scenarios/Landing-Zone-Vending.md) to host your workloads within the SLZ Preview for common next steps.
+
+Visit our [Frequently Asked Questions](12-FAQ.md) page for common queries or [Scenarios](scenarios/README.md) for common post-deployment operations. Log a [GitHub Issue](https://github.com/Azure/sovereign-landing-zone/issues) for any problems you are encountering getting started with or managing your SLZ Preview deployment.
+
+## [Preview Notice](./PREVIEW.md)
diff --git a/docs/12-FAQ.md b/docs/12-FAQ.md
new file mode 100644
index 00000000..d01422f6
--- /dev/null
+++ b/docs/12-FAQ.md
@@ -0,0 +1,224 @@ +# Sovereign Landing Zone Preview - Frequently Asked Questions + +This document answers the most common questions related to the Sovereign Landing Zone Preview deployment and modules. + +To report issues or get support, please submit a ticket through [GitHub Issues](https://github.com/Azure/sovereign-landing-zone/issues) or review the [troubleshooting docs](./13-Troubleshooting.md). + +## Sovereign Landing Zone Preview + +### Why use Bicep over Terraform? + +There are a wide variety of deployment technologies available for customers to choose from and Terraform is commonly used to simplify operations especially for organizations that are multi-cloud. Bicep was selected as the first deployment technology to use for the SLZ Preview, and we will endeavor to support additional languages based upon customer need. Submit a [feature request](https://github.com/Azure/sovereign-landing-zone/issues) to let us know which ones are important for you! + +### Is SLZ Preview an Application / Workload? + +The SLZ Preview is not an application, but rather simplifies the process for deploying or migrating an application to Azure. For more details about landing zones and how they support Azure adoption, review the [Cloud Adoption Framework](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) docs on this subject. + +## Permissions and Tooling + +### How do I create an enrollment ID? + +The specific steps vary depending on the Azure Account type you are using. For more information visit the [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription), which describes everything required to create subscriptions for each Azure Account type. + +### Why do I need elevated permissions to deploy the Sovereign Landing Zone Preview? + +**Note** the reduced permission set listed below is pending completion this feature. 
Documentation is being left as-is to show the current direction. When the feature is finished, this note will be removed and it will be listed in the release notes. For the time being, Global Administrator with elevated Azure permissions are required. + +This permission is no longer needed, but can be useful for organizations that are getting started with Azure. For more details about permissions review the docs on the [current recommended permissions](./05-Permissions-Tooling.md) or [reduced permission sets required](./scenarios/Piloting-SLZ.md). + +### Why do I get an error when I try to login using `az login` about no subscriptions? + +To login to a tenant where no subscriptions exist, please use this command: `az login --allow-no-subscriptions`. + +### Why do I get 'User Permission Check Failed' error? + +Elevating permissions is no longer required, but it may be useful for organizations that are getting started with Azure. For more details about permissions review the docs on the [current recommended permissions](./05-Permissions-Tooling.md) or [reduced permission sets required](./scenarios/Piloting-SLZ.md). + +If elevating permissions is the preferred route for your organization, you may get an error such as: + +![AccessError](images/deployerror-vscode.png) + +Navigate to the Azure Active Directory Properties screen and ensure `Access management for Azure resources` is set to `Yes`. + +![AzurePermissions](images/access-permissions.png) + +### Why am I still getting an error about permissions even after my permissions have been elevated? + +If you are using Azure CLI, you may need to logout using `az logout` and reconnect. If you are still having issues, please contact your Global Administrator or log an [Issue](https://github.com/Azure/sovereign-landing-zone/issues). + +### Why am I unable to connect to Azure or run az commands? + +You may not have the latest versions of Azure CLI and Bicep installed. 
Confirm that you are on the latest version of both and try connecting again. +Check [Permissions and Tooling](/docs/05-Permissions-Tooling.md) for more information. + +### Why are the scripts using the wrong user? + +For individuals that have multiple accounts, it may happen that an unexpected account is currently active causing the SLZ Preview to use it for deployments. This can be resolved by running `Disconnect-AzAccount` in PowerShell to logout, then running `Connect-AzAccount` to log back in with the right account. + +## Deploying the Sovereign Landing Zone Preview + +### Why did my deployment pause in PowerShell? + +This could be due to a left mouse click in the PowerShell window, causing the window to enter a text selection mode. Pressing Enter will restart the deployment. + +### Why is the script retrying and failing even after I have confirmed that I have the right permissions? + +It may take several hours for billing permissions required to setup or use a billing scope to go into effect, during which point the SLZ Preview will not be deployable. Please run the `Confirm-SovereignLandingZonePrerequisites.ps1` script, and wait around 4 hours before retrying the deployment. + +### When running the deployment script, I get a "DeploymentFailed" error with the description "The aggregated deployment error is too large. Please list deployment operations to get the deployment details. Please see `https://aka.ms/DeployOperations` for usage details." How do I fix this?** + +Please re-try running the script to fix this error. Log an Issue if the problem persists. + +### Why am I getting a "deployment already exists" error? + +This commonly because a previous SLZ preview deployment shared the same prefix and suffix. You'll need to clean up the old deployment if you want to reuse the prefix and suffix set. + +This can be accomplished by running the `Remove-AzDeployment` command in PowerShell. 
For Azure CLI, use the `az deployment tenant delete -n ` or `az deployment mg delete -management-group-id --name` commands. + +*Please be aware and careful when using the delete command. Any resources and workloads that were migrated will also be deleted.* + +### Why am I getting a "Subscription Alias Already Exist" error? + +This commonly because a previous SLZ preview deployment shared the same prefix and suffix. See the `Why am I getting a "deployment already exists" error?` FAQ for resolution steps. + +### I am getting a 'ReferencedResourceNotProvisioned' error. How do I resolve this? + +If you encounter this error, it is likely due to a transient issue with resource availability. The SLZ Preview deployment script has retry logic to resolve these types of issues, but it may be necessary to rerun the SLZ Preview deployment script if the script terminates. + +If it is a viable option, you can attempt deployment to a different region. + +### Why am I getting a deployment failure when attempting to deploy the platform? + +This error is likely to occur if the subscriptions being created in the Bootstrap step are not yet active. Wait 30 minutes and try again. If the problem persists, please log an [Issue](https://github.com/Azure/sovereign-landing-zone/issues). + + { + "status": "Failed", + "error": { + "code": "DeploymentFailed", + "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.", + } + +### What are the allowed Azure resource types for confidential management groups (Confidential Corp and Confidential Online)? 
+ +For an overview of confidential computing resources in Azure please refer to this [documentation.](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) The list used by the SLZ Preview can be found [here](../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json), and the list can be customized to meet an organization's needs. + +### What information should I consider removing from my failed deployment details logs? + +Under `/modules/util/Get-FailedDeploymentDetails.ps1` is a PowerShell script that aids in generating the logs for the failed deployments. Execute this script to share the deployment error logs with Microsoft for troubleshooting. + +This script may capture some information that you should consider removing before sending to Microsoft based on the parameters provided. Below we explain where this information can be surfaced so that you know what text from the JSON file you can consider removing before sending to Microsoft. + + **tenantlogs.json considerations** + +In the generated `tenantlogs.json` consider the following. If you enter your name, like `ABC`, as a deployment prefix, your name may appear in a few areas of the log file: + +* In any `targetResource.id` you may see the following `"id": "/providers/Microsoft.Subscription/aliases/ABC-identity"`. +* In `targetResource.resourceName` you may see the following `"resourceName": "ABC-identity"`, for example. + + **managementgrouplogs.json considerations** + +In the generated `managementgrouplogs.json` consider the following. 
If you enter your company name, like `xbox`, as a deployment prefix, the company name may appear in a few areas of the log file: + +* In any `targetResource.id` you may see the following `"id": "/subscriptions/aec8ebac-dc86-4012-b19a-b4fdea23e635/resourceGroups/rg-xbox-hub-network-eastus/providers/Microsoft.Resources/deployments/xbox-deploy-Hub-Network-20221104T205002Z"` +* In any `targetResource.resourceName` you may see the following `"resourceName": "xbox-deploy-Hub-Network-20221104T205002Z"` +* In any `targetResource.resourceGroup` you may see the following `"resourceGroup": "rg-xbox-hub-network-eastus"`. + +Also consider the information stored in the `properties.statusMessage.message` as this may contain information on the prefix used. + +### I am getting an error that says "Unable to edit or replace deployment..." What should I do? + +This error indicates that there is an active deployment in progress while an attempt is being made to start the same deployment again. Wait for the deployment to complete and then run the deployment again, if required. + +### I am getting a different deployment error. Where can I find more information? + +Please reference the Microsoft Learn document that addresses [common Azure deployment errors](https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/common-deployment-errors). + +### Why am I getting an error message stating `Account already exists in another resourcegroup in a subscription` + +This commonly happens with Private Preview customers attempting to upgrade to the Public Preview version. For more details look at our [upgrade documentation](./06-Upgrade-Existing-SLZ-Preview.md). + +### Why do I keep getting an error message stating creating the deployment will exceed the quota of '800'? + +In most cases this will be automatically resolved in 1-2 hours. 
Azure will keep a deployment history up to the most recent 800 deployments and by default it will automatically prune this history down to the most recent 600 deployments. However, if multiple deployments are being made in rapid succession, it's possible to hit the max history of 800 before automatic systems can remove older deployments.
+
+More details can be found at [https://aka.ms/800LimitFix](https://aka.ms/800LimitFix)
+
+While it's recommended to wait for Azure to automatically clean up the deployment history, some users may need an immediate fix. Below is a reference script that can be used to resolve the issue. It is necessary for users to review this script to ensure it's only deleting the relevant deployment history as this action is not reversible.
+
+```
+ #EXAMPLE SCRIPT ONLY, USER-SPECIFIC MODIFICATIONS REQUIRED
+
+ #provide deployment prefix and suffix for which deployment history needs to be deleted
+ $parDeploymentPrefix = ""
+ $parTopLevelManagementGroupSuffix = ""
+
+ #fetch all management groups
+ $varManagementGroupId = "$parDeploymentPrefix$parTopLevelManagementGroupSuffix"
+ $response = Get-AzManagementGroup -GroupName $varManagementGroupId -Expand -Recurse
+ $managementGroups = @($varManagementGroupId)
+
+ foreach ($children in $response.Children) {
+ $managementGroups += $children.Name;
+ if($children.Count -gt 0) {
+ for ($i=0; $i -le $children.Count; $i++) {
+ $managementGroups += $children[$i].Children.Name
+ }
+ }
+ }
+
+ #fetch all subscriptions under the managementGroups
+ $subscriptions = @()
+ foreach($mg in $managementGroups ) {
+ if($mg) {
+ $subscriptions += Get-AzManagementGroupSubscription -GroupName $mg
+ }
+ }
+
+ #fetch resourcegroups under the subscriptions and for each resource groups get the deployments name and delete the corresponding deployment from deployment history
+ $subscriptions | ForEach-Object {
+ Set-AzContext -SubscriptionName $_.DisplayName
+ Get-AzResourceGroup | ForEach-Object {
+ $deployments = 
Get-AzResourceGroupDeployment -ResourceGroupName $_.ResourceGroupName
+ foreach ($deployment in $deployments) {
+ Remove-AzResourceGroupDeployment -ResourceGroupName $_.ResourceGroupName -Name $deployment.DeploymentName
+ }
+ }
+ }
+```
+
+### Can I Use a Managed Identity / Service Principal to Deploy the SLZ Preview?
+
+Yes, provided this identity has been successfully authenticated prior to initiating the deployment such as through an `az login` command. The `New-SovereignLandingZone.ps1` script has two relevant CLI parameters that should be used:
+
+* *parDeployment*: Default `null`. This parameter specifies the deployment type so it doesn't need to be typed in manually.
+* *parAttendedLogin*: Default `$true`. This parameter tells the script to perform various login and validation steps that are not necessary when using a managed identity.
+
+A managed identity with appropriate permissions and running in a context with all necessary modules installed can deploy the SLZ Preview through a command such as this:
+
+```
+.\New-SovereignLandingZone.ps1 -parDeployment all -parAttendedLogin $false
+```
+
+Reference our [pipeline deployments](./scenarios/Pipeline-Deployments.md) document for additional details.
+
+### Can I Choose which Parameter File to Use?
+
+Yes, for many organizations with multiple SLZ Preview deployments it is advisable to minimize operational activities by creating a new parameter file for each SLZ Preview deployment. The `New-SovereignLandingZone.ps1` script has one relevant CLI parameter that should be used:
+
+* *parParametersFilePath*: Default `.\parameters\sovereignLandingZone.parameters.json`. This is the relative path from the `New-SovereignLandingZone.ps1` script to the parameter file. 
+
+An organization with multiple SLZ Preview deployments each with a unique parameter file in the local parameters directory can manage a new deployment through a command such as this:
+
+```
+.\New-SovereignLandingZone.ps1 -parParametersFilePath .\parameters\testSLZ.parameters.json
+```
+
+Reference our [pipeline deployments](./scenarios/Pipeline-Deployments.md) document for additional details.
+
+## Compliance Dashboard
+
+### How can I give 'read only' access to a user in my organization to the dashboard?
+
+You will need to assign an Azure `Reader` role the user at the top-level management group scope. Please follow instructions here on how to add an Azure role: [Azure Role Based Access Control](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)
+
+## [Preview Notice](./PREVIEW.md)
diff --git a/docs/13-Troubleshooting.md b/docs/13-Troubleshooting.md
new file mode 100644
index 00000000..31d97cdd
--- /dev/null
+++ b/docs/13-Troubleshooting.md
@@ -0,0 +1,61 @@
+# Troubleshooting
+
+If you are running into issues with your SLZ Preview deployment, review the common troubleshooting topic here or common questions in the [FAQ](./12-FAQ.md). If neither of these resolve your issue, please reach out for assistance through your standard support process or file a [GitHub issue](https://github.com/Azure/sovereign-landing-zone/issues) with us.
+
+## Determining Deployment Steps
+
+When a user creates or updates the SLZ Preview, they will execute the `/orchestration/scripts/New-SovereignLandingZone.ps1` script. This script has a required `parDeployment` parameter, but it will also prompt the user to select if not provided. Review the [deployment overview](./03-Deployment-Overview.md) doc for more information about deployment steps.
+
+Any time the user should be informed of a specific log, that log will start with `>>>` including when a deployment step is beginning or ending. When an error occurs, the current deployment step will be the last deployment step printed in the logs. The screenshot below shows an example for the bootstrap deployment step.
+
+![SLZ Preview Deployment Step in Logs](images/ViewDeploymentStep.png)
+
+## Determining Error from the Error Message
+
+When an error occurs, the error message will most often be presented in a human readable format in red text, with the relevant details being contained within the `Status Message` field as seen below or in a generic `Message` field.
+
+![SLZ Preview Erro in Logs](images/ViewErrorFromLog.png)
+
+## Bootstrap Errors
+
+### User is not authorized to create subscriptions on this enrollment account.
+
+This error means that the SLZ Preview parameter `parSubscriptionBillingScope` value is not valid. Refer to the [permissions setup](./05-Permissions-Tooling.md) doc for more details about the permissions required for your Azure Agreement type.
+
+Once a valid value is provided, rerun the SLZ Preview deployment. 
+
+### The provided location [LOCATION] is not available for deployment.
+
+This error means that the SLZ Preview parameter `parDeploymentLocation` value is referring to a region that the user does not have permissions to use. This is commonly the case when there is a typo in this value.
+
+Once a valid value is provided, rerun the SLZ Preview deployment.
+
+### Invalid deployment location [LOCATION]. The deployment [DEPLOYMENT NAME] already exists in location [OTHER LOCATION].
+
+This error commonly means that the `parDeploymentLocation` value has been changed when trying to update an existing SLZ Preview deployment, or that the `parDeploymentPrefix` and `parDeploymentSuffix` value pair is already being used by an existing SLZ Preview deployment.
+
+If you are attempting to move the SLZ Preview deployment, you will need to instead create a new SLZ Preview deployment with a unique `parDeploymentPrefix` and `parDeploymentSuffix` value pair as Azure resources in general cannot be moved.
+
+If an existing SLZ Preview deployment is already using the `parDeploymentPrefix` and `parDeploymentSuffix` value pair, you will need to select a new value for one or both of those parameters. Once a valid set of values are provided, rerun the SLZ Preview deployment.
+
+## Platform Errors
+
+### [Subnet] has an invalid CIDR notation.
+
+This error commonly occurs when the subnet CIDR range for one of the subnets is outside the hub VNET CIDR range. You will need to review the `parHubNetworkAddressPrefix`, `parAzureBastionSubnet`, `parGatewaySubnet`, `parAzureFirewallSubnet`, and `parCustomSubnets` parameters to ensure there are no overlaps and all subnet ranges are within the hub VNET CIDR range.
+
+Once valid values are provided for the hub VNET and subnets, rerun the SLZ Preview deployment.
+
+### Resource [LOG ANALYTICS WORKSPACE RESOURCE OR SOLUTION ID] was disallowed by policy. 
+
+This error means that the SLZ Global Defaults policy assignment has been configured to block the `parDeploymentLocation`. This commonly occurs when trying to update an existing SLZ Preview deployment. You will need to review the `parAllowedLocations` array to ensure it contains the `parDeploymentLocation` value.
+
+Once a valid value is provided, run the SLZ Preview compliance deployment step to update the policy assignment, then rerun the SLZ Preview deployment. This error is related to the other ones where policy is blocking the resource.
+
+## Dashboard Errors
+
+### Resource [DASHBOARD RESOURCE GROUP NAME] was disallowed by policy.
+
+This error means that the SLZ Global Defaults policy assignment has been configured to block the `parDeploymentLocation`. This commonly occurs when trying to create a new SLZ Preview deployment. You will need to review the `parAllowedLocations` array to ensure it contains the `parDeploymentLocation` value.
+
+Once a valid value is provided, run the SLZ Preview compliance deployment step to update the policy assignment, then rerun the SLZ Preview deployment. This error is related to the other ones where policy is blocking the resource.
diff --git a/docs/PREVIEW.md b/docs/PREVIEW.md
new file mode 100644
index 00000000..a0faa1f5
--- /dev/null
+++ b/docs/PREVIEW.md
@@ -0,0 +1,3 @@
+# Preview Notice
+
+**Preview Terms**. The Sovereign Landing Zone Preview (the "PREVIEW") is licensed to you as part of your [Azure subscription](https://azure.microsoft.com/en-us/support/legal/) and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the Microsoft Product Terms and the [Microsoft Products and Services Data Protection Addendum ("DPA")](https://www.microsoft.com/licensing/terms/welcome/welcomepage). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, you should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the [DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability.
diff --git a/docs/images/LightHouseTenantID.png b/docs/images/LightHouseTenantID.png
new file mode 100644
index 00000000..09d85775
Binary files /dev/null and b/docs/images/LightHouseTenantID.png differ
diff --git a/docs/images/LighthouseSubscriptionID.png b/docs/images/LighthouseSubscriptionID.png
new file mode 100644
index 00000000..4a0b3d98
Binary files /dev/null and b/docs/images/LighthouseSubscriptionID.png differ
diff --git a/docs/images/Upgrade-ComplianceDetails.png b/docs/images/Upgrade-ComplianceDetails.png
new file mode 100644
index 00000000..b3bfb050
Binary files /dev/null and b/docs/images/Upgrade-ComplianceDetails.png differ
diff --git a/docs/images/Upgrade-ManagementGroup.png b/docs/images/Upgrade-ManagementGroup.png
new file mode 100644
index 00000000..b6c14757
Binary files /dev/null and b/docs/images/Upgrade-ManagementGroup.png differ
diff --git a/docs/images/Upgrade-ManagementGroupDetail.png b/docs/images/Upgrade-ManagementGroupDetail.png
new file mode 100644
index 00000000..c2d64247
Binary files /dev/null and b/docs/images/Upgrade-ManagementGroupDetail.png differ
diff --git a/docs/images/Upgrade-PolicyAssignmentDelete.png b/docs/images/Upgrade-PolicyAssignmentDelete.png
new file mode 100644
index 00000000..d5f5d61a
Binary files /dev/null and b/docs/images/Upgrade-PolicyAssignmentDelete.png differ
diff --git a/docs/images/Upgrade-PolicyAssignmentFilter.png b/docs/images/Upgrade-PolicyAssignmentFilter.png
new file mode 100644
index 00000000..713cd0d6
Binary files /dev/null and b/docs/images/Upgrade-PolicyAssignmentFilter.png differ
diff --git a/docs/images/Upgrade-PolicyAssignmentScope.png b/docs/images/Upgrade-PolicyAssignmentScope.png
new file mode 100644
index 00000000..e0ec41b9
Binary files /dev/null and b/docs/images/Upgrade-PolicyAssignmentScope.png differ
diff --git a/docs/images/Upgrade-PolicyAssignmentsBlade.png b/docs/images/Upgrade-PolicyAssignmentsBlade.png
new file mode 100644
index 00000000..86bd94c6
Binary files /dev/null and b/docs/images/Upgrade-PolicyAssignmentsBlade.png differ
diff --git a/docs/images/Upgrade-PolicyDefinitionFilter.png b/docs/images/Upgrade-PolicyDefinitionFilter.png
new file mode 100644
index 00000000..465b556b
Binary files /dev/null and b/docs/images/Upgrade-PolicyDefinitionFilter.png differ
diff --git a/docs/images/Upgrade-PolicyDefinitionFilterDelete.png b/docs/images/Upgrade-PolicyDefinitionFilterDelete.png
new file mode 100644
index 00000000..3e8ece73
Binary files /dev/null and b/docs/images/Upgrade-PolicyDefinitionFilterDelete.png differ
diff --git a/docs/images/Upgrade-PolicyDefinitionList.png b/docs/images/Upgrade-PolicyDefinitionList.png
new file mode 100644
index 00000000..625f682c
Binary files /dev/null and b/docs/images/Upgrade-PolicyDefinitionList.png differ
diff --git a/docs/images/ViewDeploymentStep.png b/docs/images/ViewDeploymentStep.png
new file mode 100644
index 00000000..10d4af38
Binary files /dev/null and b/docs/images/ViewDeploymentStep.png differ
diff --git a/docs/images/ViewErrorFromLog.png b/docs/images/ViewErrorFromLog.png
new file mode 100644
index 00000000..58acc569
Binary files /dev/null and b/docs/images/ViewErrorFromLog.png differ
diff --git a/docs/images/access-permissions.png b/docs/images/access-permissions.png
new file mode 100644
index 00000000..28c4c99d
Binary files /dev/null and b/docs/images/access-permissions.png differ
diff --git a/docs/images/accessmanagementpermissions.png b/docs/images/accessmanagementpermissions.png
new file mode 100644
index 00000000..964cbe3e
Binary files /dev/null and b/docs/images/accessmanagementpermissions.png differ
diff --git a/docs/images/alz-update-initiative-with-builtin-01.png b/docs/images/alz-update-initiative-with-builtin-01.png
new file mode 100644
index 00000000..63ba11a7
Binary files /dev/null and b/docs/images/alz-update-initiative-with-builtin-01.png differ
diff --git a/docs/images/alz-update-initiative-with-builtin-04.png b/docs/images/alz-update-initiative-with-builtin-04.png
new file mode 100644
index 00000000..bb3a3196
Binary files /dev/null and b/docs/images/alz-update-initiative-with-builtin-04.png differ
diff --git a/docs/images/custom-policies-folder.png b/docs/images/custom-policies-folder.png
new file mode 100644
index 00000000..c49de9fc
Binary files /dev/null and b/docs/images/custom-policies-folder.png differ
diff --git a/docs/images/deployerror-vscode.png b/docs/images/deployerror-vscode.png
new file mode 100644
index 00000000..c218b786
Binary files /dev/null and b/docs/images/deployerror-vscode.png differ
diff --git a/docs/images/downloadzipofrepo.png b/docs/images/downloadzipofrepo.png
new file mode 100644
index 00000000..87abbff1
Binary files /dev/null and b/docs/images/downloadzipofrepo.png differ
diff --git a/docs/images/empty-custom-policies.png b/docs/images/empty-custom-policies.png
new file mode 100644
index 00000000..d9d2310e
Binary files /dev/null and b/docs/images/empty-custom-policies.png differ
diff --git a/docs/images/forkgithubrepo.png b/docs/images/forkgithubrepo.png
new file mode 100644
index 00000000..19b31fdb
Binary files /dev/null and b/docs/images/forkgithubrepo.png differ
diff --git a/docs/images/github_compliance-dashboard.png b/docs/images/github_compliance-dashboard.png
new file mode 100644
index 00000000..bbf38b83
Binary files /dev/null and b/docs/images/github_compliance-dashboard.png differ
diff --git a/docs/images/parBillingAccountID.png b/docs/images/parBillingAccountID.png
new file mode 100644
index 00000000..4754819c
Binary files /dev/null and b/docs/images/parBillingAccountID.png differ
diff --git a/docs/images/parEnrollmentID.png b/docs/images/parEnrollmentID.png
new file mode 100644
index 00000000..f9aa51e8
Binary files /dev/null and b/docs/images/parEnrollmentID.png differ
diff --git a/docs/images/sovereign-scale-architecture.png b/docs/images/sovereign-scale-architecture.png
new file mode 100644
index 00000000..e8902f74
Binary files /dev/null and b/docs/images/sovereign-scale-architecture.png differ
diff --git a/docs/scenarios/Custom-Policies.md b/docs/scenarios/Custom-Policies.md
new file mode 100644
index 00000000..3f9fd431
--- /dev/null
+++ b/docs/scenarios/Custom-Policies.md
@@ -0,0 +1,43 @@
+# Customize baseline policies
+
+Once the SLZ Preview is deployed, the management group structure, subscriptions, and the [sovereignty policy baseline](Sovereignty-Policy-Baseline.md) will be in place. While the baseline can be configured, it may be necessary to apply additional policies to address local laws and regulations. Review the [Microsoft Cloud for Sovereignty Policy Portfolio](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) for policies that support specific regulations, or follow the below steps to deploy your own policies alongside the SLZ Preview.
+
+## Customization step by step
+
+The SLZ Preview allows for custom policy initiatives to be deployed within the standard management group scopes for each deployment through the following:
+
+1. Navigate to the custom policy definitions located in `/custom/policies/definitions` in your version of the GitHub repository.
+2. Each definition corresponds to one of the default management group scopes deployed as part of the SLZ Preview management group hierarchy ![Custom Policy Folder](../images/custom-policies-folder.png)
+ * `slzConfidentialCustom.json` -> Confidential Corp and Confidential Online Management Groups
+ * `slzConnectivityCustom.json` -> Connectivity Management Group
+ * `slzCorpCustom.json` -> Corp and Confidential Corp Management Groups
+ * `slzDecommissionedCustom.json` -> Decommissioned Management Group
+ * `slzGlobalCustom.json` -> The Top-Level Management Group
+ * `slzIdentityCustom.json` -> Identity Management Group
+ * `slzLandingZoneCustom.json` -> Landing Zones Management Group
+ * `slzManagementCustom.json` -> Management Management Group
+ * `slzOnlineCustom.json` -> Online and Confidential Online Management Groups
+ * `slzPlatformCustom.json` -> Platform Management Group
+ * `slzSandboxCustom.json` -> Sandbox Management Group
+3. 
Select the file for management group scope that you want custom policies to apply to and if you want to apply custom policies to all application workloads then select `slzLandingZoneCustom.json`
+4. If custom policies have not been added yet, then the custom policy file will look like the screenshot below. Do NOT edit the `policyType`, `id`, `type`, or `name` fields. You will update the `parameters`, `policyDefinitions`, and `policyDefinitionGroups` as described by the [initiative definition structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure)
+![Empty Policy File](../images/empty-custom-policies.png)
+5. Grouping policies together on the [SLZ Preview dashboard](./Extending-Compliance-Dashboard.md) is accomplished by adding `dashboard-` to the beginning of the policy definition group name, but any name can be used. The documentation for the [policy set definition group structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure#policy-definition-groups) describes the group structure further. A valid policy definition group can be found below:
+```
+ {
+ "name": "dashboard-NIST_SP_800-171_R2",
+ "category": "Regulatory Compliance",
+ "description": "NIST 800-171 rev2"
+ }
+```
+6. Passing values to the custom policy definitions is not currently supported. You can set default values in the definition file or in the assignment file (located in the `/custom/policies/assignments` folder) but you cannot pass in values from the orchestration script at this time. Documentation on the assignment structure and how to set parameters is located [here](https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure)
+7. 
Once you have added the custom policies to the policy set file, you only need to save the file and run `.\New-SovereignLandingZone.ps1` with either the `all`, or `compliance` deployment step and your custom policies will be added and assigned to the appropriate management group scopes.
+8. If you need to change a policy effect, you will need to make that change to the above definitions and redeploy the SLZ Preview as above. For documentation on how to set a policy effect please review the documentation [here](https://learn.microsoft.com/azure/governance/policy/concepts/effects)
+
+**Note** Custom policies will need to fit with the [Azure policy and policy rule limits](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-policy-limits) otherwise Azure will not create the definitions.
+
+## Next step
+
+[View your compliance dashboard.](../10-Compliance-Dashboard.md)
+
+### [Preview Notice](./PREVIEW.md)
diff --git a/docs/scenarios/Expanding-SLZ-ManagementGroups.md b/docs/scenarios/Expanding-SLZ-ManagementGroups.md
new file mode 100644
index 00000000..8defc5ae
--- /dev/null
+++ b/docs/scenarios/Expanding-SLZ-ManagementGroups.md
@@ -0,0 +1,21 @@
+# Adding New Management Group Scopes to the SLZ Preview
+
+The SLZ Preview deploys a standard set of management groups that are used to organize resources and manage policy assignments. This set also has the following recommended usage patterns:
+
+1. [Connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure) - Used to host platform workloads that provide core networking capabilities
+2. [Identity](https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/identity/) - Used to host platform workloads that provide identity management, access, and syncing capabilities
+3. [Management](https://learn.microsoft.com/azure/cloud-adoption-framework/manage/monitor/) - Used to host platform workloads that provide core monitoring and alerting capabilities
+4. Corp - Used to host application workloads that do not need to be accessed from the public internet
+ * Public internet access restriction is provided by enabling the ALZ Policies
+5. Confidential Corp - Used to host application workloads that do not need to be accessed from the public internet but require use of confidential computing
+ * Public internet access restriction is provided by enabling the ALZ Policies
+6. Online - Used to host application workloads that do need to be accessed from the public internet
+7. Confidential Online - Used to host application workloads that do need to be accessed from the public internet but require use of confidential computing
+8. [Sandbox](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/sandbox-environments) - Used to host isolated environments for testing workloads and capabilities
+9. 
[Decommissioned](https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/migration-considerations/optimize/decommission) - Used to host workloads or capabilities that are retired, but still need to be retained
+
+The policy assignments will provide guardrails designed to support these usage patterns with the [Sovereignty Policy Baseline](./Sovereignty-Policy-Baseline.md) enforcing confidential computing SKUs and if enabled the [ALZ policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) focus on security best practices.
+
+As organizations use the SLZ Preview they may find it useful refine their management group structure to group workloads further or under different contexts. This can be achieved by using the `parLandingZoneMgChildren` parameter value to create more sibling management groups to the Corp, Online, and Confidential variants.
+
+Note that custom management groups will need to manage policy assignments to them as post-deployment steps. Further developments will improve upon this customization experience.
diff --git a/docs/scenarios/Extending-Compliance-Dashboard.md b/docs/scenarios/Extending-Compliance-Dashboard.md
new file mode 100644
index 00000000..58582bc8
--- /dev/null
+++ b/docs/scenarios/Extending-Compliance-Dashboard.md
@@ -0,0 +1,21 @@
+# Extending the Compliance Dashboard
+
+The SLZ Preview [Compliance Dashboard](../10-Compliance-Dashboard.md) provides a singular Azure policy compliance view for every resource within the SLZ Preview deployment. While this is a great starting point for viewing the default and built-in policies assigned with the SLZ Preview, many governance teams want to also see their own policies in the same view. This can be achieved through a few ways.
+
+## Overall and Subscription Compliance Views
+
+For the most part, no customization needs to be done for the overall or subscription views as these queries will search for assignment and compliance results for every resource and subscription under the top-level management group so any additional policies will be picked up natively.
+
+## Data Residency Views
+
+The data residency views are created by filtering by compliance results for policies under initiatives in the `dashboard-data residency` group. Custom policy assignments can populate these views by creating the group name `dashboard-data residency` in the custom initiative and grouping relevant policies into it.
+
+## Confidential Computing Views
+
+The confidential computing views are created by filtering by compliance results for policies under initiatives in one of the following groups: `dashboard-storage security`, `dashboard-transport security`, `dashboard-confidential computing`, or `dashboard-key management`. Custom policy assignments can populate these views by creating one or more of the above group names in the custom initiative and grouping relevant policies into it.
+
+## Custom Tiles
+
+When one of the above methods is not sufficient, additional tiles can be added to the SLZ Preview Compliance Dashboard by adding these to the [tiles JSON](../../custom/dashboard/compliance/tiles.json) file. 
This JSON file takes [Azure Portal Dashboard](https://learn.microsoft.com/azure/azure-portal/azure-portal-dashboards) tiles and will append them to the compliance dashboard.
+
+Worth noting that the `position.y` value for tile elements will need to be lower than the y-values already used by the compliance dashboard otherwise tile elements could be missing or moved. Checkout the [tiles sample](../../custom/dashboard/compliance/tiles-sample.json) for an example of this extension.
diff --git a/docs/scenarios/Landing-Zone-Vending.md b/docs/scenarios/Landing-Zone-Vending.md
new file mode 100644
index 00000000..19c88c83
--- /dev/null
+++ b/docs/scenarios/Landing-Zone-Vending.md
@@ -0,0 +1,55 @@
+# Workload Landing Zones
+
+After the SLZ Preview has been deployed, organizations can begin using it to host workloads. Workloads will need their own landing zones, and for more details about the types of landing zones review the [what is a landing zone](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#platform-landing-zones-vs-application-landing-zones) documentation.
+
+In short, the landing zone as deployed by the SLZ Preview provides the governance framework and controls that can simplify the onboarding of workload landing zones within it's management group structure. This means workload landing zones don't need to recreate common infrastructure such as a hub network as they may use the one that already exists, nor do they need to manage policy assignments as they'll inherent the ones already assigned.
+
+Workload landing zones require the creation of a subscription and placing it within the management group structure. While you may [customize the management groups](Expanding-SLZ-ManagementGroups.md) available, the following exist by default:
+
+1. [Connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure) - Used to host platform workloads that provide core networking capabilities
+2. [Identity](https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/identity/) - Used to host platform workloads that provide identity management, access, and syncing capabilities
+3. [Management](https://learn.microsoft.com/azure/cloud-adoption-framework/manage/monitor/) - Used to host platform workloads that provide core monitoring and alerting capabilities
+4. Corp - Used to host application workloads that do not need to be accessed from the public internet
+5. Confidential Corp - Used to host application workloads that do not need to be accessed from the public internet but require use of confidential computing
+6. 
Online - Used to host application workloads that do need to be accessed from the public internet
+7. Confidential Online - Used to host application workloads that do need to be accessed from the public internet but require use of confidential computing
+8. [Sandbox](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/sandbox-environments) - Used to host isolated environments for testing workloads and capabilities
+9. [Decommissioned](https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/migration-considerations/optimize/decommission) - Used to host workloads or capabilities that are retired, but still need to be retained
+
+# Landing Zone Vending
+
+[Subscription vending](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending) provides a platform mechanism for programmatically issuing subscriptions to application teams that need to deploy workloads. This notion allows for an organization's governance and security teams to build controls and a process around subscription creation, then application teams can request a new subscription for their workload on demand after making a few choices.
+
+[Landing zone vending](https://github.com/Azure/bicep-lz-vending) is a GitHub repository provides the automation to deploy landing zones for workloads within the SLZ Preview. It is recommended for an organization's governance and security teams to review the parameters available in this module and enforce certain values for some, while leaving the others up to the requesting team to fill out. Once all values are added, then a pipeline running with a highly privileged account would create the landing zone and grant reduced permissions to the development team to deploy their workload within. 
+
+It is recommended to not allow a development team set the following values:
+
+* subscriptionBillingScope
+* subscriptionTenantId
+* virtualNetworkDdosPlanId
+* virtualNetworkLocation
+* hubNetworkResourceId
+
+It is recommended to allow a development to set the following values:
+
+* subscriptionDisplayName
+* subscriptionAliasName
+* subscriptionWorkload
+* subscriptionManagementGroupId
+
+However, organizations may customize these lists further and provide certain allowed values that a development team can request.
+
+# SLZ Preview Logging
+
+To support usage of the landing zone vending module and [running individual deployment steps](Pipeline-Deployments.md), during every execution of the SLZ Preview key resources will be logged to a CSV file. These log files will be stored in `/orchestration/scripts/outputs` and will be timestamped with the deployment name in the title.
+
+The CSV file has the following columns:
+* Resource Name - The human readable resource name
+* Resource Type - The resource type useful for filtering the CSV
+* Resource Id - The unique identifier for the resource that's commonly needed as a parameter
+* Deployment Module - The deployment module where this resource is created
+* Comments - A human readable comment about where this value is commonly used
+
+# Workload Templates
+
+Microsoft Cloud for Sovereignty has published a variety of [workload templates](https://github.com/Azure/cloud-for-sovereignty-quickstarts) including a sample application that are designed to be deployed within the SLZ Preview. These are useful resources to reference during the workload migration process.
diff --git a/docs/scenarios/Piloting-SLZ.md b/docs/scenarios/Piloting-SLZ.md
new file mode 100644
index 00000000..c0c56f4a
--- /dev/null
+++ b/docs/scenarios/Piloting-SLZ.md
@@ -0,0 +1,27 @@ +# Sovereign Landing Zone Pilots + +The numbered getting started docs are intended to overview the steps that would be required for a production deployment of the SLZ Preview. However, this often requires greater permissions and has a higher cost than what an organization may be willing to spend while they are conducting a pilot. + +## Reduced Permissions + +**Note** the reduced permission set listed below is pending completion this feature. Documentation is being left as-is to show the current direction. When the feature is finished, this note will be removed and it will be listed in the release notes. For the time being, Global Administrator with elevated Azure permissions are required. The `Confirm-SovereignLandingZonePrerequisites.ps1` script will not attempt to automatically elevate Azure permissions when using a child management group as the top-level. + +Reference the production deployment [permission setup](../05-Permissions-Tooling.md) for the recommended steps. For pilot deployments, there are a few additional recommendations. + +1. **Use existing subscriptions** + * This means the identity being used to deploy the SLZ Preview does not need broad permissions to create subscriptions, but can be given a set of existing subscriptions to use. + * See the [using existing subscriptions](./Using-Existing-Subscriptions.md) doc for more details. +2. **Use a child management group as the top-level** + * By default the SLZ Preview will attempt to create a top-level management group to store all resources at the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) level. This is a very board permission that may allow the identity to alter any resource within the tenant. 
+ * Instead, it is recommended to create a new management group at some other level and assign the broad permissions there so the identity deploying the SLZ Preview will have no ability to other existing Azure resources. + * The SLZ Preview can be configured to deploy within this new management group via the `parTopLevelManagementGroupParentId` parameter. View our [parameter guidance](../07-Deployment-Parameters.md) doc for further details on configuring the SLZ Preview. + * **Note** Using the `parTopLevelManagementGroupParentId` parameter to separate multiple SLZ Preview deployments is also the recommended approach for managing multiple side-by-side deployments as is needed to meet development, testing, and isolation requirements. + +## Reduced Resources + +It is crucial to be conscientious of the cost implications when conducting a pilot. It is worth considering if the following resources are required for the pilot and making the following changes in the parameter file to disable them if they are not: + +1. [Azure DDos Protection](https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview) - This can be disabled by setting the `parDeployDdosProtection` value to `false` +2. [Azure Firewall](https://learn.microsoft.com/azure/firewall/overview) - This can be disabled by setting the `parEnableFirewall` value to `false`. + * If Azure Firewall is needed, consider using the basic SKU by setting `parUsePremiumFirewall` to `false` +3. [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview) - This can be disabled by setting the `parDeployBastion` value to `false`. diff --git a/docs/scenarios/Pipeline-Deployments.md b/docs/scenarios/Pipeline-Deployments.md new file mode 100644 index 00000000..1ed0065d --- /dev/null +++ b/docs/scenarios/Pipeline-Deployments.md 
@@ -0,0 +1,59 @@ +# Deploying the SLZ Preview in a Pipeline + +While the SLZ Preview deployment process works well to be executed manually, it can also easily be executed in a pipeline. This will require that a [service principal (SPN)](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal) has been granted the same [required permissions](../05-Permissions-Tooling.md) that a user must have, and that the SPN is bound to a [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#azure-resource-manager-service-connection) and used during the [pipeline execution](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#use-a-service-connection). There are a few considerations when doing this: + +## Running in Unattended Mode + +When the SLZ Preview deployment script is executed, it will check for dependencies and prompt the user for information. This is not suitable for pipeline deployments where it is not possible to interact with the script. Pipelines can execute the same flow without being prompted by running the script in unattended mode: + +``` +.\New-SovereignLandingZone.ps1 -parDeployment all -parAttendedLogin $false +``` + +Unattended mode will expect that an identity has already been logged in and that their AZ context is setup to the appropriate tenant. + +## Multiple Parameter Files + +When the SLZ Preview deployment script is executed, it will reference the [parameter file](../../orchestration/scripts/parameters/sovereignLandingZone.parameters.json) for all values required for the deployment. This is not suitable for pipeline deployments where you may not want to have the parameter file checked into the same repository as the code, or when you want to use manage multiple deployments. 
The deployment script can be directed to find the parameter file at a different path: + +``` +.\New-SovereignLandingZone.ps1 -parDeployment all -parParametersFilePath path/to/parameter/file.json +``` + +## Individual Deployment Steps + +The SLZ Preview deployment script has [multiple steps](../03-Deployment-Overview.md) that can be deployed individually. It is useful to run a singular deployment step to speed up the deployment process when the change that needs to be deployed is limited to one deployment step. For instance, adding new custom policies does not require redeploying the entire platform, but instead can be executed by setting the appropriate `parDeployment` CLI parameter: + +``` +.\New-SovereignLandingZone.ps1 -parDeployment compliance +``` + +Or by running: + +``` +.\New-Compliance.ps1 +``` + +These are the deployment steps: + +|Step Name|parDeployment value|Individual Script|Description| +|---------|-------------------|-----------------|-----------| +|Bootstrap|bootstrap|New-Bootstrap.ps1|Deploys the management groups and subscriptions| +|Platform|platform|New-Platform.ps1|Deploys all Azure resources| +|Compliance|compliance|New-Compliance.ps1|Deploys and assigns all Azure policies| +|Dashboard|dashboard|New-Dashboard.ps1|Deploys the compliance dashboard| +|Policy Exemptions|policyexemption|New-PolicyExemption.ps1|Deploys all custom policy exemptions| +|Policy Remediations|policyremediation|New-PolicyRemediation.ps1|Executes all policy remediations and scans| + +## Required Parameters + +These deployment steps also have additional required parameters as the SLZ Preview deployment script will not attempt to query an environment to determine these values. An individual deployment step will also have the required parameters of the deployment steps that are before it. For instance the `Compliance` step will also need the `Platform` step's required parameters. 
Every execution of the SLZ Preview will log key resources including these required parameters to a CSV file. These log files will be stored in `/orchestration/scripts/outputs` and will be timestamped with the deployment name in the title. + +|Step Name|Required Parameters| +|---------|-------------------| +|Bootstrap|N/A| +|Platform|`parManagementSubscriptionId`
`parIdentitySubscriptionId`
`parConnectivitySubscriptionId`| +|Compliance|`parLogAnalyticsWorkspaceId`
`parAutomationAccountName`
`parPrivateDnsResourceGroupId`
`parDdosProtectionResourceId` (if `parDeployDdosProtection` is `true`)| +|Dashboard|N/A| +|Policy Exemptions|N/A| +|Policy Remediations|N/A| diff --git a/docs/scenarios/README.md b/docs/scenarios/README.md new file mode 100644 index 00000000..788d40b1 --- /dev/null +++ b/docs/scenarios/README.md @@ -0,0 +1,13 @@ +# Sovereign Landing Zone Preview Scenarios + +The following are common scenarios found during initial deployment or through operational tasks within an SLZ Preview deployment. + +1. [Conducting a pilot of the SLZ Preview](./Piloting-SLZ.md) +2. [Deploying the SLZ Preview in a pipeline](./Pipeline-Deployments.md) +3. [Using existing subscriptions for the SLZ Preview](./Using-Existing-Subscriptions.md) +4. [What is the Sovereignty Policy Baseline](./Sovereignty-Policy-Baseline.md) +5. [Using built-in policies or the Policy Portfolio](./Using-Policy-Portfolio.md) +6. [Custom Azure Policies within the SLZ Preview](./Custom-Policies.md) +7. [Customizing the compliance dashboard](./Extending-Compliance-Dashboard.md) +8. [Deploying application or platform landing zones](./Landing-Zone-Vending.md) +9. [Adding additional landing zone management groups](./Expanding-SLZ-ManagementGroups.md) diff --git a/docs/scenarios/Removing-Policy-Assignments.md b/docs/scenarios/Removing-Policy-Assignments.md new file mode 100644 index 00000000..63258e55 --- /dev/null +++ b/docs/scenarios/Removing-Policy-Assignments.md 
@@ -0,0 +1,66 @@ +# Removing Policy Assignments + +There are several options for the SLZ Preview to deploy policies. However, the SLZ Preview does not remove policy assignments by design. Policy assignments are the technical guardrails used by governance and security teams, and we want removing of policy assignments to be an intentional effort instead of an accidental one caused by a misconfiguration. To remove a policy assignment, the SLZ Preview parameter file needs to be updated to ensure it does not attempt to recreate the assignment then a secondary or manual process must go through and remove the assignment. + +Upgrades to the Sovereignty Policy Baseline or any of the built-in Policy Portfolio initiatives will be automatically addressed without secondary steps or manual intervention. + +## Removing Old Custom Policies + +Update the [custom policy definitions](../../custom/policies/definitions/) by removing the old policies out of the definitions and incrementing the version number before redeploying the SLZ Preview. The SLZ Preview will automatically remove the old definition assignment during the upgrade process. + +## Removing Old Policy Portfolio Assignments + +Update the SLZ Preview parameter file and remove the old assignment out of the `parCustomerPolicySets` parameter. This will prevent the SLZ Preview from deploying the assignment in the future. + +Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment. In the policies blade, find the assignment with the same name and manually delete it. + +## Removing the ALZ Policies + +Update the SLZ Preview parameter file and set `parDeployAlzDefaultPolicies` to `false`. This will prevent the SLZ Preview from deploying the ALZ Policies in the future. 
+ +Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment. + + ![alz-delete-initiative-assignments](../images/alz-update-initiative-with-builtin-04.png) + +- For each assignment, click the ellipsis and select Delete Assignment. +- Once all initiative assignments are deleted, go to the Definitions pane, search for the initiative definition. Once found click the ellipsis and choose Delete Policy Definition. + + ![alz-custom-initiative-def-search](../images/alz-update-initiative-with-builtin-01.png) +- For implementation details refer to the [ALZ Assignment Deletion](https://github.com/Azure/ALZ-Bicep/blob/da0af7a5a1f21825b497017f52264df2d29aa0a6/docs/wiki/PolicyDeepDive.md) docs, and for design consideration refer to the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) doc. + +## ALZ Policy Assignments + +| **Assignment Name** | **Definition Name** | +|--------------------------|---------------------------| +|Deploy Microsoft Defender for Cloud configuration|Deploy Microsoft Defender for Cloud configuration| +|Deploy-Resource-Diag |Deploy Diagnostic Settings to Azure Services | +|Deploy Diagnostic Settings for Activity Log to Log Analytics workspace |Configure Azure Activity logs to stream to specified Log Analytics workspace | +|[Preview]: Deploy Microsoft Defender for Endpoint agent |[Preview]: Deploy Microsoft Defender for Endpoint agent | +|Enable Azure Monitor for Virtual Machine Scale Sets |Enable Azure Monitor for Virtual Machine Scale Sets | +|Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances |Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances | +|Configure Advanced Threat Protection to be enabled on open-source relational databases |Configure Advanced Threat Protection to be enabled on open-source 
relational databases | +|Enable Azure Monitor for VMs |Enable Azure Monitor for VMs | +|Deny the deployment of classic resources |Not allowed resource types | +|Enforce ALZ Decommissioned Guardrails |Enforce ALZ Decommissioned Guardrails | +|Subnets should have a Network Security Group |Subnets should have a Network Security Group | +|Management port access from the Internet should be blocked |Management port access from the Internet should be blocked | +|Web Application Firewall (WAF) should be enabled for Application Gateway |Web Application Firewall (WAF) should be enabled for Application Gateway | +|Kubernetes clusters should not allow container privilege escalation |Kubernetes clusters should not allow container privilege escalation | +|Kubernetes clusters should be accessible only over HTTPS |Kubernetes clusters should be accessible only over HTTPS | +|Kubernetes cluster should not allow privileged containers |Kubernetes cluster should not allow privileged containers | +|Network interfaces should disable IP forwarding |Network interfaces should disable IP forwarding | +|Enforce recommended guardrails for Azure Key Vault |Enforce recommended guardrails for Azure Key Vault | +|Secure transfer to storage accounts should be enabled |Secure transfer to storage accounts should be enabled | +|Deploy Threat Detection on SQL servers |Configure Azure Defender to be enabled on SQL servers | +|Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy |Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | +|Deploy TDE on SQL servers |Deploy TDE on SQL servers | +|Deploy Azure Policy Add-on to Azure Kubernetes Service clusters |Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | +|Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit |Deny or Deploy and append TLS requirements and SSL enforcement 
on resources without Encryption in transit | +|Configure SQL servers to have auditing enabled to Log Analytics workspace |Configure SQL servers to have auditing enabled to Log Analytics workspace | +|Deny the deployment of vWAN/ER/VPN gateway resources |Not allowed resource types | +|Audit Private Link Private DNS Zone resources |Audit the creation of Private Link Private DNS Zones | +|Public network access should be disabled for PaaS services |Public network access should be disabled for PaaS services | +|Deny network interfaces having a public IP associated |Network interfaces should not have public IPs | +|Configure Azure PaaS services to use private DNS zones |Configure Azure PaaS services to use private DNS zones | +|Deny the creation of public IP |Not allowed resource types | +|Deploy-Log-Analytics |Configure Log Analytics workspace and automation account to centralize logs and monitoring | diff --git a/docs/scenarios/Sovereignty-Policy-Baseline.md b/docs/scenarios/Sovereignty-Policy-Baseline.md new file mode 100644 index 00000000..9b7313f9 --- /dev/null +++ b/docs/scenarios/Sovereignty-Policy-Baseline.md 
@@ -0,0 +1,54 @@ +# Sovereignty Policy Baseline + +The Sovereignty Policy Baseline (baseline) is one of the sets of policies in the [Microsoft Cloud for Sovereignty Portfolio](https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline). It comes deployed within every SLZ Preview environment and can be [used outside an SLZ Preview](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio/) environment. + +The baseline is intended to supplement existing security control frameworks used by customers today with Azure policies that are grouped into the sovereignty control objectives listed below. It is not intended to replace a security control framework or fully meet the sovereignty control objectives by themselves. It should be viewed as providing a guardrail starting point for best practices past what traditional control frameworks may require and supports an organization's effort in addressing the listed control objectives. + +The baseline does this by introducing the notion of **customer-defined sensitive** data, which is not meant to map to any data classification framework. Instead it is there to differentiate data that an organization denotes as having additional sovereignty requirements. The below sovereignty control objectives are examples of the types of controls that an organization may have for protecting **customer-defined sensitive** data. The related policies to these objectives are only assigned to the confidential scopes while other controls are applied to all resources. + +## Configuring the Baseline + +The following parameters are useful for configuring the policy baseline: + +1. `parAllowedLocations` - This is applied to all resources to restrict the regions where they can be deployed. +2. `parAllowedLocationsForConfidentialComputing` - This is applied to all resources within the confidential scopes to restrict the regions where they can be deployed. 
Resources under this scope are exempt from the `parAllowedLocations` rule to support cases where confidential computing is not currently available in the desired region. +3. `parPolicyEffect` - This is the policy effect used by all policies within the baseline that supports the effect. + +## Sovereignty Control Objectives + +### SO-1 + +**Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based upon customer-defined requirements.** + +The related policies are in the `dashboard-Data Residency` group within these files: + +* [SLZ Global Defaults](../../modules/compliance/policySetDefinitions/slzGlobalDefaults.json) +* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json) + +### SO-2 + +**Customers must approve the access of customer data by cloud and managed service operators.** + +There is no policy in the baseline that supports this and it is intended to be addressed by enabling [Customer Lockbox](https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview). + +### SO-3 + +**Customer-defined sensitive customer data must only be accessible in an encrypted manner to cloud and managed service operators.** + +The related policies are in the `dashboard-Confidential Computing` group within these files: + +* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json) + +**Note** The resources are intended to be restricted to only those that have SKUs backed by confidential computing or do not process customer data. If this list is too restrictive, users are recommended to add other approved resources to the [allowed resources list](../../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json) in the assignment definition. 
+ +### SO-4 + +**The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data.** + +The related policies are in the `dashboard-Key Management` group within these files: + +* [SLZ Confidential Defaults](../../modules/compliance/policySetDefinitions/slzConfidentialDefaults.json) + +## Improvement Ideas + +The Sovereignty Policy Baseline is exploring a new space and we are eager to hear any suggestions about how they should be structured, other control objectives that should be included, how they should support specific workload architectures, or any other areas. Please submit any [feedback or improvement ideas](https://github.com/Azure/sovereign-landing-zone/issues/new/choose) you may have. diff --git a/docs/scenarios/Using-Existing-Subscriptions.md b/docs/scenarios/Using-Existing-Subscriptions.md new file mode 100644 index 00000000..dddf3737 --- /dev/null +++ b/docs/scenarios/Using-Existing-Subscriptions.md 
@@ -0,0 +1,22 @@ +# Using Existing Subscriptions + +In some cases the user will not be able to use the SLZ Preview to create subscriptions. This often happens for organizations that procure subscriptions through a partner or when an organization's policy requires the user to procure subscriptions through another internal team or process. + +In either case, the lifecycle for subscriptions does not need to be managed by the SLZ Preview and the SLZ Preview can be configured to use existing subscriptions. In this case the user will still require the permissions described [during the setup steps](../05-Permissions-Tooling.md) as well as the [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) permission within all subscriptions being used. + +It is recommended for these subscriptions to follow the same naming convention as the SLZ Preview deployed ones: +1. `{parDeploymentPrefix}-connectivity{parDeploymentSuffix}` +2. `{parDeploymentPrefix}-identity{parDeploymentSuffix}` +3. `{parDeploymentPrefix}-management{parDeploymentSuffix}` + +Although any naming convention can be used. To configure the SLZ Preview to use these subscriptions when deploying resources, update the parameters file with the following values: +1. `parConnectivitySubscriptionId`.value + * The ID of the `{parDeploymentPrefix}-connectivity{parDeploymentSuffix}` subscription. +2. `parIdentitySubscriptionId`.value + * The ID of the `{parDeploymentPrefix}-identity{parDeploymentSuffix}` subscription. +3. `parManagementSubscriptionId`.value + * The ID of the `{parDeploymentPrefix}-management{parDeploymentSuffix}` subscription. + +## Deployments in a Singular Subscription + +While it is technically possible to use the same subscription ID for all 3 default subscriptions to effectively deploy the SLZ Preview into one subscription, this is not a supported scenario and there may be unexpected conflicts. 
diff --git a/docs/scenarios/Using-Policy-Portfolio.md b/docs/scenarios/Using-Policy-Portfolio.md new file mode 100644 index 00000000..f0779193 --- /dev/null +++ b/docs/scenarios/Using-Policy-Portfolio.md @@ -0,0 +1,7 @@ +# Using the Policy Portfolio + +The Microsoft Cloud for Sovereignty has as [Policy Portfolio](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) with each set of initiatives within the portfolio designed to help an organization demonstrate compliance against a country or industry specific regulation. Our [public documentation](https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline) contains more information. + +All sets of initiatives within the policy portfolio can be used in any landing zone, but have also been tested against workloads running within the SLZ Preview. For the [sets of policies](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) that are not yet built-in, their definitions will need to be deployed in the top-level or parent management group for the SLZ Preview prior to being deployed. Follow the documentation within the portfolio repository for more details. All others will be built-in and no additional setup steps are required. + +To use one or more policy sets from the policy portfolio update the `parCustomerPolicySets` parameter with the assignment information. These assignments will be created at the top-level management group for the SLZ Preview and will apply to all resources contained within. All policy sets within the portfolio have safe defaults, so no additional configuration is required to get started with them. The `parCustomerPolicySets` parameter does not allow for Azure policy assignment parameters to be passed. diff --git a/modules/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_roleAssignments.bicep new file mode 100644 index 00000000..02417d1d --- /dev/null 
+++ b/modules/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_roleAssignments.bicep 
@@ -0,0 +1,72 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param parPrincipalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param parRoleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param parResourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param parPrincipalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param parDescription string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+param parCondition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+ '2.0'
+])
+param parConditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param parDelegatedManagedIdentityResourceId string = ''
+
+var varBuiltInRoleNames = {
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')
+ 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource resUserMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+ name: any(last(split(parResourceId, '/')))
+}
+
+resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in parPrincipalIds: {
+ name: guid(resUserMsi.id, principalId, parRoleDefinitionIdOrName)
+ properties: {
+ description: parDescription
+ roleDefinitionId: contains(varBuiltInRoleNames, parRoleDefinitionIdOrName) ? varBuiltInRoleNames[parRoleDefinitionIdOrName] : parRoleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(parPrincipalType) ? any(parPrincipalType) : null
+ condition: !empty(parCondition) ? parCondition : null
+ conditionVersion: !empty(parConditionVersion) && !empty(parCondition) ? parConditionVersion : null
+ delegatedManagedIdentityResourceId: !empty(parDelegatedManagedIdentityResourceId) ? parDelegatedManagedIdentityResourceId : null
+ }
+ scope: resUserMsi
+}]
diff --git a/modules/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep b/modules/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
new file mode 100644
index 00000000..b7ec97e9
--- /dev/null
+++ b/modules/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
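Review bot: The assignment name in `resRoleAssignment` is derived from the unresolved `parRoleDefinitionIdOrName`, so the same principal/role/scope gets a different deterministic name depending on whether the caller passed the display name or the full role definition ID, and a redeploy that switches between the two forms will likely be rejected by Azure as a duplicate assignment rather than treated as idempotent. Resolving the role once and using the resolved value in both places avoids this: `var varRoleDefinitionId = contains(varBuiltInRoleNames, parRoleDefinitionIdOrName) ? varBuiltInRoleNames[parRoleDefinitionIdOrName] : parRoleDefinitionIdOrName`, then `name: guid(resUserMsi.id, principalId, varRoleDefinitionId)` and `roleDefinitionId: varRoleDefinitionId`. It would also help a reader to state above `varBuiltInRoleNames` that every entry is assigned with `scope: resUserMsi`, i.e. on the identity resource itself, since names such as Owner and User Access Administrator read as much broader than the scope they actually receive here. The `parPrincipalType` description could additionally note that it must be set when the principal is created in the same deployment, which the accompanying readme explains but this file does not.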
@@ -0,0 +1,87 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Creates a user assigned identity and optionally assigns RBAC roles to it.
+*/
+
+@description('Optional. Name of the User Assigned Identity.')
+param parName string = guid(resourceGroup().id)
+
+@description('Optional. Location for all resources.')
+param parLocation string = resourceGroup().location
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param parLock string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param parRoleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param parTags object = {}
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param parEnableDefaultTelemetry bool = true
+
+// Create default telemetry deployment
+resource resDefaultTelemetry 'Microsoft.Resources/deployments@2022-09-01' = if (parEnableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, parLocation)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+// Create user assigned identity
+resource resUserMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: parName
+ location: parLocation
+ tags: parTags
+}
+
+// Create locks on user assigned identity
+resource resUserMsiLock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(parLock)) {
+ name: '${resUserMsi.name}-${parLock}-lock'
+ properties: {
+ level: any(parLock)
+ notes: parLock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: resUserMsi
+}
+
+// Create role assignments
+module modUserMsiRoleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in parRoleAssignments: {
+ name: '${uniqueString(deployment().name, parLocation)}-UserMSI-Rbac-${index}'
+ params: {
+ parDescription: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ parPrincipalIds: roleAssignment.principalIds
+ parPrincipalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ parRoleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ parCondition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+ parDelegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+ parResourceId: resUserMsi.id
+ }
+}]
+
+@description('The name of the user assigned identity.')
+output outName string = resUserMsi.name
+
+@description('The resource ID of the user assigned identity.')
+output outResourceId string = resUserMsi.id
+
+@description('The principal ID of the user assigned identity.')
+output outPrincipalId string = resUserMsi.properties.principalId
+
+@description('The resource group the user assigned identity was deployed into.')
+output outResourceGroupName string = resourceGroup().name
+
+@description('The location the resource was deployed into.')
+output outLocation string = resUserMsi.location
diff --git a/modules/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md b/modules/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md
new file mode 100644
index 00000000..cd2c7692
--- /dev/null
+++ b/modules/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md
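Review bot: The `parRoleAssignments` description tells callers that each object carries a `'principalId'`, but `modUserMsiRoleAssignments` reads `roleAssignment.principalIds` (an array) and forwards it as `parPrincipalIds`, so a caller who follows the description gets a deployment-time failure on the missing property; the description should say `\'principalIds\' (an array of principal IDs)`, and the matching row in the readme added by this commit repeats the same wording. The readme also lists `Microsoft.Authorization/locks` at 2017-04-01 and `Microsoft.ManagedIdentity/userAssignedIdentities` at 2018-11-30, while this file uses `locks@2020-05-01` and `userAssignedIdentities@2023-01-31`, so the resource-types table is out of date with the code it documents. Since `parEnableDefaultTelemetry` defaults to `true`, it would be worth stating in the readme that the `pid-…` tracking deployment is created unless the caller opts out, which a sovereignty-focused consumer will want to know before using the module.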
@@ -0,0 +1,212 @@ +# User Assigned Identities `[Microsoft.ManagedIdentity/userAssignedIdentities]` + +This module deploys a user assigned identity. + +## Navigation + +- [Resource types](#Resource-types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Deployment examples](#Deployment-examples) + +## Resource types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.ManagedIdentity/userAssignedIdentities` | [2018-11-30](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ManagedIdentity/2018-11-30/userAssignedIdentities) | + +## Parameters + +**Optional parameters** +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `location` | string | `[resourceGroup().location]` | | Location for all resources. | +| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `name` | string | `[guid(resourceGroup().id)]` | | Name of the User Assigned Identity. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `tags` | object | `{object}` | | Tags of the resource. 
| + + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +
+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the user assigned identity. | +| `principalId` | string | The principal ID of the user assigned identity. | +| `resourceGroupName` | string | The resource group the user assigned identity was deployed into. | +| `resourceId` | string | The resource ID of the user assigned identity. | + +## Cross-referenced modules + +_None_ + +## Deployment examples + +The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. + + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +

Example 1: Parameters

+ +
+ +via Bicep module + +```bicep +module userAssignedIdentities './Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-UserAssignedIdentities' + params: { + lock: 'CanNotDelete' + name: '<>-az-msi-x-001' + roleAssignments: [ + { + principalIds: [ + '<>' + ] + roleDefinitionIdOrName: 'Reader' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "lock": { + "value": "CanNotDelete" + }, + "name": { + "value": "<>-az-msi-x-001" + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "<>" + ], + "roleDefinitionIdOrName": "Reader" + } + ] + } + } +} +``` + +
+

diff --git a/modules/compliance/customCompliance.bicep b/modules/compliance/customCompliance.bicep
new file mode 100644
index 00000000..e72ee787
--- /dev/null
+++ b/modules/compliance/customCompliance.bicep
@@ -0,0 +1,425 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Deploys the Management Groups and Subscriptions for the Sovereign Landing Zone
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string
+
+@description('An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to.')
+param parIdentityRoleAssignmentsSubs array
+
+@description('The role definition ids for permissions.')
+param parRoleDefinitionIds array
+
+// Managment Groups Varaibles - Used For Policy Assignments
+var varManagementGroupIDs = {
+ intRoot: '${parDeploymentPrefix}${parDeploymentSuffix}'
+ platform: '${parDeploymentPrefix}-platform${parDeploymentSuffix}'
+ platformManagement: '${parDeploymentPrefix}-platform-management${parDeploymentSuffix}'
+ platformConnectivity: '${parDeploymentPrefix}-platform-connectivity${parDeploymentSuffix}'
+ platformIdentity: '${parDeploymentPrefix}-platform-identity${parDeploymentSuffix}'
+ landingZones: '${parDeploymentPrefix}-landingzones${parDeploymentSuffix}'
+ landingZonesCorp: '${parDeploymentPrefix}-landingzones-corp${parDeploymentSuffix}'
+ landingZonesOnline: '${parDeploymentPrefix}-landingzones-online${parDeploymentSuffix}'
+ landingZonesConfidentialCorp: '${parDeploymentPrefix}-landingzones-confidential-corp${parDeploymentSuffix}'
+ landingZonesConfidentialOnline: '${parDeploymentPrefix}-landingzones-confidential-online${parDeploymentSuffix}'
+ decommissioned: '${parDeploymentPrefix}-decommissioned${parDeploymentSuffix}'
+ sandbox: '${parDeploymentPrefix}-sandbox${parDeploymentSuffix}'
+}
+
+var varTopLevelManagementGroupResourceID = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIDs.intRoot}'
+
+// Policy Assignments Modules Variables
+
+var varGlobalCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzGlobalCustom.json')
+var varGlobalCustomPolicies = {
+ definitionID: replace('${varGlobalCustomPoliciesLibDef.id}.v${varGlobalCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json')
+ libDefinition: varGlobalCustomPoliciesLibDef
+ version: replace('v${varGlobalCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varLandingZonesPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzLandingZoneCustom.json')
+var varLandingZonesPolicies = {
+ definitionID: replace('${varLandingZonesPoliciesLibDef.id}.v${varLandingZonesPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json')
+ libDefinition: varLandingZonesPoliciesLibDef
+ version: replace('v${varLandingZonesPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varConfidentialCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzConfidentialCustom.json')
+var varConfidentialCustomPolicies = {
+ definitionID: replace('${varConfidentialCustomPoliciesLibDef.id}.v${varConfidentialCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json')
+ libDefinition: varConfidentialCustomPoliciesLibDef
+ version: replace('v${varConfidentialCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varCorpCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzCorpCustom.json')
+var varCorpCustomPolicies = {
+ definitionID: replace('${varCorpCustomPoliciesLibDef.id}.v${varCorpCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json')
+ libDefinition: varCorpCustomPoliciesLibDef
+ version: replace('v${varCorpCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varOnlineCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzOnlineCustom.json')
+var varOnlineCustomPolicies = {
+ definitionID: replace('${varOnlineCustomPoliciesLibDef.id}.v${varOnlineCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json')
+ libDefinition: varOnlineCustomPoliciesLibDef
+ version: replace('v${varOnlineCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varPlatformCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzPlatformCustom.json')
+var varPlatformCustomPolicies = {
+ definitionID: replace('${varPlatformCustomPoliciesLibDef.id}.v${varPlatformCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json')
+ libDefinition: varPlatformCustomPoliciesLibDef
+ version: replace('v${varPlatformCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varConnectivityCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzConnectivityCustom.json')
+var varConnectivityCustomPolicies = {
+ definitionID: replace('${varConnectivityCustomPoliciesLibDef.id}.v${varConnectivityCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json')
+ libDefinition: varConnectivityCustomPoliciesLibDef
+ version: replace('v${varConnectivityCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varIdentityCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzIdentityCustom.json')
+var varIdentityCustomPolicies = {
+ definitionID: replace('${varIdentityCustomPoliciesLibDef.id}.v${varIdentityCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json')
+ libDefinition: varIdentityCustomPoliciesLibDef
+ version: replace('v${varIdentityCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varManagementCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzManagementCustom.json')
+var varManagementCustomPolicies = {
+ definitionID: replace('${varManagementCustomPoliciesLibDef.id}.v${varManagementCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json')
+ libDefinition: varManagementCustomPoliciesLibDef
+ version: replace('v${varManagementCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varSandboxCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzSandboxCustom.json')
+var varSandboxCustomPolicies = {
+ definitionID: replace('${varSandboxCustomPoliciesLibDef.id}.v${varSandboxCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json')
+ libDefinition: varSandboxCustomPoliciesLibDef
+ version: replace('v${varSandboxCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varDecommissionedCustomPoliciesLibDef = loadJsonContent('../../custom/policies/definitions/slzDecommissionedCustom.json')
+var varDecommissionedCustomPolicies = {
+ definitionID: replace('${varDecommissionedCustomPoliciesLibDef.id}.v${varDecommissionedCustomPoliciesLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID)
+ libAssignment: loadJsonContent('../../custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json')
+ libDefinition: varDecommissionedCustomPoliciesLibDef
+ version: replace('v${varDecommissionedCustomPoliciesLibDef.properties.metadata.version}', '.', '')
+}
+
+var varDeploymentNameWrappers = {
+ basePrefix: parDeploymentPrefix
+ #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ baseSuffixTenantAndManagementGroup: deployment().location
+}
+
+@description('Timestamp with format yyyyMMddTHHmmssZ. Default value set to Execution Timestamp to avoid deployment contention.')
+param parTimestamp string = utcNow()
+
+var varModuleDeploymentNames = {
+ modPolicyAssignmentIntRootSlzCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-slzCustom-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentPlatformCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-platformCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentSandboxCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-sandboxCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentDecommissionedCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-decomCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentLandingZoneCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-landingZoneCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentCorpCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-corpCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentOnlineCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-onlineCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentConfidentialCorpCustom_Confidential: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confidentialCorpCustom_Confidential-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentConfidentialCorpCustom_Corp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confidentialCorpCustom_Corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentConfidentialOnlineCustom_Confidential: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confidentialOnlineCustom_Confidential-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentConfidentialOnlineCustom_Online: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confidentialOnlineCustom_Online-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentConnectivityCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-connectivityCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentIdentityCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-identityCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+ modPolicyAssignmentManagementCustom: take('${varDeploymentNameWrappers.basePrefix}-polAssi-managementCustom-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}-${parTimestamp}', 64)
+}
+
+// Module - Policy Assignments - Root Management Group
+module modPolicyAssignmentGlobalCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varGlobalCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootSlzCustom
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ params: {
+ parPolicyAssignmentDefinitionId: varGlobalCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varGlobalCustomPolicies.libAssignment.properties.description} ${varGlobalCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varGlobalCustomPolicies.libAssignment.properties.displayName} ${varGlobalCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varGlobalCustomPolicies.libAssignment.name}${varGlobalCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Decommisioned Management Group
+module modPolicyAssignmentDecommissionedCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varDecommissionedCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentDecommissionedCustom
+ scope: managementGroup(varManagementGroupIDs.decommissioned)
+ params: {
+ parPolicyAssignmentDefinitionId: varDecommissionedCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varDecommissionedCustomPolicies.libAssignment.properties.description} ${varDecommissionedCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varDecommissionedCustomPolicies.libAssignment.properties.displayName} ${varDecommissionedCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varDecommissionedCustomPolicies.libAssignment.name}${varDecommissionedCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Landing Zone Management Group
+module modPolicyAssignmentLandingZoneCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varLandingZonesPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentLandingZoneCustom
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ params: {
+ parPolicyAssignmentDefinitionId: varLandingZonesPolicies.definitionID
+ parPolicyAssignmentDescription: '${varLandingZonesPolicies.libAssignment.properties.description} ${varLandingZonesPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varLandingZonesPolicies.libAssignment.properties.displayName} ${varLandingZonesPolicies.version}'
+ parPolicyAssignmentName: take('${varLandingZonesPolicies.libAssignment.name}${varLandingZonesPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Landing Zone Confidential Corp Management Group
+module modPolicyAssignmentConfidentialCorpCustom_Confidential '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varConfidentialCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentConfidentialCorpCustom_Confidential
+ scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialCorp)
+ params: {
+ parPolicyAssignmentDefinitionId: varConfidentialCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varConfidentialCustomPolicies.libAssignment.properties.description} ${varConfidentialCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varConfidentialCustomPolicies.libAssignment.properties.displayName} ${varConfidentialCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varConfidentialCustomPolicies.libAssignment.name}${varConfidentialCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+module modPolicyAssignmentConfidentialCorpCustom_Corp '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varCorpCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentConfidentialCorpCustom_Corp
+ scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialCorp)
+ params: {
+ parPolicyAssignmentDefinitionId: varCorpCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varCorpCustomPolicies.libAssignment.properties.description} ${varCorpCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varCorpCustomPolicies.libAssignment.properties.displayName} ${varCorpCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varCorpCustomPolicies.libAssignment.name}${varCorpCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Landing Zone Confidential Online Management Group
+module modPolicyAssignmentConfidentialOnlineCustom_Confidential '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varConfidentialCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentConfidentialOnlineCustom_Confidential
+ scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialOnline)
+ params: {
+ parPolicyAssignmentDefinitionId: varConfidentialCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varConfidentialCustomPolicies.libAssignment.properties.description} ${varConfidentialCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varConfidentialCustomPolicies.libAssignment.properties.displayName} ${varConfidentialCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varConfidentialCustomPolicies.libAssignment.name}${varConfidentialCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Landing Zone Confidential Online Management Group
+module modPolicyAssignmentConfidentialOnlineCustom_Online '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varOnlineCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentConfidentialOnlineCustom_Online
+ scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialOnline)
+ params: {
+ parPolicyAssignmentDefinitionId: varOnlineCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varOnlineCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varOnlineCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varOnlineCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Landing Zone Corp Management Group
+module modPolicyAssignmentCorpCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varCorpCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentCorpCustom
+ scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
+ params: {
+ parPolicyAssignmentDefinitionId: varOnlineCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varCorpCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varCorpCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varCorpCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Landing Zone Online Management Group
+module modPolicyAssignmentOnlineCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varOnlineCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentOnlineCustom
+ scope: managementGroup(varManagementGroupIDs.landingZonesOnline)
+ params: {
+ parPolicyAssignmentDefinitionId: varOnlineCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varOnlineCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varOnlineCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varOnlineCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Platform Management Group
+module modPolicyAssignmentPlatformCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varPlatformCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentPlatformCustom
+ scope: managementGroup(varManagementGroupIDs.platform)
+ params: {
+ parPolicyAssignmentDefinitionId: varPlatformCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varPlatformCustomPolicies.libAssignment.properties.description} ${varPlatformCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varPlatformCustomPolicies.libAssignment.properties.displayName} ${varPlatformCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varPlatformCustomPolicies.libAssignment.name}${varPlatformCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Platform Connectivity Management Group
+module modPolicyAssignmentConnectivityCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varConnectivityCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentConnectivityCustom
+ scope: managementGroup(varManagementGroupIDs.platformConnectivity)
+ params: {
+ parPolicyAssignmentDefinitionId: varConnectivityCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varConnectivityCustomPolicies.libAssignment.properties.description} ${varConnectivityCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varConnectivityCustomPolicies.libAssignment.properties.displayName} ${varConnectivityCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varConnectivityCustomPolicies.libAssignment.name}${varConnectivityCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Platform Identity Management Group
+module modPolicyAssignmentIdentityCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varIdentityCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentityCustom
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ params: {
+ parPolicyAssignmentDefinitionId: varIdentityCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varIdentityCustomPolicies.libAssignment.properties.description} ${varIdentityCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varIdentityCustomPolicies.libAssignment.properties.displayName} ${varIdentityCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varIdentityCustomPolicies.libAssignment.name}${varIdentityCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Platform Management Management Group
+module modPolicyAssignmentManagementCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varManagementCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentManagementCustom
+ scope: managementGroup(varManagementGroupIDs.platformManagement)
+ params: {
+ parPolicyAssignmentDefinitionId: varManagementCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varManagementCustomPolicies.libAssignment.properties.description} ${varManagementCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varManagementCustomPolicies.libAssignment.properties.displayName} ${varManagementCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varManagementCustomPolicies.libAssignment.name}${varManagementCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Sandbox Management Group
+module modPolicyAssignmentSandboxCustom '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSandboxCustomPolicies.libDefinition.properties.policyDefinitions)) {
+ name: varModuleDeploymentNames.modPolicyAssignmentSandboxCustom
+ scope: managementGroup(varManagementGroupIDs.sandbox)
+ params: {
+ parPolicyAssignmentDefinitionId: varSandboxCustomPolicies.definitionID
+ parPolicyAssignmentDescription: '${varSandboxCustomPolicies.libAssignment.properties.description} ${varSandboxCustomPolicies.version}'
+ parPolicyAssignmentDisplayName: '${varSandboxCustomPolicies.libAssignment.properties.displayName} ${varSandboxCustomPolicies.version}'
+ parPolicyAssignmentName: take('${varSandboxCustomPolicies.libAssignment.name}${varSandboxCustomPolicies.version}', 24)
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
+ parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentNonComplianceMessages: []
+ parPolicyAssignmentNotScopes: []
+ parTelemetryOptOut: true
+ }
+}
diff --git a/modules/compliance/customerPolicySetAssignments.bicep b/modules/compliance/customerPolicySetAssignments.bicep
new file mode 100644
index 00000000..c0602ce0
--- /dev/null
+++ b/modules/compliance/customerPolicySetAssignments.bicep
@@ -0,0 +1,57 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY :
+ -This module deploys customer configured policy set assignments to the root management group.
+ - Only policy set definition with no parameters or parameters with default values are supported for customer assignment.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string
+
+@description('Deployed policy set definition id ')
+param parPolicySetDefinitionId string
+
+@description('Name for the policy set assignment')
+@minLength(1)
+param parPolicySetAssignmentName string
+
+@description('Display name for the policy set assignment')
+param parPolicySetAssignmentDisplayName string
+
+@description('descritpion for the policy set assignment')
+param parPolicySetAssignmentDescription string
+
+var varRootManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}'
+var varRbacRoleDefinitionIds = {
+ owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7'
+ aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+}
+
+// Module - Policy Assignments - Root Management Group
+module modUserPolicyAssignment '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varRootManagementGroupId)
+ name: take('${parDeploymentPrefix}-polAssi-CustomerPolicySet-intRoot-${parPolicySetAssignmentName}${parDeploymentSuffix}', 64)
+ params: {
+ parPolicyAssignmentDefinitionId: parPolicySetDefinitionId
+ parPolicyAssignmentName: 
take('${parPolicySetAssignmentName}', 24)
+ parPolicyAssignmentDisplayName: parPolicySetAssignmentDisplayName
+ parPolicyAssignmentDescription: parPolicySetAssignmentDescription
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parTelemetryOptOut: true
+ }
+}
diff --git a/modules/compliance/defaultCompliance.bicep b/modules/compliance/defaultCompliance.bicep
new file mode 100644
index 00000000..4995d508
--- /dev/null
+++ b/modules/compliance/defaultCompliance.bicep
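Review bot: `take('${parPolicySetAssignmentName}', 24)` silently truncates the caller-supplied name, so two customer policy sets whose names share a 24-character prefix resolve to the same assignment resource at the root management group and the later deployment overwrites the earlier one without any error; declaring `@maxLength(24)` on `parPolicySetAssignmentName` instead turns the collision into a validation failure (and if truncation is kept, `take(parPolicySetAssignmentName, 24)` drops the redundant interpolation). The assignment identity is always granted `varRbacRoleDefinitionIds.owner` at the root management group even though a customer-provided set may contain no deployIfNotExists/modify effects at all, and Owner includes the right to create further role assignments; a role-definition list parameter defaulting to an empty array, with Owner supplied only when the set actually needs remediation, would keep this to least privilege, and `contributor`, `networkContributor` and `aksContributor` are declared but unused in this file. `@description('descritpion for the policy set assignment')` has a typo ("description"), and `'Deployed policy set definition id '` carries a trailing space.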
@@ -0,0 +1,500 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : This module deploys the policy assignments for the top level management group and the management groups that are children of the top level management group.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The top level management group name which is also the prefix used for resources')
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string
+
+@description('The Azure regions where resources are allowed to be deployed by policy.')
+param parAllowedLocations array
+
+@description('Locations where confidential resources are available and allowed to be used by workloads.')
+param parAllowedLocationsForConfidentialComputing array
+
+@description('Timestamp with format yyyyMMddTHHmmssZ. Default value set to Execution Timestamp to avoid deployment contention.')
+param parTimestamp string = utcNow()
+
+@description('Effect type for all policy definitions')
+param parPolicyEffect string = 'Deny'
+
+// **Variables**
+// Orchestration Module Variables
+var varDeploymentNameWrappers = {
+ basePrefix: parDeploymentPrefix
+ #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + baseSuffixTenantAndManagementGroup: deployment().location +} + +// RBAC Role Definitions Variables - Used For Policy Assignments +var varRbacRoleDefinitionIds = { + owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' + contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7' + aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' +} + +var varModuleDeploymentNames = { + modPolicyAssignmentIntRootSlzDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-slzDefaults-intRoot-${parTimestamp}', 64) + modPolicyAssignmentPlatformDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-platformDefaults-${parTimestamp}', 64) + modPolicyAssignmentSandboxDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-sandboxDefaults-${parTimestamp}', 64) + modPolicyAssignmentDecommissionedDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-decomDefaults-${parTimestamp}', 64) + modPolicyAssignmentLandingZoneDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-landingZoneDefaults-${parTimestamp}', 64) + modPolicyAssignmentCorpDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-corpDefaults-${parTimestamp}', 64) + modPolicyAssignmentOnlineDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-onlineDefaults-${parTimestamp}', 64) + modPolicyAssignmentConfidentialCorpDefaults_Confidential: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confCorpDefaults_Confidential-${parTimestamp}', 64) + modPolicyAssignmentConfidentialCorpDefaults_Corp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confCorpDefaults_Corp-${parTimestamp}', 64) + modPolicyAssignmentConfidentialOnlineDefaults_Confidential: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confOnlineDefaults_Confidential-${parTimestamp}', 64) + 
modPolicyAssignmentConfidentialOnlineDefaults_Online: take('${varDeploymentNameWrappers.basePrefix}-polAssi-confOnlineDefaults_Online-${parTimestamp}', 64) + modPolicyAssignmentConnectivityDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-connectivityDefaults-${parTimestamp}', 64) + modPolicyAssignmentIdentityDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-identityDefaults-${parTimestamp}', 64) + modPolicyAssignmentManagementDefaults: take('${varDeploymentNameWrappers.basePrefix}-polAssi-managementDefaults-${parTimestamp}', 64) +} + +// Policy Assignments Modules Variables +var varSlzGlobalLibDef = loadJsonContent('policySetDefinitions/slzGlobalDefaults.json') +var varSlzGlobalDefaults = { + definitionID: replace('${varSlzGlobalLibDef.id}.v${varSlzGlobalLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignmnet_deploy_slz_global_defaults.tmpl.json') + libDefinition: varSlzGlobalLibDef + version: replace('v${varSlzGlobalLibDef.properties.metadata.version}', '.', '') +} + +var varSlzPlatformLibDef = loadJsonContent('policySetDefinitions/slzPlatformDefaults.json') +var varSlzPlatformDefaults = { + definitionID: replace('${varSlzPlatformLibDef.id}.v${varSlzPlatformLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_platform_defaults.tmpl.json') + libDefinition: varSlzPlatformLibDef + version: replace('v${varSlzPlatformLibDef.properties.metadata.version}', '.', '') +} + +var varSlzSandboxLibDef = loadJsonContent('policySetDefinitions/slzSandboxDefaults.json') +var varSlzSandboxDefaults = { + definitionID: replace('${varSlzSandboxLibDef.id}.v${varSlzSandboxLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', 
varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_sandbox_defaults.tmpl.json') + libDefinition: varSlzSandboxLibDef + version: replace('v${varSlzSandboxLibDef.properties.metadata.version}', '.', '') +} + +var varSlzDecommissionedLibDef = loadJsonContent('policySetDefinitions/slzDecommissionedDefaults.json') +var varSlzDecommissionedDefaults = { + definitionID: replace('${varSlzDecommissionedLibDef.id}.v${varSlzDecommissionedLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_decommissioned_defaults.tmpl.json') + libDefinition: varSlzDecommissionedLibDef + version: replace('v${varSlzDecommissionedLibDef.properties.metadata.version}', '.', '') +} + +var varSlzLandingZoneLibDef = loadJsonContent('policySetDefinitions/slzLandingZoneDefaults.json') +var varSlzLandingZoneDefaults = { + definitionID: replace('${varSlzLandingZoneLibDef.id}.v${varSlzLandingZoneLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_landing_zones_defaults.tmpl.json') + libDefinition: varSlzLandingZoneLibDef + version: replace('v${varSlzLandingZoneLibDef.properties.metadata.version}', '.', '') +} + +var varSlzCorpLibDef = loadJsonContent('policySetDefinitions/slzCorpDefaults.json') +var varSlzCorpDefaults = { + definitionID: replace('${varSlzCorpLibDef.id}.v${varSlzCorpLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_corp_defaults.tmpl.json') + libDefinition: varSlzCorpLibDef + version: replace('v${varSlzCorpLibDef.properties.metadata.version}', '.', '') +} + +var varSlzOnlineLibDef = 
loadJsonContent('policySetDefinitions/slzOnlineDefaults.json') +var varSlzOnlineDefaults = { + definitionID: replace('${varSlzOnlineLibDef.id}.v${varSlzOnlineLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_online_defaults.tmpl.json') + libDefinition: varSlzOnlineLibDef + version: replace('v${varSlzOnlineLibDef.properties.metadata.version}', '.', '') +} + +var varSlzConfidentialLibDef = loadJsonContent('policySetDefinitions/slzConfidentialDefaults.json') +var varSlzConfidentialDefaults = { + definitionID: replace('${varSlzConfidentialLibDef.id}.v${varSlzConfidentialLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json') + libDefinition: varSlzConfidentialLibDef + version: replace('v${varSlzConfidentialLibDef.properties.metadata.version}', '.', '') +} + +var varSlzConnectivityLibDef = loadJsonContent('policySetDefinitions/slzConnectivityDefaults.json') +var varSlzConnectivityDefaults = { + definitionID: replace('${varSlzConnectivityLibDef.id}.v${varSlzConnectivityLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_connectivity_defaults.tmpl.json') + libDefinition: varSlzConnectivityLibDef + version: replace('v${varSlzConnectivityLibDef.properties.metadata.version}', '.', '') +} + +var varSlzIdentityLibDef = loadJsonContent('policySetDefinitions/slzIdentityDefaults.json') +var varSlzIdentityDefaults = { + definitionID: replace('${varSlzIdentityLibDef.id}.v${varSlzIdentityLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + 
libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_identity_defaults.tmpl.json') + libDefinition: varSlzIdentityLibDef + version: replace('v${varSlzIdentityLibDef.properties.metadata.version}', '.', '') +} + +var varSlzManagementLibDef = loadJsonContent('policySetDefinitions/slzManagementDefaults.json') +var varSlzManagementDefaults = { + definitionID: replace('${varSlzManagementLibDef.id}.v${varSlzManagementLibDef.properties.metadata.version}', '\${varTargetManagementGroupResourceId}', varTopLevelManagementGroupResourceID) + libAssignment: loadJsonContent('policyAssignments/policy_assignment_deploy_slz_management_defaults.tmpl.json') + libDefinition: varSlzManagementLibDef + version: replace('v${varSlzManagementLibDef.properties.metadata.version}', '.', '') +} + +// Managment Groups Varaibles - Used For Policy Assignments +var varManagementGroupIDs = { + intRoot: '${parDeploymentPrefix}${parDeploymentSuffix}' + platform: '${parDeploymentPrefix}-platform${parDeploymentSuffix}' + platformManagement: '${parDeploymentPrefix}-platform-management${parDeploymentSuffix}' + platformConnectivity: '${parDeploymentPrefix}-platform-connectivity${parDeploymentSuffix}' + platformIdentity: '${parDeploymentPrefix}-platform-identity${parDeploymentSuffix}' + landingZones: '${parDeploymentPrefix}-landingzones${parDeploymentSuffix}' + landingZonesCorp: '${parDeploymentPrefix}-landingzones-corp${parDeploymentSuffix}' + landingZonesOnline: '${parDeploymentPrefix}-landingzones-online${parDeploymentSuffix}' + landingZonesConfidentialCorp: '${parDeploymentPrefix}-landingzones-confidential-corp${parDeploymentSuffix}' + landingZonesConfidentialOnline: '${parDeploymentPrefix}-landingzones-confidential-online${parDeploymentSuffix}' + decommissioned: '${parDeploymentPrefix}-decommissioned${parDeploymentSuffix}' + sandbox: '${parDeploymentPrefix}-sandbox${parDeploymentSuffix}' +} + +var varTopLevelManagementGroupResourceID = 
'/providers/Microsoft.Management/managementGroups/${varManagementGroupIDs.intRoot}' + +// Module - Policy Assignments - Root Management Group +module modPolicyAssignmentSlzGlobalDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzGlobalDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootSlzDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzGlobalDefaults.definitionID + parPolicyAssignmentName: take('${varSlzGlobalDefaults.libAssignment.name}${varSlzGlobalDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzGlobalDefaults.libAssignment.properties.displayName} ${varSlzGlobalDefaults.version}' + parPolicyAssignmentDescription: '${varSlzGlobalDefaults.libAssignment.properties.description} ${varSlzGlobalDefaults.version}' + parPolicyAssignmentParameters: varSlzGlobalDefaults.libAssignment.properties.parameters + parPolicyAssignmentParameterOverrides: { + listOfAllowedLocations: { + value: parAllowedLocations + } + } + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Decommisioned Management Group +module modPolicyAssignmentSlzDecommissionedDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzDecommissionedDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.decommissioned) + name: varModuleDeploymentNames.modPolicyAssignmentDecommissionedDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzDecommissionedDefaults.definitionID + parPolicyAssignmentName: 
take('${varSlzDecommissionedDefaults.libAssignment.name}${varSlzDecommissionedDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzDecommissionedDefaults.libAssignment.properties.displayName} ${varSlzDecommissionedDefaults.version}' + parPolicyAssignmentDescription: '${varSlzDecommissionedDefaults.libAssignment.properties.description} ${varSlzDecommissionedDefaults.version}' + parPolicyAssignmentParameters: varSlzDecommissionedDefaults.libAssignment.properties.parameters + parPolicyAssignmentParameterOverrides: { + effect: { + value: parPolicyEffect + } + } + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Landing Zone Management Group +module modPolicyAssignmentSlzLandingZoneDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzLandingZoneDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLandingZoneDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzLandingZoneDefaults.definitionID + parPolicyAssignmentName: take('${varSlzLandingZoneDefaults.libAssignment.name}${varSlzLandingZoneDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzLandingZoneDefaults.libAssignment.properties.displayName} ${varSlzLandingZoneDefaults.version}' + parPolicyAssignmentDescription: '${varSlzLandingZoneDefaults.libAssignment.properties.description} ${varSlzLandingZoneDefaults.version}' + parPolicyAssignmentParameters: varSlzLandingZoneDefaults.libAssignment.properties.parameters + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 
'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Landing Zone Confidential Corp Management Group +module modPolicyAssignmentSlzConfidentialCorpDefaults_Confidential '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzConfidentialDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialCorp) + name: varModuleDeploymentNames.modPolicyAssignmentConfidentialCorpDefaults_Confidential + params: { + parPolicyAssignmentDefinitionId: varSlzConfidentialDefaults.definitionID + parPolicyAssignmentName: take('${varSlzConfidentialDefaults.libAssignment.name}${varSlzConfidentialDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzConfidentialDefaults.libAssignment.properties.displayName} ${varSlzConfidentialDefaults.version}' + parPolicyAssignmentDescription: '${varSlzConfidentialDefaults.libAssignment.properties.description} ${varSlzConfidentialDefaults.version}' + parPolicyAssignmentParameters: varSlzConfidentialDefaults.libAssignment.properties.parameters + parPolicyAssignmentParameterOverrides: { + listOfAllowedLocations: { + value: parAllowedLocationsForConfidentialComputing + } + effect: { + value: parPolicyEffect + } + } + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} +// Module - Policy Assignments - Landing Zone Confidential Corp Management Group +module modPolicyAssignmentSlzConfidentialCorpDefaults_Corp '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzCorpDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialCorp) + name: 
varModuleDeploymentNames.modPolicyAssignmentConfidentialCorpDefaults_Corp + params: { + parPolicyAssignmentDefinitionId: varSlzCorpDefaults.definitionID + parPolicyAssignmentName: take('${varSlzCorpDefaults.libAssignment.name}${varSlzCorpDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzCorpDefaults.libAssignment.properties.displayName} ${varSlzCorpDefaults.version}' + parPolicyAssignmentDescription: '${varSlzCorpDefaults.libAssignment.properties.description} ${varSlzCorpDefaults.version}' + parPolicyAssignmentParameters: varSlzCorpDefaults.libAssignment.properties.parameters + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentParameterOverrides: { + effect: { + value: parPolicyEffect + } + } + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Landing Zone Confidential Online Management Group +module modPolicyAssignmentSlzConfidentialOnlineDefaults_Confidential '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzConfidentialDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialOnline) + name: varModuleDeploymentNames.modPolicyAssignmentConfidentialOnlineDefaults_Confidential + params: { + parPolicyAssignmentDefinitionId: varSlzConfidentialDefaults.definitionID + parPolicyAssignmentName: take('${varSlzConfidentialDefaults.libAssignment.name}${varSlzConfidentialDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzConfidentialDefaults.libAssignment.properties.displayName} ${varSlzConfidentialDefaults.version}' + parPolicyAssignmentDescription: '${varSlzConfidentialDefaults.libAssignment.properties.description} ${varSlzConfidentialDefaults.version}' + parPolicyAssignmentParameters: 
varSlzConfidentialDefaults.libAssignment.properties.parameters + parPolicyAssignmentParameterOverrides: { + listOfAllowedLocations: { + value: parAllowedLocationsForConfidentialComputing + } + effect: { + value: parPolicyEffect + } + } + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Landing Zone Confidential Online Management Group +module modPolicyAssignmentSlzConfidentialOnlineDefaults_Online '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzOnlineDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.landingZonesConfidentialOnline) + name: varModuleDeploymentNames.modPolicyAssignmentConfidentialOnlineDefaults_Online + params: { + parPolicyAssignmentDefinitionId: varSlzOnlineDefaults.definitionID + parPolicyAssignmentName: take('${varSlzOnlineDefaults.libAssignment.name}${varSlzOnlineDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzOnlineDefaults.libAssignment.properties.displayName} ${varSlzOnlineDefaults.version}' + parPolicyAssignmentDescription: '${varSlzOnlineDefaults.libAssignment.properties.description} ${varSlzOnlineDefaults.version}' + parPolicyAssignmentParameters: varSlzOnlineDefaults.libAssignment.properties.parameters + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentParameterOverrides: { + effect: { + value: parPolicyEffect + } + } + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Landing Zone Corp Management Group +module modPolicyAssignmentSlzCorpDefaults 
'../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzCorpDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.landingZonesCorp) + name: varModuleDeploymentNames.modPolicyAssignmentCorpDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzCorpDefaults.definitionID + parPolicyAssignmentName: take('${varSlzCorpDefaults.libAssignment.name}${varSlzCorpDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzCorpDefaults.libAssignment.properties.displayName} ${varSlzCorpDefaults.version}' + parPolicyAssignmentDescription: '${varSlzCorpDefaults.libAssignment.properties.description} ${varSlzCorpDefaults.version}' + parPolicyAssignmentParameters: varSlzCorpDefaults.libAssignment.properties.parameters + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentParameterOverrides: { + effect: { + value: parPolicyEffect + } + } + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Landing Zone Online Management Group +module modPolicyAssignmentSlzOnlineDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzOnlineDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.landingZonesOnline) + name: varModuleDeploymentNames.modPolicyAssignmentOnlineDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzOnlineDefaults.definitionID + parPolicyAssignmentName: take('${varSlzOnlineDefaults.libAssignment.name}${varSlzOnlineDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzOnlineDefaults.libAssignment.properties.displayName} ${varSlzOnlineDefaults.version}' + parPolicyAssignmentDescription: 
'${varSlzOnlineDefaults.libAssignment.properties.description} ${varSlzOnlineDefaults.version}' + parPolicyAssignmentParameters: varSlzOnlineDefaults.libAssignment.properties.parameters + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentParameterOverrides: { + effect: { + value: parPolicyEffect + } + } + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Platform Management Group +module modPolicyAssignmentSlzPlatformDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzPlatformDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.platform) + name: varModuleDeploymentNames.modPolicyAssignmentPlatformDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzPlatformDefaults.definitionID + parPolicyAssignmentName: take('${varSlzPlatformDefaults.libAssignment.name}${varSlzPlatformDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzPlatformDefaults.libAssignment.properties.displayName} ${varSlzPlatformDefaults.version}' + parPolicyAssignmentDescription: '${varSlzPlatformDefaults.libAssignment.properties.description} ${varSlzPlatformDefaults.version}' + parPolicyAssignmentParameters: varSlzPlatformDefaults.libAssignment.properties.parameters + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: 'Default' + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Platform Connectivity Management Group +module modPolicyAssignmentSlzConnectivityDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if 
(!empty(varSlzConnectivityDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.platformConnectivity) + name: varModuleDeploymentNames.modPolicyAssignmentConnectivityDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzConnectivityDefaults.definitionID + parPolicyAssignmentName: take('${varSlzConnectivityDefaults.libAssignment.name}${varSlzConnectivityDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzConnectivityDefaults.libAssignment.properties.displayName} ${varSlzConnectivityDefaults.version}' + parPolicyAssignmentDescription: '${varSlzConnectivityDefaults.libAssignment.properties.description} ${varSlzConnectivityDefaults.version}' + parPolicyAssignmentParameters: varSlzConnectivityDefaults.libAssignment.properties.parameters + parPolicyAssignmentIdentityType: 'SystemAssigned' + parPolicyAssignmentEnforcementMode: 'Default' + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor + ] + parPolicyAssignmentParameterOverrides: { + effect: { + value: parPolicyEffect + } + } + parTelemetryOptOut: true + } +} + +// Module - Policy Assignments - Platform Identity Management Group +module modPolicyAssignmentIdentityDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzIdentityDefaults.libDefinition.properties.policyDefinitions)) { + scope: managementGroup(varManagementGroupIDs.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentityDefaults + params: { + parPolicyAssignmentDefinitionId: varSlzIdentityDefaults.definitionID + parPolicyAssignmentName: take('${varSlzIdentityDefaults.libAssignment.name}${varSlzIdentityDefaults.version}', 24) + parPolicyAssignmentDisplayName: '${varSlzIdentityDefaults.libAssignment.properties.displayName} ${varSlzIdentityDefaults.version}' + parPolicyAssignmentDescription: 
'${varSlzIdentityDefaults.libAssignment.properties.description} ${varSlzIdentityDefaults.version}'
+ parPolicyAssignmentParameters: varSlzIdentityDefaults.libAssignment.properties.parameters
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parPolicyAssignmentParameterOverrides: {
+ effect: {
+ value: parPolicyEffect
+ }
+ }
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Platform Management Management Group
+module modPolicyAssignmentSlzManagementDefaults '../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzManagementDefaults.libDefinition.properties.policyDefinitions)) {
+ scope: managementGroup(varManagementGroupIDs.platformManagement)
+ name: varModuleDeploymentNames.modPolicyAssignmentManagementDefaults
+ params: {
+ parPolicyAssignmentDefinitionId: varSlzManagementDefaults.definitionID
+ parPolicyAssignmentName: take('${varSlzManagementDefaults.libAssignment.name}${varSlzManagementDefaults.version}', 24)
+ parPolicyAssignmentDisplayName: '${varSlzManagementDefaults.libAssignment.properties.displayName} ${varSlzManagementDefaults.version}'
+ parPolicyAssignmentDescription: '${varSlzManagementDefaults.libAssignment.properties.description} ${varSlzManagementDefaults.version}'
+ parPolicyAssignmentParameters: varSlzManagementDefaults.libAssignment.properties.parameters
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parPolicyAssignmentParameterOverrides: {
+ effect: {
+ value: parPolicyEffect
+ }
+ }
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parTelemetryOptOut: true
+ }
+}
+
+// Module - Policy Assignments - Sandbox Management Group
+module modPolicyAssignmentSlzSandboxDefaults 
'../../dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varSlzSandboxDefaults.libDefinition.properties.policyDefinitions)) {
+ scope: managementGroup(varManagementGroupIDs.sandbox)
+ name: varModuleDeploymentNames.modPolicyAssignmentSandboxDefaults
+ params: {
+ parPolicyAssignmentDefinitionId: varSlzSandboxDefaults.definitionID
+ parPolicyAssignmentName: take('${varSlzSandboxDefaults.libAssignment.name}${varSlzSandboxDefaults.version}', 24)
+ parPolicyAssignmentDisplayName: '${varSlzSandboxDefaults.libAssignment.properties.displayName} ${varSlzSandboxDefaults.version}'
+ parPolicyAssignmentDescription: '${varSlzSandboxDefaults.libAssignment.properties.description} ${varSlzSandboxDefaults.version}'
+ parPolicyAssignmentParameters: varSlzSandboxDefaults.libAssignment.properties.parameters
+ parPolicyAssignmentIdentityType: 'SystemAssigned'
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parPolicyAssignmentParameterOverrides: {
+ effect: {
+ value: parPolicyEffect
+ }
+ }
+ parPolicyAssignmentEnforcementMode: 'Default'
+ parTelemetryOptOut: true
+ }
+}
+
+output outSlzGlobalVersion string = varSlzGlobalDefaults.version
+output outSlzGlobalAssignmentName string = take('${varSlzGlobalDefaults.libAssignment.name}${varSlzGlobalDefaults.version}', 24)
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json
new file mode 100644
index 00000000..f7461d8c
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json
@@ -0,0 +1,274 @@
+{
+ "name": "Deploy-SLZ-Conf",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Confidential Policies",
+ "displayName": "SLZ Confidential Policies",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": []
+ },
+ "Resource Types": {
+ "value": [
+ "Microsoft.Attestation/attestationProviders",
+ "Microsoft.Compute/availabilitySets",
+ "Microsoft.Compute/capacityReservationGroups",
+ "Microsoft.Compute/capacityReservationGroups/capacityReservations",
+ "Microsoft.Compute/cloudServices",
+ "Microsoft.Compute/cloudServices/roles",
+ "Microsoft.Compute/cloudServices/roleInstances",
+ "Microsoft.Compute/cloudServices/networkInterfaces",
+ "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces",
+ "Microsoft.Compute/cloudServices/publicIPAddresses",
+ "Microsoft.Compute/disks",
+ "Microsoft.Compute/diskEncryptionSets",
+ "Microsoft.Compute/diskAccesses",
+ "Microsoft.Compute/galleries",
+ "Microsoft.Compute/galleries/images",
+ "Microsoft.Compute/galleries/images/versions",
+ "Microsoft.Compute/galleries/applications",
+ "Microsoft.Compute/galleries/applications/versions",
+ "Microsoft.Compute/hostGroups",
+ "Microsoft.Compute/hostGroups/hosts",
+ "Microsoft.Compute/images",
+ "Microsoft.Compute/locations",
+ "Microsoft.Compute/locations/artifactPublishers",
+ "Microsoft.Compute/locations/csoperations",
+ "Microsoft.Compute/locations/cloudServiceOsVersions",
+ "Microsoft.Compute/locations/cloudServiceOsFamilies",
+ "Microsoft.Compute/locations/capsoperations",
+ "Microsoft.Compute/locations/communityGalleries",
+ "Microsoft.Compute/locations/diagnostics",
+ "Microsoft.Compute/locations/diagnosticOperations",
+ "Microsoft.Compute/locations/diskoperations",
+ "Microsoft.Compute/locations/edgeZones",
+ "Microsoft.Compute/locations/edgeZones/vmimages",
+ "Microsoft.Compute/locations/edgeZones/publishers",
+ "Microsoft.Compute/locations/galleries",
+ "Microsoft.Compute/locations/logAnalytics", + "Microsoft.Compute/locations/recommendations", + "Microsoft.Compute/locations/runCommands", + "Microsoft.Compute/locations/sharedGalleries", + "Microsoft.Compute/locations/spotEvictionRates", + "Microsoft.Compute/locations/spotPriceHistory", + "Microsoft.Compute/locations/operations", + "Microsoft.Compute/locations/publishers", + "Microsoft.Compute/locations/usages", + "Microsoft.Compute/locations/vmSizes", + "Microsoft.Compute/locations/virtualMachines", + "Microsoft.Compute/locations/virtualMachineScaleSets", + "Microsoft.Compute/operations", + "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachines/applications", + "Microsoft.Compute/virtualMachines/extensions", + "Microsoft.Compute/virtualMachines/metricDefinitions", + "Microsoft.Compute/virtualMachines/runCommands", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Compute/virtualMachineScaleSets/applications", + "Microsoft.Compute/virtualMachineScaleSets/extensions", + "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces", + "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces", + "Microsoft.Compute/restorePointCollections", + "Microsoft.Compute/restorePointCollections/restorePoints", + "Microsoft.Compute/proximityPlacementGroups", + "Microsoft.Compute/sshPublicKeys", + "Microsoft.Compute/sharedVMImages", + "Microsoft.Compute/sharedVMImages/versions", + "Microsoft.Compute/snapshots", + "Microsoft.ConfidentialLedger/checkNameAvailability", + "Microsoft.ConfidentialLedger/Ledgers", + "Microsoft.ConfidentialLedger/Locations", + "Microsoft.ConfidentialLedger/Locations/operations", + 
"Microsoft.ConfidentialLedger/Locations/operationstatuses", + "Microsoft.ConfidentialLedger/ManagedCCFs", + "Microsoft.ContainerService/managedClusters", + "Microsoft.ContainerService/managedClusters/agentPools", + "Microsoft.HardwareSecurityModules/dedicatedHSMs", + "Microsoft.HardwareSecurityModules/locations", + "Microsoft.HardwareSecurityModules/locations/operationResults", + "Microsoft.HardwareSecurityModules/operations", + "Microsoft.KeyVault/hsmPools", + "Microsoft.KeyVault/managedHSMs", + "Microsoft.KeyVault/locations/managedHsmOperationResults", + "Microsoft.KeyVault/checkMhsmNameAvailability", + "Microsoft.KeyVault/checkNameAvailability", + "Microsoft.KeyVault/deletedManagedHSMs", + "Microsoft.KeyVault/deletedVaults", + "Microsoft.KeyVault/locations", + "Microsoft.KeyVault/locations/deletedManagedHSMs", + "Microsoft.KeyVault/locations/deletedVaults", + "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.KeyVault/locations/operationResults", + "Microsoft.KeyVault/managedHSMs/privateEndpointConnections", + "Microsoft.KeyVault/operations", + "Microsoft.KeyVault/vaults", + "Microsoft.KeyVault/vaults/accessPolicies", + "Microsoft.KeyVault/vaults/eventGridFilters", + "Microsoft.KeyVault/vaults/keys", + "Microsoft.KeyVault/vaults/keys/versions", + "Microsoft.KeyVault/vaults/privateEndpointConnections", + "Microsoft.KeyVault/vaults/secrets", + "Microsoft.Kubernetes/connectedClusters", + "Microsoft.Kubernetes/locations", + "Microsoft.Kubernetes/locations/operationStatuses", + "Microsoft.Kubernetes/registeredSubscriptions", + "Microsoft.Kubernetes/Operations", + "Microsoft.KubernetesConfiguration/sourceControlConfigurations", + "Microsoft.KubernetesConfiguration/extensions", + "Microsoft.KubernetesConfiguration/fluxConfigurations", + "Microsoft.KubernetesConfiguration/operations", + "Microsoft.KubernetesConfiguration/privateLinkScopes", + "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections", + 
"Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies", + "Microsoft.ManagedIdentity/userAssignedIdentities", + "Microsoft.Network/ddosProtectionPlans", + "Microsoft.Network/loadBalancers", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/privateDnsZones", + "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "Microsoft.Network/privateEndpoints", + "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworks/subnets", + "Microsoft.Resources/deployments", + "Microsoft.Sql/locations/syncDatabaseIds", + "Microsoft.Sql/locations/longTermRetentionServers", + "Microsoft.Sql/locations/longTermRetentionBackups", + "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults", + "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation", + "Microsoft.Sql/locations/longTermRetentionBackupOperationResults", + "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation", + "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults", + "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation", + "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults", + "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation", + "Microsoft.Sql/locations/instanceFailoverGroups", + "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation", + "Microsoft.Sql/locations/instanceFailoverGroupOperationResults", + "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults", + "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation", + "Microsoft.Sql/locations/privateEndpointConnectionOperationResults", + "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation", + "Microsoft.Sql/locations/outboundFirewallRulesOperationResults", + 
"Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation", + "Microsoft.Sql/locations/notifyAzureAsyncOperation", + "Microsoft.Sql/locations/serverTrustGroups", + "Microsoft.Sql/locations/serverTrustGroupOperationResults", + "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation", + "Microsoft.Sql/locations/managedDatabaseMoveOperationResults", + "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation", + "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation", + "Microsoft.Sql/locations/connectionPoliciesOperationResults", + "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation", + "Microsoft.Sql/locations/replicationLinksOperationResults", + "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation", + "Microsoft.Sql/servers", + "Microsoft.Sql/servers/advancedThreatProtectionSettings", + "Microsoft.Sql/servers/advisors", + "Microsoft.Sql/servers/auditingPolicies", + "Microsoft.Sql/servers/auditingSettings", + "Microsoft.Sql/servers/connectionPolicies", + "Microsoft.Sql/servers/databases", + "Microsoft.Sql/servers/databases/advisors", + "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings", + "Microsoft.Sql/servers/databases/auditingPolicies", + "Microsoft.Sql/servers/databases/auditingSettings", + "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies", + "Microsoft.Sql/servers/databases/extendedAuditingSettings", + "Microsoft.Sql/servers/databases/geoBackupPolicies", + "Microsoft.Sql/servers/databases/ledgerDigestUploads", + "Microsoft.Sql/servers/databases/securityAlertPolicies", + "Microsoft.Sql/servers/databases/transparentDataEncryption", + "Microsoft.Sql/servers/databases/transparentDataEncryption", + "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "Microsoft.Sql/servers/devOpsAuditingSettings", + "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings", + 
"Microsoft.Sql/servers/encryptionProtector", + "Microsoft.Sql/servers/extendedAuditingSettings", + "Microsoft.Sql/servers/firewallRules", + "Microsoft.Sql/servers/keys", + "Microsoft.Sql/servers/securityAlertPolicies", + "Microsoft.Sql/servers/sqlVulnerabilityAssessments", + "Microsoft.Sql/servers/vulnerabilityAssessments" + ] + }, + "Virtual Machine SKUs": { + "value": [ + "Standard_DC1s_v2", + "Standard_DC2s_v2", + "Standard_DC4s_v2", + "Standard_DC8_v2", + "Standard_DC1s_v3", + "Standard_DC2s_v3", + "Standard_DC4s_v3", + "Standard_DC8s_v3", + "Standard_DC16s_v3", + "Standard_DC24s_v3", + "Standard_DC32s_v3", + "Standard_DC48s_v3", + "Standard_DC1ds_v3", + "Standard_DC2ds_v3", + "Standard_DC4ds_v3", + "Standard_DC8ds_v3", + "Standard_DC16ds_v3", + "Standard_DC24ds_v3", + "Standard_DC32ds_v3", + "Standard_DC48ds_v3", + "Standard_DC2ads_v5", + "Standard_DC2as_v5", + "Standard_DC4ads_v5", + "Standard_DC4as_v5", + "Standard_DC8ads_v5", + "Standard_DC8as_v5", + "Standard_DC16ads_v5", + "Standard_DC16as_v5", + "Standard_DC32ads_v5", + "Standard_DC32as_v5", + "Standard_DC48ads_v5", + "Standard_DC48as_v5", + "Standard_DC64ads_v5", + "Standard_DC64as_v5", + "Standard_DC96ads_v5", + "Standard_DC96as_v5", + "Standard_EC2ads_v5", + "Standard_EC2as_v5", + "Standard_EC4ads_v5", + "Standard_EC4as_v5", + "Standard_EC8ads_v5", + "Standard_EC8as_v5", + "Standard_EC16ads_v5", + "Standard_EC16as_v5", + "Standard_EC20ads_v5", + "Standard_EC20as_v5", + "Standard_EC32ads_v5", + "Standard_EC32as_v5", + "Standard_EC48ads_v5", + "Standard_EC48as_v5", + "Standard_EC64ads_v5", + "Standard_EC64as_v5", + "Standard_EC96ads_v5", + "Standard_EC96as_v5", + "Standard_EC96iads_v5", + "Standard_EC96ias_v5" + ] + } + }, + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConfidentialPolicies", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} 
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_connectivity_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_connectivity_defaults.tmpl.json
new file mode 100644
index 00000000..b06743c1
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_connectivity_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Connectivity",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Connectivity Policies",
+ "displayName": "SLZ Connectivity Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConnectivityPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_corp_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_corp_defaults.tmpl.json
new file mode 100644
index 00000000..d200a167
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_corp_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Corp",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Corp Policies",
+ "displayName": "SLZ Corp Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzCorpPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_decommissioned_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_decommissioned_defaults.tmpl.json
new file mode 100644
index 00000000..eaddbff0
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_decommissioned_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Decom-Deployment",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Decommissioned Policies",
+ "displayName": "SLZ Decommissioned Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzDecommissionedPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_identity_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_identity_defaults.tmpl.json
new file mode 100644
index 00000000..ecac01bc
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_identity_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Identity",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Identity Policies",
+ "displayName": "SLZ Identity Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzIdentityPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_landing_zones_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_landing_zones_defaults.tmpl.json
new file mode 100644
index 00000000..a0d56c36
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_landing_zones_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-LZs",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Landing Zones Policies",
+ "displayName": "SLZ Landing Zones Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzLandingZonesPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_management_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_management_defaults.tmpl.json
new file mode 100644
index 00000000..d96fb3f7
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_management_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Management",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Management Policies",
+ "displayName": "SLZ Management Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzManagementPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_online_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_online_defaults.tmpl.json
new file mode 100644
index 00000000..a6a607e6
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_online_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Online",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Online Policies",
+ "displayName": "SLZ Online Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}uthorization/policySetDefinitions/SlzGlobalPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_platform_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_platform_defaults.tmpl.json
new file mode 100644
index 00000000..e8da5693
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_platform_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Plat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Platform Policies",
+ "displayName": "SLZ Platform Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzPlatformPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
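Review bot: In the online template the `policyDefinitionId` value is corrupted — `"${varTargetManagementGroupResourceId}uthorization/policySetDefinitions/SlzGlobalPolicies"` has lost the `/providers/Microsoft.A` segment that every sibling template carries, so the rendered resource ID will not resolve and the assignment deployment will fail. It also names `SlzGlobalPolicies`, which the global template in this commit already assigns at the root, so even with the path repaired the online management group would receive a second copy of the global set rather than an online-specific one. The line should follow the sibling pattern, `"policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/<online policy set name>",` with the set name taken from the matching definition under `modules/compliance/policySetDefinitions` (presumably it follows the `Slz<Scope>Policies` convention the other templates use — confirm before merging).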
diff --git a/modules/compliance/policyAssignments/policy_assignment_deploy_slz_sandbox_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_sandbox_defaults.tmpl.json
new file mode 100644
index 00000000..2321d3fa
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignment_deploy_slz_sandbox_defaults.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SLZ-Sand",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Sandbox Policies",
+ "displayName": "SLZ Sandbox Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzSandboxPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyAssignments/policy_assignmnet_deploy_slz_global_defaults.tmpl.json b/modules/compliance/policyAssignments/policy_assignmnet_deploy_slz_global_defaults.tmpl.json
new file mode 100644
index 00000000..af6c1861
--- /dev/null
+++ b/modules/compliance/policyAssignments/policy_assignmnet_deploy_slz_global_defaults.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SLZ-Root",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Global Policies",
+ "displayName": "SLZ Global Policies",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": []
+ }
+ },
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzGlobalPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/modules/compliance/policyExemptions.bicep b/modules/compliance/policyExemptions.bicep
new file mode 100644
index 00000000..59860f0c
--- /dev/null
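Review bot: The global template's path, `modules/compliance/policyAssignments/policy_assignmnet_deploy_slz_global_defaults.tmpl.json`, spells `assignmnet` where every sibling file uses `policy_assignment_`; renaming it to `policy_assignment_deploy_slz_global_defaults.tmpl.json` keeps the library consistent and stops the typo leaking into whatever loads these templates by path (that reference must change in the same commit). Its `name` is `Deploy-SLZ-Root` while `displayName` and `description` say `SLZ Global Policies` and the Bicep outputs earlier in this commit are `outSlzGlobal…`; either align the name with the display name or add a README line explaining that the root naming is intentional — note that the assignment name feeds the deployed resource name via `take('${…libAssignment.name}${…version}', 24)`, so a rename after first deployment creates a new assignment rather than updating the existing one.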
+++ b/modules/compliance/policyExemptions.bicep
@@ -0,0 +1,55 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Creates a Policy Exemption for a Policy Assignment in a Management Group
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('Policy Assignment Name')
+param parPolicyAssignmentName string
+
+@description('Policy Assignment Scope Name')
+param parPolicyAssignmentScopeName string
+
+@description('SLZ Policy Set Assignment id')
+param parPolicyAssignmentId string = '/providers/microsoft.management/managementgroups/${parPolicyAssignmentScopeName}/providers/microsoft.authorization/policyassignments/${parPolicyAssignmentName}'
+
+@allowed([
+ 'Waiver'
+ 'Mitigated'
+])
+@description('Exemption Category Default - Waiver')
+param parExemptionCategory string = 'Waiver'
+
+@description('Description')
+param parDescription string
+
+@allowed([
+ 'Default'
+ 'DoNotValidate'
+])
+@description('Assignment Scope')
+param parAssignmentScopeValidation string = 'Default'
+
+@description('Reference ids of Policies to be exempted')
+param parPolicyDefinitionReferenceIds array
+
+@description('Exemption Name')
+param parExemptionName string
+
+@description('Exemption Display Name')
+param parExemptionDisplayName string
+
+// Create Policy Exemption
+resource resPolicyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
+ name: parExemptionName
+ properties: {
+ assignmentScopeValidation: parAssignmentScopeValidation
+ description: parDescription
+ displayName: parExemptionDisplayName
+ exemptionCategory: parExemptionCategory
+ policyAssignmentId: parPolicyAssignmentId
+ policyDefinitionReferenceIds: parPolicyDefinitionReferenceIds
+ }
+}
diff --git a/modules/compliance/policyRemediation.bicep b/modules/compliance/policyRemediation.bicep
new file mode 100644
index 00000000..bfcd8c9b
--- /dev/null
+++ b/modules/compliance/policyRemediation.bicep
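Review bot: `resPolicyExemption` never sets `expiresOn`, so every exemption created through this module is open-ended; exemptions are the sanctioned way to bypass a control, and a time-box is what keeps a `Waiver` from quietly becoming permanent. Add `@description('Expiry of the exemption (ISO 8601 date-time); open-ended when empty')` / `param parExpiresOn string = ''` and set `expiresOn: empty(parExpiresOn) ? null : parExpiresOn` inside `properties`, so callers opt into an open-ended exemption rather than getting one by default. Separately, `parPolicyAssignmentScopeName` and `parPolicyAssignmentName` stay required even when a caller supplies `parPolicyAssignmentId` directly, which the default-value construction suggests was not the intent. The `@description` strings `'Description'` and `'Exemption Category Default - Waiver'` would be more useful as `'Reason for the exemption (recorded on the exemption resource)'` and `'Exemption category (default: Waiver)'`.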
@@ -0,0 +1,42 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Creates a Policy Remediation for a Policy Set Assignment or a Policy Assignment in a Management Group
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('Exemption Name')
+param parPolicyRemediationName string
+
+@description('Policy Set Assignment id')
+param parPolicyAssignmentId string
+
+@description('Reference ids of Policy to be remediated')
+param parPolicyDefinitionReferenceId string
+
+@allowed([
+ 'ExistingNonCompliant'
+ 'ReEvaluateCompliance'
+])
+@description('Remediation Discovery Mode - ExistingNonCompliant')
+param parResourceDiscoveryMode string = 'ExistingNonCompliant'
+
+// Policy Remediation for Policy Set Assignment
+resource resPolicySetRemediation 'Microsoft.PolicyInsights/remediations@2021-10-01' = if (parPolicyDefinitionReferenceId != null) {
+ name: take('${parPolicyRemediationName}-${parPolicyDefinitionReferenceId}', 64)
+ properties: {
+ policyAssignmentId: parPolicyAssignmentId
+ policyDefinitionReferenceId: parPolicyDefinitionReferenceId
+ resourceDiscoveryMode: parResourceDiscoveryMode
+ }
+}
+
+// Policy Remediation for Policy Assignment
+resource resPolicyRemediation 'Microsoft.PolicyInsights/remediations@2021-10-01' = if (parPolicyDefinitionReferenceId == null) {
+ name: parPolicyRemediationName
+ properties: {
+ policyAssignmentId: parPolicyAssignmentId
+ resourceDiscoveryMode: parResourceDiscoveryMode
+ }
+}
diff --git a/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json b/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json
new file mode 100644
index 00000000..8c9c51e9
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json
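Review bot: `parPolicyRemediationName` is annotated `@description('Exemption Name')`, a copy-paste from the exemption module; it should read `@description('Remediation Name')`. Both `if` conditions compare `parPolicyDefinitionReferenceId` with `null`, but the parameter is a required, non-nullable `string`, so the `== null` branch that creates `resPolicyRemediation` can only be reached if a caller passes `null` explicitly, and as far as I can tell omitting the parameter fails the deployment instead of selecting that branch; if the intent is "remediate the whole assignment when no reference id is given", the conventional shape is `param parPolicyDefinitionReferenceId string = ''` with `if (!empty(parPolicyDefinitionReferenceId))` and `if (empty(parPolicyDefinitionReferenceId))`. Also, `take('${parPolicyRemediationName}-${parPolicyDefinitionReferenceId}', 64)` can truncate away exactly the reference-id suffix that distinguishes two remediations of the same assignment — a comment stating the assumed length budget for the name, or truncating the prefix rather than the suffix, would make that explicit.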
@@ -0,0 +1,309 @@ +{ + "properties": { + "displayName": "SLZ Confidential Policies", + "policyType": "Custom", + "description": "Policies to enforce confidential computing", + "metadata": { + "category": "Regulatory Compliance", + "version": "0.3.0" + }, + "parameters": { + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Execution of the policy" + }, + "allowedValues": ["Audit", "Deny", "Disabled", "AuditIfNotExists"], + "defaultValue": "Deny" + }, + "listOfAllowedLocations": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "asia", + "asiapacific", + "australia", + "australiacentral", + "australiacentral2", + "australiaeast", + "australiasoutheast", + "brazil", + "brazilsouth", + "brazilsoutheast", + "canada", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "centraluseuap", + "centralusstage", + "eastasia", + "eastasiastage", + "eastus", + "eastus2", + "eastus2euap", + "eastus2stage", + "eastusstage", + "eastusstg", + "europe", + "france", + "francecentral", + "francesouth", + "germany", + "germanynorth", + "germanywestcentral", + "global", + "india", + "japan", + "japaneast", + "japanwest", + "jioindiacentral", + "jioindiawest", + "korea", + "koreacentral", + "koreasouth", + "northcentralus", + "northcentralusstage", + "northeurope", + "norway", + "norwayeast", + "norwaywest", + "qatarcentral", + "singapore", + "southafrica", + "southafricanorth", + "southafricawest", + "southcentralus", + "southcentralusstage", + "southcentralusstg", + "southeastasia", + "southeastasiastage", + "southindia", + "swedencentral", + "switzerland", + "switzerlandnorth", + "switzerlandwest", + "uae", + "uaecentral", + "uaenorth", + "uk", + "uksouth", + "ukwest", + "unitedstates", + "unitedstateseuap", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "westus2stage", + "westus3", + "westusstage" + ], + "metadata": { + "displayName": "Allowed locations", + "description": "The 
list of locations that can be specified when deploying resources", + "strongType": "location" + } + }, + "Resource Types": { + "type": "array", + "metadata": { + "displayName": "Resource Types", + "description": null, + "strongType": "resourceTypes" + }, + "defaultValue": [] + }, + "Virtual Machine SKUs": { + "type": "array", + "metadata": { + "displayName": "Virtual Machine SKUs", + "strongType": "vmSKUs" + }, + "defaultValue": [] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AllowedLocationsForResourceGroups", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "parameters": { + "listOfAllowedLocations": { + "value": "[[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": ["dashboard-Data Residency"] + }, + { + "policyDefinitionReferenceId": "AllowedLocations", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "parameters": { + "listOfAllowedLocations": { + "value": "[[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": ["dashboard-Data Residency"] + }, + { + "policyDefinitionReferenceId": "Azure Cosmos DB allowed locations_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684", + "parameters": { + "listOfAllowedLocations": { + "value": "[[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": ["dashboard-Data Residency"] + }, + { + "policyDefinitionReferenceId": "[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup dat_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "Managed disks should be double encrypted with both 
platform-managed and customer-managed keys_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by cu_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "SQL servers should use customer-managed keys to encrypt data at rest_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "PostgreSQL servers should use customer-managed keys to encrypt data at rest_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": {}, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "MySQL servers should use customer-managed keys to encrypt data at rest_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": {}, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "SQL managed instances should use customer-managed keys to encrypt data at rest_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key 
Management"] + }, + { + "policyDefinitionReferenceId": "Storage accounts should use customer-managed key for encryption_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": {}, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "Table Storage should use customer-managed key for encryption_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "HPC Cache accounts should use customer-managed key for encryption_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "Storage account encryption scopes should use customer-managed keys to encrypt data at rest_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "Queue Storage should use customer-managed key for encryption_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": ["dashboard-Key Management"] + }, + { + "policyDefinitionReferenceId": "Allowed resource types", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", + "parameters": { + "listOfResourceTypesAllowed": { + "value": 
"[[parameters('Resource Types')]" + } + }, + "groupNames": ["dashboard-Confidential Computing"] + }, + { + "policyDefinitionReferenceId": "Allowed virtual machine size SKUs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3", + "parameters": { + "listOfAllowedSKUs": { + "value": "[[parameters('Virtual Machine SKUs')]" + } + }, + "groupNames": ["dashboard-Confidential Computing"] + } + ], + "policyDefinitionGroups": [ + { + "name": "dashboard-Data Residency", + "category": "Residency", + "description": "Control where regional Azure resources are deployed and used" + }, + { + "name": "dashboard-Key Management", + "category": "Encryption", + "description": "Customer should have control of keys used for encryption and decryption while also using best practices for key strength and security." + }, + { + "name": "dashboard-Confidential Computing", + "category": "Encryption", + "description": "Confidential workloads should be protected from unauthorized access while data is in use." + } + ] + }, + "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConfidentialPolicies", + "type": "Microsoft.Authorization/policySetDefinitions", + "name": "SlzConfidentialPolicies" +} diff --git a/modules/compliance/policySetDefinitions/slzConnectivityDefaults.json b/modules/compliance/policySetDefinitions/slzConnectivityDefaults.json new file mode 100644 index 00000000..0910980b --- /dev/null +++ b/modules/compliance/policySetDefinitions/slzConnectivityDefaults.json 
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Connectivity Policies",
+ "description": "SLZ Connectivity Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConnectivityPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzConnectivityPolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzCorpDefaults.json b/modules/compliance/policySetDefinitions/slzCorpDefaults.json
new file mode 100644
index 00000000..f5182c64
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzCorpDefaults.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Corp Policies",
+ "description": "SLZ Corp Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzCorpPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzCorpPolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzDecommissionedDefaults.json b/modules/compliance/policySetDefinitions/slzDecommissionedDefaults.json
new file mode 100644
index 00000000..d267f6f5
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzDecommissionedDefaults.json
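Review bot: These placeholder initiatives (Connectivity and Corp here; Decommissioned, Identity, Landing Zone, Management, Online, Platform and Sandbox later in the diff) carry `"policyDefinitions": []`, and as far as I recall Azure Policy rejects a policy set definition with no member policies, so whichever Bicep consumes these files presumably has to skip empty sets before deploying them; confirm that guard exists, or the deployment fails on the first of them. A hint in each `description` such as `"Placeholder initiative; no policies assigned yet"` would also stop readers from assuming those archetypes are already governed, since the `displayName` alone suggests a populated set.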
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Decommissioned Policies",
+ "description": "SLZ Decommissioned Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzDecommissionedPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzDecommissionedPolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzGlobalDefaults.json b/modules/compliance/policySetDefinitions/slzGlobalDefaults.json
new file mode 100644
index 00000000..302537fd
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzGlobalDefaults.json
@@ -0,0 +1,151 @@ +{ + "properties": { + "displayName": "SLZ Global Policies", + "policyType": "Custom", + "description": "Default Sovereign Landing Zone (SLZ) policies", + "metadata": { + "category": "Regulatory Compliance", + "version": "0.3.0" + }, + "parameters": { + "listOfAllowedLocations": { + "type": "array", + "defaultValue": [], + "allowedValues": [ + "asia", + "asiapacific", + "australia", + "australiacentral", + "australiacentral2", + "australiaeast", + "australiasoutheast", + "brazil", + "brazilsouth", + "brazilsoutheast", + "canada", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "centraluseuap", + "centralusstage", + "eastasia", + "eastasiastage", + "eastus", + "eastus2", + "eastus2euap", + "eastus2stage", + "eastusstage", + "eastusstg", + "europe", + "france", + "francecentral", + "francesouth", + "germany", + "germanynorth", + "germanywestcentral", + "global", + "india", + "japan", + "japaneast", + "japanwest", + "jioindiacentral", + "jioindiawest", + "korea", + "koreacentral", + "koreasouth", + "northcentralus", + "northcentralusstage", + "northeurope", + "norway", + "norwayeast", + "norwaywest", + "qatarcentral", + "singapore", + "southafrica", + "southafricanorth", + "southafricawest", + "southcentralus", + "southcentralusstage", + "southcentralusstg", + "southeastasia", + "southeastasiastage", + "southindia", + "swedencentral", + "switzerland", + "switzerlandnorth", + "switzerlandwest", + "uae", + "uaecentral", + "uaenorth", + "uk", + "uksouth", + "ukwest", + "unitedstates", + "unitedstateseuap", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "westus2stage", + "westus3", + "westusstage" + ], + "metadata": { + "displayName": "Allowed locations", + "description": "The list of locations that can be specified when deploying resources", + "strongType": "location" + } + } + }, + "policyDefinitionGroups": [ + { + "name": "dashboard-Data Residency", + "category": "Residency", + "description": 
"Control where regional Azure resources are deployed and used" + } + ], + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AllowedLocationsForResourceGroups", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "parameters": { + "listOfAllowedLocations": { + "value": "[[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": [ + "dashboard-Data Residency" + ] + }, + { + "policyDefinitionReferenceId": "AllowedLocations", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "parameters": { + "listOfAllowedLocations": { + "value": "[[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": [ + "dashboard-Data Residency" + ] + }, + { + "policyDefinitionReferenceId": "Azure Cosmos DB allowed locations_1", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684", + "parameters": { + "listOfAllowedLocations": { + "value": "[[parameters('listOfAllowedLocations')]" + } + }, + "groupNames": [ + "dashboard-Data Residency" + ] + } + ] + }, + "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzGlobalPolicies", + "type": "Microsoft.Authorization/policySetDefinitions", + "name": "SlzGlobalPolicies" +} diff --git a/modules/compliance/policySetDefinitions/slzIdentityDefaults.json b/modules/compliance/policySetDefinitions/slzIdentityDefaults.json new file mode 100644 index 00000000..c12d1690 --- /dev/null +++ b/modules/compliance/policySetDefinitions/slzIdentityDefaults.json 
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Identity Policies",
+ "description": "SLZ Identity Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzIdentityPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzIdentityPolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzLandingZoneDefaults.json b/modules/compliance/policySetDefinitions/slzLandingZoneDefaults.json
new file mode 100644
index 00000000..f4397eb8
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzLandingZoneDefaults.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Landing Zone Policies",
+ "description": "SLZ Landing Zone Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzLandingZonesPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzLandingZonesPolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzManagementDefaults.json b/modules/compliance/policySetDefinitions/slzManagementDefaults.json
new file mode 100644
index 00000000..ed217d81
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzManagementDefaults.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Management Policies",
+ "description": "SLZ Management Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzManagementPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzManagementPolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzOnlineDefaults.json b/modules/compliance/policySetDefinitions/slzOnlineDefaults.json
new file mode 100644
index 00000000..d0360efe
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzOnlineDefaults.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Online Policies",
+ "description": "SLZ Online Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzOnlinePolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzOnlinePolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzPlatformDefaults.json b/modules/compliance/policySetDefinitions/slzPlatformDefaults.json
new file mode 100644
index 00000000..724594a6
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzPlatformDefaults.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Platform Policies",
+ "description": "SLZ Platform Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzPlatformPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzPlatformPolicies"
+}
diff --git a/modules/compliance/policySetDefinitions/slzSandboxDefaults.json b/modules/compliance/policySetDefinitions/slzSandboxDefaults.json
new file mode 100644
index 00000000..cc153d76
--- /dev/null
+++ b/modules/compliance/policySetDefinitions/slzSandboxDefaults.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Sandbox Policies",
+ "description": "SLZ Sandbox Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzSandboxPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzSandboxPolicies"
+}
diff --git a/modules/customRoles/customRoleAssignment.bicep b/modules/customRoles/customRoleAssignment.bicep
new file mode 100644
index 00000000..671daeee
--- /dev/null
+++ b/modules/customRoles/customRoleAssignment.bicep
@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Creates a role assignment at the management group scope
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('Role Definition Id')
+param parRoleDefinitionId string
+
+@description('Principal Id of resource for role assignment')
+param parPrincipalId string
+
+@description('Service principal type')
+@allowed([
+ 'Device'
+ 'ForeignGroup'
+ 'Group'
+ 'ServicePrincipal'
+ 'User'
+])
+param parPrincipalType string
+
+@description('A GUID representing the role assignment name. Default: guid(managementGroup().name, parRoleDefinitionId, parPrincipalId)')
+var varRoleAssignmentName = guid(managementGroup().name, parRoleDefinitionId, parPrincipalId)
+
+// Create role assignment
+resource resRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ scope: managementGroup()
+ name: varRoleAssignmentName
+ properties: {
+ roleDefinitionId: parRoleDefinitionId
+ principalId: parPrincipalId
+ principalType: parPrincipalType
+ }
+}
diff --git a/modules/customRoles/customRoleDefinition.bicep b/modules/customRoles/customRoleDefinition.bicep
new file mode 100644
index 00000000..112c4613
--- /dev/null
+++ b/modules/customRoles/customRoleDefinition.bicep
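Review bot: `@description('Service principal type')` on `parPrincipalType` is misleading, since the `@allowed` list covers users, groups, devices and foreign groups as well as service principals; `@description('Type of the principal being assigned: User, Group, ServicePrincipal, Device or ForeignGroup')` matches what the parameter accepts. Role assignments also carry a `description` property, which is what a reviewer of management-group-level grants sees in the portal and in activity logs; an optional `param parDescription string = ''` passed as `description: empty(parDescription) ? null : parDescription` lets callers record the justification without changing existing calls. The `@description` on `varRoleAssignmentName` says "Default:" as if it were a parameter, but it is a `var` and cannot be overridden, so either expose it as a parameter or drop that word.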
@@ -0,0 +1,42 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Creates a custom role definition at the management group scope
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('Array of actions for the roleDefinition')
+param parActions array = []
+
+@description('Array of notActions for the roleDefinition')
+param parNotActions array = []
+
+@description('Friendly name of the role definition')
+param parRoleName string
+
+@description('Detailed description of the role definition')
+param parRoleDescription string
+
+var varRoleDefName = guid(managementGroup().id, parRoleName)
+
+// Create the role definition
+resource resRoleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: varRoleDefName
+ properties: {
+ roleName: parRoleName
+ description: parRoleDescription
+ type: 'customRole'
+ permissions: [
+ {
+ actions: parActions
+ notActions: parNotActions
+ }
+ ]
+ assignableScopes: [
+ managementGroup().id
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDef.id
diff --git a/modules/dashboard/dashboard.bicep b/modules/dashboard/dashboard.bicep
new file mode 100644
index 00000000..a1dc500d
--- /dev/null
+++ b/modules/dashboard/dashboard.bicep
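Review bot: The `permissions` block exposes only `actions` and `notActions`, so a caller cannot define a role that needs data-plane rights; adding `param parDataActions array = []` and `param parNotDataActions array = []` and passing them as `dataActions: parDataActions` and `notDataActions: parNotDataActions` beside the existing two keeps the interface backward-compatible. The description on `parNotActions` should state that `notActions` only subtracts from `actions` and is not a deny rule, since that misreading is how over-broad roles usually get built. Nothing stops `parActions` from containing `*`, which together with `assignableScopes: [managementGroup().id]` produces an Owner-equivalent custom role for the whole hierarchy; that is the caller's responsibility, but the `@description` on `parActions` is the place to say so.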
@@ -0,0 +1,942 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. +/* + SUMMARY : This template deploys a dashboard with all the compliance tiles for the SLZ + AUTHOR/S: Cloud for Sovereignty +*/ +@description('The name of the Dashboard') +param parDashboardName string + +@description('The deployment location.') +param parLocation string + +@description('The name of the country or agency SLZ is being deployed for. DEFAULT: Country') +param parCountryOrAgencyName string + +@description('The prefix that will be added to all resources created by this deployment. E.g. mcfs') +@minLength(2) +@maxLength(5) +param parDeploymentPrefix string + +@description('Tags to be added to deployed resources') +param parTags object + +// Header +var varMarkdownHeaderText = loadTextContent('./templates/markdownPart.md') + +// Load Query from Text Files +var varResourceComplianceScoreText = loadTextContent('./templates/resourceComplianceScore.csl') +var varResourcesbyComplianceStateText = loadTextContent('./templates/resourcesbyComplianceState.csl') +var varCompliancebySubscriptionText = loadTextContent('./templates/compliancebySubscription.csl') +var varCompliancebyPolicyInitiativeText = loadTextContent('./templates/compliancebyPolicyInitiative.csl') +var varListofNonCompliantResourcesText = loadTextContent('./templates/listofNonCompliantResources.csl') +var varResourcesOutsideofSafeRegionText = loadTextContent('./templates/resourcesOutsideofSafeRegion.csl') +var varListofResourcesExemptofDataResidentPolicyText = loadTextContent('./templates/listofResourcesExemptofDataResidentPolicy.csl') +var varListofResourcesOutsideofSafeRegionText = loadTextContent('./templates/listofResourcesOutsideofSafeRegion.csl') +var varConfidentialityScoreText = loadTextContent('./templates/confidentialityScore.csl') +var varDataResidencyScoreText = loadTextContent('./templates/dataResidencyScore.csl') +var varListOfResourcesExemptOfConfidentialPoliciesText = 
loadTextContent('./templates/listOfResourcesExemptOfConfidentialPolicies.csl') +var varComplianceByPolicyGroupText = loadTextContent('./templates/complianceByPolicyGroup.csl') +var varComplianceScoreForStoragePolicyGroupText = loadTextContent('./templates/complianceScoreForStoragePolicyGroup.csl') +var varComplianceScoreForTransportPolicyGroupText = loadTextContent('./templates/complianceScoreForTransportPolicyGroup.csl') +var varComplianceScoreForConfidentialComputingPolicyGroupText = loadTextContent('./templates/complianceScoreForConfidentialComputingPolicyGroup.csl') + +// Queries +var varResourceComplianceScoreQuery = replace(varResourceComplianceScoreText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varResourcesbyComplianceStateQuery = replace(varResourcesbyComplianceStateText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varCompliancebyPolicyInitiativeQuery = replace(varCompliancebyPolicyInitiativeText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varCompliancebySubscriptionQuery = replace(varCompliancebySubscriptionText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varListofNonCompliantResourcesQuery = replace(varListofNonCompliantResourcesText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varResourcesOutsideofSafeRegionQuery = replace(varResourcesOutsideofSafeRegionText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varListofResourcesExemptofDataResidentPolicyQuery = replace(varListofResourcesExemptofDataResidentPolicyText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varListofResourcesOutsideofSafeRegionQuery = replace(varListofResourcesOutsideofSafeRegionText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varConfidentialityScoreQuery = replace(varConfidentialityScoreText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varDataResidencyScoreQuery = replace(varDataResidencyScoreText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varListOfResourcesExemptOfConfidentialPoliciesQuery = 
replace(varListOfResourcesExemptOfConfidentialPoliciesText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varComplianceByPolicyGroupQuery = replace(varComplianceByPolicyGroupText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varComplianceScoreForStoragePolicyGroupQuery = replace(varComplianceScoreForStoragePolicyGroupText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varComplianceScoreForTransportPolicyGroupQuery = replace(varComplianceScoreForTransportPolicyGroupText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) +var varComplianceScoreForConfidentialComputingPolicyGroupQuery = replace(varComplianceScoreForConfidentialComputingPolicyGroupText, 'RootPrefix_PLACEHOLDER', parDeploymentPrefix) + +var varDefaultTitles = [ + { + position: { + x: 0 + y: 0 + colSpan: 8 + rowSpan: 2 + } + metadata: { + inputs: [] + type: 'Extension/HubsExtension/PartType/MarkdownPart' + settings: { + content: { + settings: { + content: varMarkdownHeaderText + title: 'Sovereign landing zone dashboard for ${parDeploymentPrefix}' + subtitle: parCountryOrAgencyName + markdownSource: 1 + markdownUri: null + } + } + } + partHeader: {} + } + } + { + position: { + x: 8 + y: 0 + colSpan: 8 + rowSpan: 2 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Overall resources compliance score' + isOptional: true + } + { + name: 'query' + value: varResourceComplianceScoreQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQuerySingleValueTile' + settings: {} + partHeader: { + title: 'Overall resources compliance score' + subtitle: 'Percent of resources compliant with all policies in the SLZ' + } + } + } + { + position: { + x: 0 + y: 2 + colSpan: 8 + rowSpan: 2 + } + metadata: { + inputs: [ + { + 
name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Overall data residency compliance score' + isOptional: true + } + { + name: 'query' + value: varDataResidencyScoreQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQuerySingleValueTile' + settings: {} + partHeader: { + title: 'Overall data residency compliance score' + subtitle: 'Percent of resources compliant with data residency policies in the SLZ' + } + } + } + { + position: { + x: 8 + y: 2 + colSpan: 8 + rowSpan: 2 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Overall confidential compliance score' + isOptional: true + } + { + name: 'query' + value: varConfidentialityScoreQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQuerySingleValueTile' + settings: {} + partHeader: { + title: 'Overall confidential compliance score' + subtitle: 'Percent of resources compliant with encryption and confidential computing policies in the SLZ' + } + } + } + { + position: { + x: 0 + y: 4 + colSpan: 16 + rowSpan: 1 + } + metadata: { + inputs: [] + type: 'Extension/HubsExtension/PartType/MarkdownPart' + settings: { + content: { + settings: { + content: '' + title: 'Policy compliance' + subtitle: '' + markdownSource: 1 + markdownUri: null + } + } + } + partHeader: {} + } + } + { + position: { + x: 0 + y: 5 + colSpan: 6 + rowSpan: 8 + } + metadata: { + inputs: [ + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 
'Resource compliance by state' + isOptional: true + } + { + name: 'query' + value: varResourcesbyComplianceStateQuery + isOptional: true + } + { + name: 'chartType' + value: 2 + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryChartTile' + settings: {} + partHeader: { + title: 'Resource compliance by state' + subtitle: 'Hover over bar to see percent of resources in each state' + } + } + } + { + position: { + x: 6 + y: 5 + colSpan: 10 + rowSpan: 4 + } + metadata: { + inputs: [ + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resource compliance percentage by subscription' + isOptional: true + } + { + name: 'query' + value: varCompliancebySubscriptionQuery + isOptional: true + } + { + name: 'chartType' + value: 1 + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryChartTile' + settings: {} + partHeader: { + title: 'Resource compliance percentage by subscription' + subtitle: 'Hover over bar to see subscription name and its compliance percentage' + } + } + } + { + position: { + x: 6 + y: 9 + colSpan: 10 + rowSpan: 4 + } + metadata: { + inputs: [ + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resource compliance percentage by policy initiative' + isOptional: true + } + { + name: 'query' + value: varCompliancebyPolicyInitiativeQuery + isOptional: true + } + { + name: 'chartType' + value: 1 + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryChartTile' + settings: {} + partHeader: { + title: 'Resource 
compliance percentage by policy initiative' + subtitle: 'Hover over bar to see policy initiative name and its compliance percentage' + } + } + } + { + position: { + x: 0 + y: 13 + colSpan: 16 + rowSpan: 4 + } + metadata: { + inputs: [ + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resources compliance percentage by policy group name' + isOptional: true + } + { + name: 'query' + value: varComplianceByPolicyGroupQuery + isOptional: true + } + { + name: 'chartType' + value: 1 + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryChartTile' + settings: {} + partHeader: { + title: 'Resource compliance percentage by policy group name' + subtitle: 'Hover over bar to see policy group name and its compliance percentage' + } + } + } + { + position: { + x: 0 + y: 17 + colSpan: 16 + rowSpan: 5 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Non-Compliant and exempt resources' + isOptional: true + } + { + name: 'query' + value: varListofNonCompliantResourcesQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryGridTile' + settings: {} + partHeader: { + title: 'Non-Compliant and exempt resources' + subtitle: 'List of non-compliant and exempt resources for all policies in the SLZ' + } + } + } + { + position: { + x: 0 + y: 22 + colSpan: 16 + rowSpan: 1 + } + metadata: { + inputs: [] + type: 'Extension/HubsExtension/PartType/MarkdownPart' + settings: { + content: { + settings: { + content: '' + title: 'Data residency compliance' + subtitle: '' + markdownSource: 1 + markdownUri: 
null + } + } + } + partHeader: {} + } + } + { + position: { + x: 0 + y: 23 + colSpan: 5 + rowSpan: 5 + } + metadata: { + inputs: [ + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Non-compliant resources by location' + isOptional: true + } + { + name: 'query' + value: varResourcesOutsideofSafeRegionQuery + isOptional: true + } + { + name: 'chartType' + value: 1 + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryChartTile' + settings: {} + partHeader: { + title: 'Non-Compliant resources by location' + subtitle: 'These resources are in non-compliant locations per the data residency policy' + } + } + } + { + position: { + x: 5 + y: 23 + colSpan: 11 + rowSpan: 5 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resources exempt from data residency policies' + isOptional: true + } + { + name: 'query' + value: varListofResourcesExemptofDataResidentPolicyQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryGridTile' + settings: {} + partHeader: { + title: 'Resources exempt from data residency policies' + subtitle: 'These resources are exempt from data residency policies' + } + } + } + { + position: { + x: 0 + y: 28 + colSpan: 16 + rowSpan: 5 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resources outside of approved regions' + isOptional: true + } + { + name: 'query' + value: 
varListofResourcesOutsideofSafeRegionQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryGridTile' + settings: {} + partHeader: { + title: 'Resources outside of approved regions' + subtitle: 'These are the resources deployed outside of an approved region' + } + } + } + { + position: { + x: 0 + y: 33 + colSpan: 16 + rowSpan: 1 + } + metadata: { + inputs: [] + type: 'Extension/HubsExtension/PartType/MarkdownPart' + settings: { + content: { + settings: { + content: '' + title: 'Confidential computing' + subtitle: '' + markdownSource: 1 + markdownUri: null + } + } + } + partHeader: {} + } + } + { + position: { + x: 0 + y: 34 + colSpan: 5 + rowSpan: 2 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resource compliance score for encryption at rest policies' + isOptional: true + } + { + name: 'query' + value: varComplianceScoreForStoragePolicyGroupQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQuerySingleValueTile' + settings: {} + partHeader: { + title: 'Resource compliance score for encryption at rest policies' + subtitle: 'Percent of resources compliant with encryption at rest policies in the SLZ' + } + } + } + { + position: { + x: 5 + y: 34 + colSpan: 5 + rowSpan: 2 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resource compliance score for encryption in transit policies' + isOptional: true + } + { + name: 'query' + value: varComplianceScoreForTransportPolicyGroupQuery + 
isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQuerySingleValueTile' + settings: {} + partHeader: { + title: 'Resource compliance score for encryption in transit policies' + subtitle: 'Percent of resources compliant with encryption in transit policies in the SLZ' + } + } + } + { + position: { + x: 10 + y: 34 + colSpan: 6 + rowSpan: 2 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resource compliance score for confidential computing policies' + isOptional: true + } + { + name: 'query' + value: varComplianceScoreForConfidentialComputingPolicyGroupQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQuerySingleValueTile' + settings: {} + partHeader: { + title: 'Resource compliance score for confidential computing policies' + subtitle: 'Percent of resources compliant with confidential computing policies in the SLZ' + } + } + } + { + position: { + x: 0 + y: 36 + colSpan: 16 + rowSpan: 5 + } + metadata: { + inputs: [ + { + name: 'chartType' + isOptional: true + } + { + name: 'isShared' + isOptional: true + } + { + name: 'queryId' + isOptional: true + } + { + name: 'partTitle' + value: 'Resources exempt from confidential computing policies' + isOptional: true + } + { + name: 'query' + value: varListOfResourcesExemptOfConfidentialPoliciesQuery + isOptional: true + } + { + name: 'queryScope' + value: { + scope: 0 + values: [] + } + isOptional: true + } + ] + #disable-next-line BCP036 + type: 'Extension/HubsExtension/PartType/ArgQueryGridTile' + settings: {} + partHeader: { + title: 'Resources exempt from confidential computing policies' + subtitle: 
'These resources are exempt from confidential computing policies'
+ }
+ }
+ }
+]
+
+var varCustomTiles = loadJsonContent('../../custom/dashboard/compliance/tiles.json')
+var varAllTiles = concat(varDefaultTitles, varCustomTiles)
+
+resource resDashboard 'Microsoft.Portal/dashboards@2020-09-01-preview' = {
+ name: parDashboardName
+ location: parLocation
+ tags: parTags
+ properties: {
+ lenses: [
+ {
+ order: 0
+ parts: [for part in varAllTiles: {
+ position: {
+ x: part.position.x
+ y: part.position.y
+ colSpan: part.position.colSpan
+ rowSpan: part.position.rowSpan
+ }
+ metadata: {
+ inputs: part.metadata.inputs
+ #disable-next-line BCP036
+ type: part.metadata.type
+ settings: part.metadata.settings
+ partHeader: empty(part.metadata.partHeader) ? part.metadata.partHeader : {}
+ }
+ }]
+ }
+ ]
+ metadata: {
+ model: {
+ timeRange: {
+ value: {
+ relative: {
+ duration: 24
+ timeUnit: 1
+ }
+ }
+ type: 'MsPortalFx.Composition.Configuration.ValueTypes.TimeRange'
+ }
+ }
+ }
+ }
+}
diff --git a/modules/dashboard/templates/complianceByPolicyGroup.csl b/modules/dashboard/templates/complianceByPolicyGroup.csl
new file mode 100644
index 00000000..cfec6a6a
--- /dev/null
+++ b/modules/dashboard/templates/complianceByPolicyGroup.csl
@@ -0,0 +1,16 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyDefinitionId = tolower(properties.policyDefinitionId), policyGroups = properties.policyDefinitionGroupNames, policySetDefinitionName = tolower(properties.policySetDefinitionName)
+| mv-expand parsed_policy_groups = policyGroups
+| where parsed_policy_groups hasprefix "dashboard-"
+| extend parsed_policy_groups = trim('dashboard-',tostring(parsed_policy_groups))
+| project properties, policyDefinitionId, parsed_policy_groups
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, tostring(parsed_policy_groups)
+| summarize counts = count() by tostring(parsed_policy_groups), max_stateWeight
+| summarize nonCompliantCount = sumif(counts, max_stateWeight == 300), compliantCount = sumif(counts, max_stateWeight == 200), conflictCount = sumif(counts, max_stateWeight == 100), exemptCount = sumif(counts, max_stateWeight == 50) by tostring(parsed_policy_groups)
+| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)
+| extend totalCompliantResources = todouble(compliantCount + exemptCount)
+| extend compliancePercentage = iff(totalResources == 0 or (totalCompliantResources == 0 and nonCompliantCount == 0), todouble(100), 100 * totalCompliantResources / totalResources)
+| project toupper(parsed_policy_groups), compliancePercentageEx = toint(round(compliancePercentage, 1))
+| order by compliancePercentageEx asc
diff --git a/modules/dashboard/templates/complianceScoreForConfidentialComputingPolicyGroup.csl b/modules/dashboard/templates/complianceScoreForConfidentialComputingPolicyGroup.csl
new file mode 100644
index 00000000..ce700a11
--- /dev/null
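Review bot: The assignment-scope filter on the first `where` uses `has`, while compliancebySubscription.csl and resourcesOutsideofSafeRegion.csl in this same commit use `startswith` on the same path; the two operators select different assignment sets, so the headline scores and the per-subscription chart can be computed over different populations. `has` is a whole-term match, so an assignment scoped to any management group whose path carries the root prefix as a term is included, which may or may not be the intent. Pick one operator for every query in the commit and state in a leading comment which scopes are meant (the root management group only, or the whole hierarchy beneath it). Separately, `| project toupper(parsed_policy_groups), ...` leaves the first column auto-named; `| project policyGroup = toupper(parsed_policy_groups), ...` gives the chart a stable label.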
+++ b/modules/dashboard/templates/complianceScoreForConfidentialComputingPolicyGroup.csl
@@ -0,0 +1,13 @@
+PolicyResources
+|where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyDefinitionId = tolower(properties.policyDefinitionId), policyGroups = tolower(properties.policyDefinitionGroupNames), policySetDefinitionName = tolower(properties.policySetDefinitionName)
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) in ("dashboard-confidential computing","dashboard-key management")
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tolower(properties.resourceType), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, resourceType
+| project resourceId, resourceType, complianceState = iff(max_stateWeight == 300, 'NonCompliant', iff(max_stateWeight == 200, 'Compliant', iff(max_stateWeight == 100 , 'Conflict', iff(max_stateWeight == 50, 'Exempt', 'UnknownResource'))))
+| summarize counts = count() by complianceState
+| summarize compliantCount = sumif(counts, complianceState == 'Compliant' or complianceState == 'Exempt'), nonCompliantCount = sumif(counts, complianceState == 'Conflict' or complianceState == 'NonCompliant')
+| extend totalNum = toint(compliantCount + nonCompliantCount)
+| extend compliancePercentageVal = iff(totalNum == 0, todouble(100), 100 * todouble(compliantCount) / totalNum)
+| project ['Confidentiality compliance percentage (includes compliant and exempt)'] = strcat(tostring(round(compliancePercentageVal, 1)), '% (', tostring(compliantCount),' out of ', tostring(totalNum), ')')
\ No newline at end of file
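Review bot: Rows that the nested `iff` maps to `'UnknownResource'` fall into neither `compliantCount` nor `nonCompliantCount`, so they drop out of `totalNum` and an unrecognised stateWeight can only raise the score, never lower it. If unknown states are meant to count against the score, `nonCompliantCount = sumif(counts, complianceState != 'Compliant' and complianceState != 'Exempt')` includes them; otherwise a comment stating that unknown states are excluded from the denominator would document the choice. The same pattern is in complianceScoreForStoragePolicyGroup.csl, complianceScoreForTransportPolicyGroup.csl, confidentialityScore.csl, dataResidencyScore.csl and resourceComplianceScore.csl. `policySetDefinitionName` is extended on the third line but never referenced and can be dropped.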
diff --git a/modules/dashboard/templates/complianceScoreForStoragePolicyGroup.csl b/modules/dashboard/templates/complianceScoreForStoragePolicyGroup.csl
new file mode 100644
index 00000000..9b95ea0a
--- /dev/null
+++ b/modules/dashboard/templates/complianceScoreForStoragePolicyGroup.csl
@@ -0,0 +1,13 @@
+PolicyResources
+|where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyDefinitionId = tolower(properties.policyDefinitionId), policyGroups = tolower(properties.policyDefinitionGroupNames)
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) == "dashboard-storage security"
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tolower(properties.resourceType), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, resourceType
+| project resourceId, resourceType, complianceState = iff(max_stateWeight == 300, 'NonCompliant', iff(max_stateWeight == 200, 'Compliant', iff(max_stateWeight == 100 , 'Conflict', iff(max_stateWeight == 50, 'Exempt', 'UnknownResource'))))
+| summarize counts = count() by complianceState
+| summarize compliantCount = sumif(counts, complianceState == 'Compliant' or complianceState == 'Exempt'), nonCompliantCount = sumif(counts, complianceState == 'Conflict' or complianceState == 'NonCompliant')
+| extend totalNum = toint(compliantCount + nonCompliantCount)
+| extend compliancePercentageVal = iff(totalNum == 0, todouble(100), 100 * todouble(compliantCount) / totalNum)
+| project ['Confidentiality compliance percentage (includes compliant and exempt)'] = strcat(tostring(round(compliancePercentageVal, 1)), '% (', tostring(compliantCount),' out of ', tostring(totalNum), ')')
\ No newline at end of file
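Review bot: The output column on the last line is labelled `Confidentiality compliance percentage (includes compliant and exempt)`, copied from confidentialityScore.csl, but this query filters on `dashboard-storage security` and feeds the encryption-at-rest tile; complianceScoreForTransportPolicyGroup.csl carries the same copied label for the encryption-in-transit tile. If the column name is surfaced anywhere it mislabels the score. `['Encryption at rest compliance percentage (includes compliant and exempt)']` here, and the in-transit equivalent in the transport query, would match the tile headers the dashboard sets for them.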
diff --git a/modules/dashboard/templates/complianceScoreForTransportPolicyGroup.csl b/modules/dashboard/templates/complianceScoreForTransportPolicyGroup.csl
new file mode 100644
index 00000000..a899e81a
--- /dev/null
+++ b/modules/dashboard/templates/complianceScoreForTransportPolicyGroup.csl
@@ -0,0 +1,13 @@
+PolicyResources
+|where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyAssignmentScope = tolower(properties.policyAssignmentScope), policyDefinitionId = tolower(properties.policyDefinitionId), policyGroups = tolower(properties.policyDefinitionGroupNames), policySetDefinitionName = tolower(properties.policySetDefinitionName)
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) == "dashboard-transport security"
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tolower(properties.resourceType), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, resourceType
+| project resourceId, resourceType, complianceState = iff(max_stateWeight == 300, 'NonCompliant', iff(max_stateWeight == 200, 'Compliant', iff(max_stateWeight == 100 , 'Conflict', iff(max_stateWeight == 50, 'Exempt', 'UnknownResource'))))
+| summarize counts = count() by complianceState
+| summarize compliantCount = sumif(counts, complianceState == 'Compliant' or complianceState == 'Exempt'), nonCompliantCount = sumif(counts, complianceState == 'Conflict' or complianceState == 'NonCompliant')
+| extend totalNum = toint(compliantCount + nonCompliantCount)
+| extend compliancePercentageVal = iff(totalNum == 0, todouble(100), 100 * todouble(compliantCount) / totalNum)
+| project ['Confidentiality compliance percentage (includes compliant and exempt)'] = strcat(tostring(round(compliancePercentageVal, 1)), '% (', tostring(compliantCount),' out of ', tostring(totalNum), ')')
\ No newline at end of file
diff --git a/modules/dashboard/templates/compliancebyPolicyInitiative.csl b/modules/dashboard/templates/compliancebyPolicyInitiative.csl
new file mode 100644
index 00000000..117f76dc
--- /dev/null
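Review bot: `policyAssignmentScope` and `policySetDefinitionName` are computed in the `extend` on the third line but nothing downstream reads them; dropping them makes this query line up with complianceScoreForStoragePolicyGroup.csl, from which it differs only in the group literal. The three per-group score queries are otherwise the same pipeline with a different `where tostring(parsed_policy_groups) == ...` value, so a one-line leading comment in each file naming the policy group it scores (e.g. `// Scores resources evaluated by definitions in the "dashboard-transport security" policy group`) would help whoever maintains the group names in the initiative definitions.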
+++ b/modules/dashboard/templates/compliancebyPolicyInitiative.csl
@@ -0,0 +1,11 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policySetInitiative = tostring(properties.policySetDefinitionName), resourceId = tolower(properties.resourceId), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, policySetInitiative
+| summarize counts = count() by policySetInitiative, max_stateWeight
+| summarize nonCompliantCount = sumif(counts, max_stateWeight == 300), compliantCount = sumif(counts, max_stateWeight == 200), conflictCount = sumif(counts, max_stateWeight == 100), exemptCount = sumif(counts, max_stateWeight == 50) by policySetInitiative
+| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)
+| extend totalCompliantResources = todouble(compliantCount + exemptCount)
+| extend compliancePercentage = iff(totalResources == 0 or (totalCompliantResources == 0 and nonCompliantCount == 0), todouble(100), 100 * totalCompliantResources / totalResources)
+| project policySetInitiative, compliancePercentageEx = toint(round(compliancePercentage, 1))
+| order by compliancePercentageEx asc
\ No newline at end of file
diff --git a/modules/dashboard/templates/compliancebySubscription.csl b/modules/dashboard/templates/compliancebySubscription.csl
new file mode 100644
index 00000000..fd4ca223
--- /dev/null
+++ b/modules/dashboard/templates/compliancebySubscription.csl
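Review bot: `policySetInitiative` is `tostring(properties.policySetDefinitionName)`, so a policy state produced by an assignment of a standalone definition (one not wrapped in an initiative) would land under an empty bar label; if such assignments exist in the hierarchy, `policySetInitiative = iff(isempty(tostring(properties.policySetDefinitionName)), tostring(properties.policyDefinitionName), tostring(properties.policySetDefinitionName))` keeps them visible. The bar label is also the initiative's resource name rather than its display name; listofNonCompliantResources.csl resolves display names for definitions with a join on `properties.displayName`, and the same technique against the initiative definitions would give readable labels here.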
@@ -0,0 +1,18 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates'
+| extend policyAssignmentScope = tolower(properties.policyAssignmentScope)
+| where policyAssignmentScope startswith '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId),subscriptionId = tostring(properties.subscriptionId), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, subscriptionId
+| join kind=inner (
+ resourcecontainers
+ | where type == 'microsoft.resources/subscriptions'
+ | project subscriptionId, subscriptionName = name
+ ) on subscriptionId
+| summarize counts = count() by subscriptionId, subscriptionName, max_stateWeight
+| summarize nonCompliantCount = sumif(counts, max_stateWeight == 300), compliantCount = sumif(counts, max_stateWeight == 200), conflictCount = sumif(counts, max_stateWeight == 100), exemptCount = sumif(counts, max_stateWeight == 50) by subscriptionId, subscriptionName
+| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)
+| extend totalCompliantResources = todouble(compliantCount + exemptCount)
+| extend compliancePercentage = iff(totalResources == 0 or (totalCompliantResources == 0 and nonCompliantCount == 0), todouble(100), 100 * totalCompliantResources / totalResources)
+| project subscriptionName, compliancePercentageEx = toint(round(compliancePercentage, 1))
+| order by compliancePercentageEx asc
\ No newline at end of file
diff --git a/modules/dashboard/templates/confidentialityScore.csl b/modules/dashboard/templates/confidentialityScore.csl
new file mode 100644
index 00000000..7c620bb6
--- /dev/null
+++ b/modules/dashboard/templates/confidentialityScore.csl
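Review bot: The `join kind=inner` against `resourcecontainers` drops every subscription for which no subscription row comes back, so a subscription that has policy states but is not returned by `resourcecontainers` for the identity rendering the dashboard would vanish from the chart instead of appearing with its score. `join kind=leftouter (` on the same subquery followed by `| extend subscriptionName = coalesce(subscriptionName, subscriptionId)` keeps such rows visible. This query also filters the assignment scope with `startswith` where the other score queries in the commit use `has`; see the note on complianceByPolicyGroup.csl.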
@@ -0,0 +1,14 @@
+PolicyResources
+|where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyDefinitionId = tolower(properties.policyDefinitionId), policyGroups = tolower(properties.policyDefinitionGroupNames)
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) in ("dashboard-storage security", "dashboard-transport security", "dashboard-confidential computing","dashboard-key management")
+| project properties, policyDefinitionId, tostring(parsed_policy_groups)
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tolower(properties.resourceType), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, resourceType
+| project resourceId, resourceType, complianceState = iff(max_stateWeight == 300, 'NonCompliant', iff(max_stateWeight == 200, 'Compliant', iff(max_stateWeight == 100 , 'Conflict', iff(max_stateWeight == 50, 'Exempt', 'UnknownResource'))))
+| summarize counts = count() by complianceState
+| summarize compliantCount = sumif(counts, complianceState == 'Compliant' or complianceState == 'Exempt'), nonCompliantCount = sumif(counts, complianceState == 'Conflict' or complianceState == 'NonCompliant')
+| extend totalNum = toint(compliantCount + nonCompliantCount)
+| extend compliancePercentageVal = iff(totalNum == 0, todouble(100), 100 * todouble(compliantCount) / totalNum)
+| project ['Confidentiality compliance percentage (includes compliant and exempt)'] = strcat(tostring(round(compliancePercentageVal, 1)), '% (', tostring(compliantCount),' out of ', tostring(totalNum), ')')
\ No newline at end of file
diff --git a/modules/dashboard/templates/dataResidencyScore.csl b/modules/dashboard/templates/dataResidencyScore.csl
new file mode 100644
index 00000000..e8b9b23e
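Review bot: The four group literals in the `in (...)` filter on the fifth line are the union of the filters in the three per-group score queries and are repeated verbatim in listOfResourcesExemptOfConfidentialPolicies.csl, so a renamed policy group has to be updated by hand in several files and a missed copy silently empties one tile rather than failing. A leading comment listing the other files that carry the same set, e.g. `// Policy groups below must match complianceScoreFor*PolicyGroup.csl and listOfResourcesExemptOfConfidentialPolicies.csl`, makes that coupling visible. The `| project properties, policyDefinitionId, tostring(parsed_policy_groups)` line adds an auto-named column that nothing downstream reads and can be removed.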
--- /dev/null
+++ b/modules/dashboard/templates/dataResidencyScore.csl
@@ -0,0 +1,13 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyDefinitionId = tostring(properties.policyDefinitionId), policyGroups = tolower(properties.policyDefinitionGroupNames)
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) == "dashboard-data residency"
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tolower(properties.resourceType), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId, resourceType
+| project resourceId, resourceType, complianceState = iff(max_stateWeight == 300, 'NonCompliant', iff(max_stateWeight == 200, 'Compliant', iff(max_stateWeight == 100 , 'Conflict', iff(max_stateWeight == 50, 'Exempt', 'UnknownResource'))))
+| summarize counts = count() by complianceState
+| summarize compliantCount = sumif(counts, complianceState == 'Compliant' or complianceState == 'Exempt'), nonCompliantCount = sumif(counts, complianceState == 'Conflict' or complianceState == 'NonCompliant')
+| extend totalNum = toint(compliantCount + nonCompliantCount)
+| extend compliancePercentageVal = iff(totalNum == 0, todouble(100), 100 * todouble(compliantCount) / totalNum)
+| project ['Data residency compliance percentage (includes compliant and exempt)'] = strcat(tostring(round(compliancePercentageVal, 1)), '% (', tostring(compliantCount),' out of ', tostring(totalNum), ')')
\ No newline at end of file
diff --git a/modules/dashboard/templates/listOfResourcesExemptOfConfidentialPolicies.csl b/modules/dashboard/templates/listOfResourcesExemptOfConfidentialPolicies.csl
new file mode 100644
index 00000000..9bf82fbc
--- /dev/null
+++ b/modules/dashboard/templates/listOfResourcesExemptOfConfidentialPolicies.csl
@@ -0,0 +1,15 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tostring(properties.complianceState) == "Exempt" and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyDefinitionId = tolower(properties.policyDefinitionId),complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tostring(properties.resourceType), policySetDefinitionName = tostring(properties.policySetDefinitionName),subscriptionId = tostring(properties.subscriptionId), policyGroups = tolower(properties.policyDefinitionGroupNames)
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) in ("dashboard-storage security", "dashboard-transport security", "dashboard-confidential computing","dashboard-key management")
+| join kind=leftouter (
+ resources
+ | project resourceId=tolower(id), resourceName=name, resourceGroup
+ ) on resourceId
+| join kind=inner (
+ resourcecontainers
+ | where type == 'microsoft.resources/subscriptions'
+ | project subscriptionId, subscriptionName = name
+ ) on subscriptionId
+| project ['Compliance State']=complianceState, ['Policy initiative']=policySetDefinitionName, ['Policy definition id']=policyDefinitionId, ['Resource type']=resourceType, ['Resource name']=resourceName, ['Subscription id']=subscriptionId, ['Policy group']=tostring(parsed_policy_groups)
\ No newline at end of file
diff --git a/modules/dashboard/templates/listofNonCompliantResources.csl b/modules/dashboard/templates/listofNonCompliantResources.csl
new file mode 100644
index 00000000..54563121
--- /dev/null
+++ b/modules/dashboard/templates/listofNonCompliantResources.csl
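Review bot: `['Resource name']` comes from the `leftouter` join to `resources`, so a policy state whose resource has no row there (a subscription-scoped state, or a resource the caller cannot read) shows an empty name; listofNonCompliantResources.csl covers that with `| extend ['Resource name'] = iff(resourceName == "", subscriptionName, resourceName)`, and the same fallback belongs here and in listofResourcesExemptofDataResidentPolicy.csl. `subscriptionName` is brought in by the inner join but not projected, while the grid shows the raw `subscriptionId`; projecting the name as well makes the exemption list readable without a lookup. Exemptions are the rows a reviewer most needs to attribute to an owner, so silent blanks are worth fixing in this grid first.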
@@ -0,0 +1,23 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| where properties.complianceState in ("NonCompliant", "Exempt")
+| extend complianceState = tostring(properties.complianceState),resourceId = tolower(properties.resourceId), resourceType = tostring(properties.resourceType), policySetDefinitionName = tostring(properties.policySetDefinitionName), subscriptionId = tostring(properties.subscriptionId), policyDefinitionName = tostring(properties.policyDefinitionName)
+| distinct resourceId, policySetDefinitionName, complianceState, resourceType, subscriptionId, policyDefinitionName
+| join kind=leftouter (
+ resources
+ | project resourceId=tolower(id), resourceName=name, resourceGroup
+ ) on resourceId
+| join kind=inner (
+ resourcecontainers
+ | where type == 'microsoft.resources/subscriptions'
+ | project subscriptionId, subscriptionName = name
+ ) on subscriptionId
+|join kind=inner (
+ PolicyResources
+ | where type == "microsoft.authorization/policydefinitions"
+ | extend policyName = tostring(properties.displayName)
+ | project policyName, policyDefinitionName = name
+ ) on policyDefinitionName
+| extend ['Resource name']= iff(resourceName=="", subscriptionName, resourceName)
+| project ['Compliance state']=complianceState, ['Policy initiative']=policySetDefinitionName,['Policy definition']=policyName, ['Resource type']=resourceType, ['Resource name'] , ['Resource group']=resourceGroup, ['Subscription']=subscriptionName
+| order by ['Compliance state'] desc, ['Resource type'], ['Resource name'] asc
diff --git a/modules/dashboard/templates/listofResourcesExemptofDataResidentPolicy.csl b/modules/dashboard/templates/listofResourcesExemptofDataResidentPolicy.csl
new file mode 100644
index 00000000..4b91a1fd
--- /dev/null
+++ b/modules/dashboard/templates/listofResourcesExemptofDataResidentPolicy.csl
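Review bot: The third `join kind=inner`, against `microsoft.authorization/policydefinitions`, drops any non-compliant or exempt row whose definition is not returned by that subquery, so the grid silently loses findings instead of showing them with the raw definition name; for a non-compliance listing, omission is the worse failure mode. `join kind=leftouter (` on that subquery followed by `| extend policyName = coalesce(policyName, policyDefinitionName)` keeps every row. The third line compares the dynamic `properties.complianceState` directly with `in (...)` while every other query in the commit wraps it in `tostring()`; `tostring(properties.complianceState) in ("NonCompliant", "Exempt")` keeps the style uniform, and `|join kind=inner (` is missing the space after the pipe used everywhere else.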
@@ -0,0 +1,15 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tostring(properties.complianceState) == "Exempt" and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend policyAssignmentScope = tolower(properties.policyAssignmentScope), complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tostring(properties.resourceType), subscriptionId = tostring(properties.subscriptionId), policyDefinitionId = tostring(properties.policyDefinitionId), resourceLocation = tolower(properties.resourceLocation), policySetDefinitionName = tostring(properties.policySetDefinitionName), policyGroups = tolower(properties.policyDefinitionGroupNames)
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) == "dashboard-data residency"
+| join kind=leftouter (
+ resources
+ | project resourceId=tolower(id), resourceName=name, resourceGroup
+ ) on resourceId
+| join kind=inner (
+ resourcecontainers
+ | where type == 'microsoft.resources/subscriptions'
+ | project subscriptionId, subscriptionName = name
+ ) on subscriptionId
+| project ['Compliance state']=complianceState, ['Policy initiative']=policySetDefinitionName, ['Resource type']=resourceType, ['Resource name']=resourceName, ['Resource location']=resourceLocation
\ No newline at end of file
diff --git a/modules/dashboard/templates/listofResourcesOutsideofSafeRegion.csl b/modules/dashboard/templates/listofResourcesOutsideofSafeRegion.csl
new file mode 100644
index 00000000..ac0fa2b7
--- /dev/null
+++ b/modules/dashboard/templates/listofResourcesOutsideofSafeRegion.csl
@@ -0,0 +1,12 @@
+policyResources
+| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tostring(properties.resourceType), resourceLocation = tolower(properties.resourceLocation), policySetDefinitionName = tostring(properties.policySetDefinitionName), policyGroups = tolower(properties.policyDefinitionGroupNames)
+| where (complianceState == 'NonCompliant' or complianceState == 'Exempt')
+| mv-expand parsed_policy_groups = parse_json(policyGroups)
+| where tostring(parsed_policy_groups) == "dashboard-data residency"
+| join kind=leftouter (
+ resources
+ | project resourceId=tolower(id), resourceName=name, resourceGroup
+ ) on resourceId
+| project ['Compliance state']=complianceState, ['Policy initiative']=policySetDefinitionName, ['Resource type']=resourceType, ['Resource name']=resourceName, ['Resource location']=resourceLocation, ['Resource group']=resourceGroup
+| order by ['Compliance state'] desc, ['Resource type'], ['Resource name'] asc
\ No newline at end of file
diff --git a/modules/dashboard/templates/markdownPart.md b/modules/dashboard/templates/markdownPart.md
new file mode 100644
index 00000000..f2de281f
--- /dev/null
+++ b/modules/dashboard/templates/markdownPart.md
@@ -0,0 +1,18 @@
+
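Review bot: The table is written `policyResources` on the first line while every other query in this commit writes `PolicyResources`; resourcesOutsideofSafeRegion.csl has the same spelling. Whether or not the engine resolves both, one spelling makes a grep for the scope filter across the templates reliable. This listing also has no subscription column, unlike listofResourcesExemptofDataResidentPolicy.csl which joins `resourcecontainers` for it; a resource outside an approved region is easier to route to an owner when the subscription is shown next to `['Resource group']`.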

diff --git a/modules/dashboard/templates/resourceComplianceScore.csl b/modules/dashboard/templates/resourceComplianceScore.csl
new file mode 100644
index 00000000..14f6530e
--- /dev/null
+++ b/modules/dashboard/templates/resourceComplianceScore.csl
@@ -0,0 +1,17 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), resourceType = tolower(properties.resourceType), stateWeight = tolong(properties.stateWeight)
+| summarize maxStateWeight = max(stateWeight) by resourceId, resourceType
+| project resourceId, resourceType,
+ complianceState = case(
+ maxStateWeight == 300, "NonCompliant",
+ maxStateWeight == 200, "Compliant",
+ maxStateWeight == 100, "Conflict",
+ maxStateWeight == 50, "Exempt",
+ "UnknownResource"
+ )
+| summarize counts = count() by complianceState
+| summarize compliantCount = sumif(counts, complianceState == 'Compliant' or complianceState == 'Exempt'), nonCompliantCount = sumif(counts, complianceState == 'Conflict' or complianceState == 'NonCompliant')
+| extend totalNum = toint(compliantCount + nonCompliantCount)
+| extend compliancePercentageVal = iff(totalNum == 0, todouble(100), 100 * todouble(compliantCount) / totalNum)
+| project ['Compliance percentage (includes compliant and exempt)'] = strcat(tostring(round(compliancePercentageVal, 1)), '% (', tostring(compliantCount),' out of ', tostring(totalNum), ')')
\ No newline at end of file
diff --git a/modules/dashboard/templates/resourcesOutsideofSafeRegion.csl b/modules/dashboard/templates/resourcesOutsideofSafeRegion.csl
new file mode 100644
index 00000000..9297fef9
--- /dev/null
+++ b/modules/dashboard/templates/resourcesOutsideofSafeRegion.csl
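Review bot: This is the only score query that maps the weight with `case()` and names the aggregate explicitly (`summarize maxStateWeight = max(stateWeight)`); the other score queries in the commit use four nested `iff()` calls over the auto-named `max_stateWeight`. The `case()` form is easier to read and to extend with a new state, so the siblings (resourcesbyComplianceState.csl, dataResidencyScore.csl, confidentialityScore.csl and the three complianceScoreFor*PolicyGroup.csl files) should adopt it rather than this file reverting. As in those siblings, the `"UnknownResource"` branch is counted in neither sum on the following lines and so never reaches `totalNum`.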
@@ -0,0 +1,13 @@
+policyResources
+| where type == 'microsoft.policyinsights/policystates'
+| extend resourceId = tolower(properties.resourceId), policyAssignmentScope = tolower(properties.policyAssignmentScope), complianceState = tostring(properties.complianceState)
+| where policyAssignmentScope startswith '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER' and complianceState == 'NonCompliant'
+| mv-expand parsed_policy_groups = parse_json(tolower(properties.policyDefinitionGroupNames))
+| where tostring(parsed_policy_groups) == "dashboard-data residency"
+| join kind=inner (
+ resources
+ | where isnotnull(location)
+ | project resourceId=tolower(id), resourceName=name, resourceGroup, resourcelocation = location
+ ) on resourceId
+| project resourcelocation, complianceState
+| summarize counts = count() by resourcelocation
\ No newline at end of file
diff --git a/modules/dashboard/templates/resourcesbyComplianceState.csl b/modules/dashboard/templates/resourcesbyComplianceState.csl
new file mode 100644
index 00000000..805190c9
--- /dev/null
+++ b/modules/dashboard/templates/resourcesbyComplianceState.csl
@@ -0,0 +1,6 @@
+PolicyResources
+| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/RootPrefix_PLACEHOLDER'
+| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), stateWeight = tolong(properties.stateWeight)
+| summarize max(stateWeight) by resourceId
+| project resourceId, complianceState = iff(max_stateWeight == 300, 'NonCompliant', iff(max_stateWeight == 200, 'Compliant', iff(max_stateWeight == 100 , 'Conflict', iff(max_stateWeight == 50, 'Exempt', 'Unknown'))))
+| summarize counts = count() by complianceState
\ No newline at end of file
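Review bot: The final summarize counts policy-state rows, not resources: a resource with several non-compliant states in the data-residency group is counted once per state, so the per-region totals are inflated. Insert `| distinct resourceId, resourcelocation` before `| summarize counts = count() by resourcelocation` (complianceState is unused after the filter and can be dropped from the project). This query also filters the scope with `startswith` where the sibling queries use `has`; the two operators match different sets of assignment scopes, so the tiles can disagree on the same tenant.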
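Review bot: The stateWeight-to-state mapping is duplicated from resourceComplianceScore.csl with a different fallback label (`'Unknown'` here, `'UnknownResource'` there) and a nested iff() instead of case(), so the same resource can carry a different label on two tiles of the same dashboard. Use the identical `case(...)` expression and fallback string in both files, and put a comment above it recording that the constants are the policyStates `stateWeight` values this query reads, so a future change is made in both places.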
diff --git a/modules/resourceGroups/connectivityResourceGroups.bicep b/modules/resourceGroups/connectivityResourceGroups.bicep
new file mode 100644
index 00000000..0a757624
--- /dev/null
+++ b/modules/resourceGroups/connectivityResourceGroups.bicep
@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Deploys the resource groups for the hub network and network watcher.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'subscription'
+
+@description('Location to deploy resources.')
+param parDeploymentLocation string
+
+@description('Prefix to use for resource naming.')
+param parDeploymentPrefix string
+
+@description('Suffix to use for resource naming.')
+@maxLength(5)
+param parDeploymentSuffix string
+
+@description('Tags to apply to all created resources.')
+param parTags object
+
+@description('Timestamp with format yyyyMMddTHHmmssZ. Default value set to Execution Timestamp to avoid deployment contention.')
+param parTimestamp string = utcNow()
+
+// Deploy resource groups for the hub network
+module modNetworkingHubResourceGroup '../../dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep' = {
+ name: take('deploy-Hub-Network-Resource-Group-${parTimestamp}', 64)
+ params: {
+ parLocation: parDeploymentLocation
+ parResourceGroupName: '${parDeploymentPrefix}-rg-hub-network-${parDeploymentLocation}${parDeploymentSuffix}'
+ parTags: parTags
+ parTelemetryOptOut: true
+ }
+}
+
+// Deploy resource group for network watcher.
+module modNetworkWatcherResourceGroup '../../dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep' = {
+ name: take('deploy-NetworkWatcher-Resource-Group-${parTimestamp}', 64)
+ params: {
+ parLocation: parDeploymentLocation
+ parResourceGroupName: 'NetworkWatcherRG'
+ parTags: parTags
+ parTelemetryOptOut: true
+ }
+}
+
+output outConnectivityDeploymentLocation string = parDeploymentLocation
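Review bot: `parResourceGroupName: 'NetworkWatcherRG'` is the name Azure itself uses when Network Watcher is auto-enabled in a subscription, so that group may already exist in another region; because a resource group's location is immutable, a pre-existing NetworkWatcherRG elsewhere would presumably make this deployment fail rather than adopt it. Either record the assumption above the module, `// Assumes NetworkWatcherRG does not already exist in a different region (resource group location cannot be changed)`, or expose the name and location as parameters so operators with an existing group can point at it.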
diff --git a/modules/resourceGroups/dashboardResourceGroups.bicep b/modules/resourceGroups/dashboardResourceGroups.bicep new file mode 100644 index 00000000..73f48f28 --- /dev/null +++ b/modules/resourceGroups/dashboardResourceGroups.bicep @@ -0,0 +1,34 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. +/* + SUMMARY : Deploys a resource group for the dashboard resources. + AUTHOR/S: Cloud for Sovereignty +*/ +targetScope = 'subscription' + +@description('Location to deploy resources.') +param parDeploymentLocation string + +@description('Prefix to use for resource naming.') +param parDeploymentPrefix string + +@description('Tags to apply to all created resources.') +param parTags object + +@description('Timestamp with format yyyyMMddTHHmmssZ. Default value set to Execution Timestamp to avoid deployment contention.') +param parTimestamp string = utcNow() + +@description('Suffix to use for resource naming.') +@maxLength(5) +param parDeploymentSuffix string + +// Deploy resource group for dashboard resources +module modDashboardResourceGroup '../../dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep' = { + name: take('deploy-Dashboard-Resource-Group-${parTimestamp}', 64) + params: { + parLocation: parDeploymentLocation + parResourceGroupName: '${parDeploymentPrefix}-rg-dashboards-${parDeploymentLocation}${parDeploymentSuffix}' + parTags: parTags + parTelemetryOptOut: true + } +} diff --git a/modules/resourceGroups/identityResourceGroups.bicep b/modules/resourceGroups/identityResourceGroups.bicep new file mode 100644 index 00000000..9c0cc851 --- /dev/null +++ b/modules/resourceGroups/identityResourceGroups.bicep 
@@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. +/* + SUMMARY : Creates a resource group for identity resources. + AUTHOR/S: Cloud for Sovereignty +*/ +targetScope = 'subscription' + +@description('Location to deploy resources.') +param parDeploymentLocation string + +@description('Prefix to use for resource naming.') +param parDeploymentPrefix string + +@description('Suffix to use for resource naming.') +@maxLength(5) +param parDeploymentSuffix string + +@description('Tags to apply to all created resources.') +param parTags object + +@description('Timestamp with format yyyyMMddTHHmmssZ. Default value set to Execution Timestamp to avoid deployment contention.') +param parTimestamp string = utcNow() + +// Creates resource group +module modManagedIdentitiesResourceGroup '../../dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep' = { + name: take('deploy-Managed-Identity-Resource-Group-${parTimestamp}', 64) + params: { + parLocation: parDeploymentLocation + parResourceGroupName: '${parDeploymentPrefix}-rg-managed-identities-${parDeploymentLocation}${parDeploymentSuffix}' + parTags: parTags + parTelemetryOptOut: true + } +} + +output outIdentityDeploymentLocation string = parDeploymentLocation diff --git a/modules/resourceGroups/managementResourceGroups.bicep b/modules/resourceGroups/managementResourceGroups.bicep new file mode 100644 index 00000000..8ba78fed --- /dev/null +++ b/modules/resourceGroups/managementResourceGroups.bicep 
@@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. +/* + SUMMARY : Deploys a resource group for logging resources. + AUTHOR/S: Cloud for Sovereignty +*/ +targetScope = 'subscription' + +@description('Location to deploy resources.') +param parDeploymentLocation string + +@description('Prefix to use for resource naming.') +param parDeploymentPrefix string + +@description('Suffix to use for resource naming.') +@maxLength(5) +param parDeploymentSuffix string + +@description('Tags to apply to all created resources.') +param parTags object + +@description('Timestamp with format yyyyMMddTHHmmssZ. Default value set to Execution Timestamp to avoid deployment contention.') +param parTimestamp string = utcNow() + +// Deploys resource group +module modAlzLoggingResourceGroup '../../dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep' = { + name: take('deploy-Logging-Resource-Group-${parTimestamp}', 64) + params: { + parLocation: parDeploymentLocation + parResourceGroupName: '${parDeploymentPrefix}-rg-logging-${parDeploymentLocation}${parDeploymentSuffix}' + parTags: parTags + parTelemetryOptOut: true + } +} + +output outManagementDeploymentLocation string = parDeploymentLocation diff --git a/modules/util/Get-FailedDeploymentDetails.ps1 b/modules/util/Get-FailedDeploymentDetails.ps1 new file mode 100644 index 00000000..82f537da --- /dev/null +++ b/modules/util/Get-FailedDeploymentDetails.ps1 
@@ -0,0 +1,69 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The PowerShell scripts aids is generating the logs for the failed deployments. + This script only retrieves errors when an Azure deployment is created. + Not all errors will be captured by this script. Specifically those that occur before the deployment is created. + +.DESCRIPTION +Execute this script to share the deployment error logs with Microsoft for troubleshooting + +#> + +param ( + $parDeploymentPrefix = $(Read-Host -prompt "Please enter the deployment prefix used for the SLZ deployment."), + $parDeploymentSuffix = $(Read-Host -prompt "Please enter the deployment suffix used for the SLZ deployment. Press Enter if no suffix was used for deployment.") +) + +<# +.DESCRIPTION + This function retrieves information about failed Tenant deployments. + It filters deployments based on provisioning state, deployment name, and generates logs of failed deployment operations. +#> +function Get-FailedTenantDeploymentDetails { + param () + + $varFailedTenantDeployments = Get-AzTenantDeployment | Where-Object { $_.ProvisioningState -eq "Failed" -and $_.DeploymentName -like "$parDeploymentPrefix*" } + + if ($null -ne $varFailedTenantDeployments) { + if (Test-Path tenantLogs.txt) { + Remove-Item tenantLogs.txt + } + + $varFailedTenantDeployments | ForEach-Object { + Get-AzTenantDeploymentOperation -DeploymentName $_.DeploymentName | Where-Object { $_.ProvisioningState -eq "Failed" } *>> tenantLogs.txt + } + } + + Write-Information ">>> Tenant deployments log generation completed." -InformationAction Continue +} + +<# +.DESCRIPTION + This function retrieves information about failed Management Group deployments. + It filters deployments based on provisioning state and generates logs of failed deployment operations. 
+#> +function Get-FailedManagementGroupDeploymentDetails { + param () + + $varFailedMGDeployments = Get-AzManagementGroupDeployment -ManagementGroupId "$parDeploymentPrefix$parDeploymentSuffix" | Where-Object { $_.ProvisioningState -eq "Failed" } + + if ($null -ne $varFailedMGDeployments) { + if (Test-Path managementgroupLogs.txt) { + Remove-Item managementgroupLogs.txt + } + + foreach ($varDeployment in $varFailedMGDeployments) { + Get-AzManagementGroupDeploymentOperation -ManagementGroupId "$parDeploymentPrefix$parDeploymentSuffix" -DeploymentName $varDeployment.DeploymentName | Where-Object { $_.ProvisioningState -eq "Failed" } *>> managementgroupLogs.txt + } + } + + Write-Information ">>> Management group deployments log generation completed." -InformationAction Continue +} + +Write-Information ">>> Initiating a login" -InformationAction Continue +Connect-AzAccount + +Get-FailedTenantDeploymentDetails +Get-FailedManagementGroupDeploymentDetails diff --git a/modules/util/delete-lock.bicep b/modules/util/delete-lock.bicep new file mode 100644 index 00000000..9a50e3c1 --- /dev/null +++ b/modules/util/delete-lock.bicep @@ -0,0 +1,15 @@ +// ---------------------------------------------------------------------------------- +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. +// +// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +// ---------------------------------------------------------------------------------- + +resource resLock 'Microsoft.Authorization/locks@2020-05-01' = { + name: 'DeleteLock' + properties: { + level: 'CanNotDelete' + } +} diff --git a/modules/util/deployment-script.bicep b/modules/util/deployment-script.bicep new file mode 100644 index 00000000..40696bf1 --- /dev/null +++ b/modules/util/deployment-script.bicep 
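Review bot: Both functions redirect every stream with `*>> tenantLogs.txt` / `*>> managementgroupLogs.txt` into the current directory, and the synopsis tells the user to share those files with Microsoft; deployment-operation objects carry tenant, subscription and resource IDs plus the provider's status message, which can echo request parameters. Add a warning to the .DESCRIPTION, e.g. `Review tenantLogs.txt and managementgroupLogs.txt for sensitive identifiers or parameter values before sharing them`, and consider writing only the relevant fields (target resource, status code, status message) instead of whole objects. The `*>>` redirection also sends errors raised by the Get-Az* cmdlets themselves (a missing permission on the management group, an expired token) into the same file, so a user can end up with a near-empty log and conclude there were no failures; leave the error stream on the console or check `$?` after each call. Finally, `-like "$parDeploymentPrefix*"` treats any wildcard characters typed at the Read-Host prompt as a pattern, which is harmless but worth a comment.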
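Review bot: The lock has no `notes` and a generic name, so anyone who later finds `DeleteLock` on a resource group cannot tell which deployment owns it or whether it is safe to remove. Add `notes: 'Created by the Sovereign Landing Zone deployment; remove only when decommissioning the landing zone.'` inside properties, and a header comment stating that `CanNotDelete` only blocks deletion and does not prevent modification of the locked resources. With no `targetScope` or `scope`, the lock lands on whichever resource group the module is deployed into, which belongs in the same comment.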
@@ -0,0 +1,52 @@ +// ---------------------------------------------------------------------------------- +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. +// +// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +// ---------------------------------------------------------------------------------- + +@description('Location for the deployment.') +param parLocation string = resourceGroup().location + +@description('Deployment Script Name.') +param parDeploymentScriptName string + +@description('Deployment Script') +param parDeploymentScript string + +@description('Identity for the deployment script to execute in Azure Container Instance.') +param parDeploymentScriptIdentityId string + +@description('Azure CLI Version. Default: 2.32.0') +param parAzCliVersion string = '2.32.0' + +@description('Force Update Tag. Default: utcNow()') +param parForceUpdateTag string = utcNow() + +@description('Script timeout in ISO 8601 format. Default is 1 hour.') +param parTimeout string = 'PT1H' + +@description('Script retention in ISO 8601 format. Default is 1 hour.') +param parRetentionInterval string = 'PT1H' + +resource resDs 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: parDeploymentScriptName + location: parLocation + kind: 'AzureCLI' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${parDeploymentScriptIdentityId}': {} + } + } + properties: { + forceUpdateTag: parForceUpdateTag + azCliVersion: parAzCliVersion + retentionInterval: parRetentionInterval + timeout: parTimeout + cleanupPreference: 'OnExpiration' + scriptContent: parDeploymentScript + } +} diff --git a/modules/util/wait-on-arm-subscription.bicep b/modules/util/wait-on-arm-subscription.bicep new file mode 100644 index 00000000..0a0e2b91 --- /dev/null 
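Review bot: `parDeploymentScript` is a plain string parameter, so the full script text, including any values a caller interpolates into it, is recorded in the deployment's input parameters and is readable by anyone with access to deployment history; mark it `@secure()` so it is only held on the deploymentScripts resource. `parAzCliVersion = '2.32.0'` pins a 2022 Azure CLI container image; old images stop receiving fixes, so either raise the default or add a comment explaining why this version is frozen. `cleanupPreference: 'OnExpiration'` keeps the container instance and the staging storage account (with script logs) for the full `PT1H` retention even after a successful run; `'OnSuccess'` removes them immediately and keeps them only for failed runs, which is usually the behaviour wanted for debugging.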
+++ b/modules/util/wait-on-arm-subscription.bicep @@ -0,0 +1,15 @@ +// ---------------------------------------------------------------------------------- +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. +// +// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +// ---------------------------------------------------------------------------------- + +targetScope = 'subscription' + +@description('Dummy input to simulate waiting.') +param parInput string + +output output string = parInput diff --git a/modules/util/wait-on-arm.bicep b/modules/util/wait-on-arm.bicep new file mode 100644 index 00000000..e7582d7a --- /dev/null +++ b/modules/util/wait-on-arm.bicep @@ -0,0 +1,13 @@ +// ---------------------------------------------------------------------------------- +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. +// +// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +// ---------------------------------------------------------------------------------- + +@description('Dummy input to simulate waiting.') +param parInput string + +output output string = parInput diff --git a/modules/util/wait-subscription.bicep b/modules/util/wait-subscription.bicep new file mode 100644 index 00000000..73f1910d --- /dev/null +++ b/modules/util/wait-subscription.bicep 
@@ -0,0 +1,28 @@ +// ---------------------------------------------------------------------------------- +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. +// +// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +// ---------------------------------------------------------------------------------- + +targetScope = 'subscription' + +@description('Loop Counter.') +@minValue(1) +param parLoopCounter int + +@description('Prefix used for loop.') +@minLength(2) +@maxLength(50) +param parWaitNamePrefix string + +@batchSize(1) +module modWait 'wait-on-arm-subscription.bicep' = [for i in range(1, parLoopCounter): { + scope: subscription() + name: '${parWaitNamePrefix}-${i}' + params: { + parInput: 'waitOnArm-${i}' + } +}] diff --git a/modules/util/wait.bicep b/modules/util/wait.bicep new file mode 100644 index 00000000..453dd184 --- /dev/null +++ b/modules/util/wait.bicep @@ -0,0 +1,25 @@ +// ---------------------------------------------------------------------------------- +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. +// +// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +// ---------------------------------------------------------------------------------- + +@description('Loop Counter.') +@minValue(1) +param parLoopCounter int + +@description('Prefix used for loop.') +@minLength(2) +@maxLength(50) +param parWaitNamePrefix string + +@batchSize(1) +module modWait 'wait-on-arm.bicep' = [for i in range(1, parLoopCounter): { + name: '${parWaitNamePrefix}-${i}' + params: { + parInput: 'waitOnArm-${i}' + } +}] 
diff --git a/orchestration/bootstrap/bootstrap.bicep b/orchestration/bootstrap/bootstrap.bicep
new file mode 100644
index 00000000..7a08302a
--- /dev/null
+++ b/orchestration/bootstrap/bootstrap.bicep
@@ -0,0 +1,120 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. +/* + SUMMARY : Deploys the Management Groups and Subscriptions for the Sovereign Landing Zone + AUTHOR/S: Cloud for Sovereignty +*/ +targetScope = 'tenant' + +@description('The prefix that will be added to all resources created by this deployment.') +@minLength(2) +@maxLength(5) +param parDeploymentPrefix string + +@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.') +@maxLength(5) +param parDeploymentSuffix string = '' + +@description('The name of the top level management group.') +@minLength(2) +param parTopLevelManagementGroupName string + +@description('The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in.') +param parSubscriptionBillingScope string + +@description('Subscription ID for management group.') +param parManagementSubscriptionId string = '' + +@description('Subscription ID for identity group.') +param parIdentitySubscriptionId string = '' + +@description('Subscription ID for connectivity group.') +param parConnectivitySubscriptionId string = '' + +@description('Tags to be added to deployed resources') +param parTags object = {} + +@description('Array to allow additional or different child Management Groups of Landing Zones Management Group to be deployed. Default: Empty Object') +param parLandingZoneMgChildren array = [] + +@description('Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. 
If empty, default, will deploy beneath Tenant Root Management Group.') +param parTopLevelManagementGroupParentId string = '' + +var varLandingZoneMgChildren = reduce(parLandingZoneMgChildren, {}, (prev, cur) => union(prev, { '${cur.id}': cur })) + +var varPlatformMgChildren = { + management: { + displayName: 'Management' + } + connectivity: { + displayName: 'Connectivity' + } + identity: { + displayName: 'Identity' + } +} + +//This module deploys management groups and creates a hierarchy of management groups +module modManagementGroups '../../dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep' = { + name: take('${parDeploymentPrefix}-deploy-management-groups${parDeploymentSuffix}', 64) + params: { + parTelemetryOptOut: true + parTopLevelManagementGroupDisplayName: parTopLevelManagementGroupName + parTopLevelManagementGroupPrefix: parDeploymentPrefix + parTopLevelManagementGroupSuffix: parDeploymentSuffix + parLandingZoneMgAlzDefaultsEnable: true + parLandingZoneMgConfidentialEnable: true + parLandingZoneMgChildren: varLandingZoneMgChildren + parTopLevelManagementGroupParentId: parTopLevelManagementGroupParentId + parPlatformMgAlzDefaultsEnable: false + parPlatformMgChildren: varPlatformMgChildren + } +} + +//This module deploys a management subscription and creates an alias for it. 
+module modManagementSubscription '../../dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep' = if (empty(parManagementSubscriptionId)) { + name: take('${parDeploymentPrefix}-deploy-management-subscription${parDeploymentSuffix}', 64) + params: { + parSubscriptionBillingScope: parSubscriptionBillingScope + parSubscriptionName: '${parDeploymentPrefix}-management${parDeploymentSuffix}' + parManagementGroupId: modManagementGroups.outputs.outPlatformChildrenManagementGroupIds[0] + parSubscriptionOfferType: 'Production' + parTenantId: tenant().tenantId + parTags: parTags + } +} + +//This module deploys a connectivity subscription and creates an alias for it +module modConnectivitySubscription '../../dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep' = if (empty(parConnectivitySubscriptionId)) { + name: take('${parDeploymentPrefix}-deploy-connectivity-subscription${parDeploymentSuffix}', 64) + params: { + parSubscriptionBillingScope: parSubscriptionBillingScope + parSubscriptionName: '${parDeploymentPrefix}-connectivity${parDeploymentSuffix}' + parManagementGroupId: modManagementGroups.outputs.outPlatformChildrenManagementGroupIds[1] + parSubscriptionOfferType: 'Production' + parTenantId: tenant().tenantId + parTags: parTags + } +} + +//This module deploys an identity subscription and creates an alias for it. 
+module modIdentitySubscription '../../dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep' = if (empty(parIdentitySubscriptionId)) { + name: take('${parDeploymentPrefix}-deploy-identity-subscription${parDeploymentSuffix}', 64) + params: { + parSubscriptionBillingScope: parSubscriptionBillingScope + parSubscriptionName: '${parDeploymentPrefix}-identity${parDeploymentSuffix}' + parManagementGroupId: modManagementGroups.outputs.outPlatformChildrenManagementGroupIds[2] + parSubscriptionOfferType: 'Production' + parTenantId: tenant().tenantId + parTags: parTags + } +} + +output outConnectivitySubscriptionId string = empty(parConnectivitySubscriptionId) ? modConnectivitySubscription.outputs.outSubscriptionId : parConnectivitySubscriptionId +output outManagementSubscriptionId string = empty(parManagementSubscriptionId) ? modManagementSubscription.outputs.outSubscriptionId : parManagementSubscriptionId +output outIdentitySubscriptionId string = empty(parIdentitySubscriptionId) ? modIdentitySubscription.outputs.outSubscriptionId : parIdentitySubscriptionId +output outConnectivitySubscriptionName string = empty(parConnectivitySubscriptionId) ? modConnectivitySubscription.outputs.outSubscriptionName : parConnectivitySubscriptionId +output outManagementSubscriptionName string = empty(parManagementSubscriptionId) ? modManagementSubscription.outputs.outSubscriptionName : parManagementSubscriptionId +output outIdentitySubscriptionName string = empty(parIdentitySubscriptionId) ? modIdentitySubscription.outputs.outSubscriptionName : parIdentitySubscriptionId +output outLandingZoneChildrenManagementGroupIds array = modManagementGroups.outputs.outLandingZoneChildrenManagementGroupIds +output outPlatformChildrenManagementGroupIds array = modManagementGroups.outputs.outPlatformChildrenManagementGroupIds diff --git a/orchestration/const/doNotRetryErrorCodes.json b/orchestration/const/doNotRetryErrorCodes.json new file mode 100644 index 00000000..b1546b8a 
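Review bot: The three subscription modules select their parent management group by position, `outPlatformChildrenManagementGroupIds[0]`, `[1]` and `[2]`, assuming the upstream module returns ids in the declaration order of varPlatformMgChildren (management, connectivity, identity). That module is outside this diff; if it builds the array from `items(parPlatformMgChildren)`, Bicep's `items()` returns keys sorted alphabetically (connectivity, identity, management) and each subscription would be created under the wrong platform group and inherit the wrong policies. Select by name instead, for example with `filter()` on the id containing `-management` (lambdas are already used via `reduce` above), or at least add a comment pinning the assumed order so an upstream change is noticed. Separately, `outConnectivitySubscriptionName` and its two siblings return the subscription ID when an existing subscription is supplied, so consumers that tag or display by name will show a GUID.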
--- /dev/null
+++ b/orchestration/const/doNotRetryErrorCodes.json
@@ -0,0 +1,29 @@
+{
+ "description": "This file contains all the error codes for while the retry logic would not be triggered",
+ "errorCodes": [
+ {
+ "code": "RequestDisallowedByPolicy",
+ "errorDescription": "A resource deployment was disallowed by policy"
+ },
+ {
+ "code": "MissingSubscriptionRegistration",
+ "errorDescription": "The subscription must be registered to use the namespace."
+ },
+ {
+ "code": "InvalidPolicySetParameterUpdate",
+ "errorDescription": "The policy contains new parameter(s) which are not present in the existing policy and have no default value. New parameters may be added to a policy only if they have a default value."
+ },
+ {
+ "code": "UndefinedPolicyParameter",
+ "errorDescription": "The policy assignment has the parameter(s) which are not defined in the policy definition"
+ },
+ {
+ "code": "ReferencedResourceNotProvisioned",
+ "errorDescription": "Cannot proceed with operation because the resource is not in Succeeded state."
+ },
+ {
+ "code": "UserNotAuthorized",
+ "errorDescription": "User is not authorized to create a particular resource/subscription"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/orchestration/customCompliance/customCompliance.bicep b/orchestration/customCompliance/customCompliance.bicep
new file mode 100644
index 00000000..b95b0ae7
--- /dev/null
+++ b/orchestration/customCompliance/customCompliance.bicep
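Review bot: The list omits `AuthorizationFailed`, the code ARM returns when the caller lacks RBAC on the target scope, so if the retry loop that reads this file retries everything not listed here (inferred from the description, the loop itself is not in this diff), a permissions problem will be retried until it times out instead of failing fast like `UserNotAuthorized`. Consider adding `{ "code": "AuthorizationFailed", "errorDescription": "The caller does not have permission to perform the action on the target scope" }`. The description should also say whether matching is on the top-level code or on the innermost nested code, since ARM frequently wraps the real code inside `details`.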
@@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. +/* + SUMMARY: This is the main entry point for the deployment of the custom compliance initiative. This deployment will create the following resources: + - Custom role definitions + - Custom policy initiatives + - Custom policy assignments + AUTHOR/S: Cloud for Sovereignty +*/ +targetScope = 'managementGroup' + +@description('The prefix that will be added to all resources created by this deployment.') +@minLength(2) +@maxLength(5) +param parDeploymentPrefix string + +@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.') +@maxLength(5) +param parDeploymentSuffix string = '' + +@description('Set this to true if any policies in the initiative include a modify effect.') +param parRequireOwnerRolePermission bool = false + +@description('Customer specified policy assignments to the root management group of SLZ. No parameters are supported as part of the assignment. DEFAULT: []') +param parCustomerPolicySets array = [] + +// RBAC Role Definitions Variables - Used For Policy Assignments +var varRBACRoleDefinitionIDs = { + owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' + reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' +} + +var varManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}' + +//This module will deploy the custom compliance initiative +module modRegulatoryCompliance '../../modules/compliance/customCompliance.bicep' = { + name: take('${parDeploymentPrefix}-deploy-regulatory-compliance${parDeploymentSuffix}', 64) + scope: managementGroup(varManagementGroupId) + params: { + parDeploymentPrefix: parDeploymentPrefix + parDeploymentSuffix: parDeploymentSuffix + parIdentityRoleAssignmentsSubs: [] + parRoleDefinitionIds: [ + (parRequireOwnerRolePermission ? 
varRBACRoleDefinitionIDs.owner : varRBACRoleDefinitionIDs.reader) + ] + } +} + +// The following module is used to deploy the customer specified policies +module modUserPolicyAssignment '../../modules/compliance/customerPolicySetAssignments.bicep' = [for policy in parCustomerPolicySets: { + name: take('${parDeploymentPrefix}-deploy-custpolicyset-assignments-${policy.policySetAssignmentName}${parDeploymentSuffix}', 64) + params: { + parDeploymentPrefix: parDeploymentPrefix + parDeploymentSuffix: parDeploymentSuffix + parPolicySetDefinitionId: policy.policySetDefinitionId + parPolicySetAssignmentName: policy.policySetAssignmentName + parPolicySetAssignmentDisplayName: policy.policySetAssignmentDisplayName + parPolicySetAssignmentDescription: policy.policySetAssignmentDescription + } + dependsOn: [ + modRegulatoryCompliance + ] +}] diff --git a/orchestration/dashboard/dashboard.bicep b/orchestration/dashboard/dashboard.bicep new file mode 100644 index 00000000..d04e1050 --- /dev/null +++ b/orchestration/dashboard/dashboard.bicep 
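Review bot: When `parRequireOwnerRolePermission` is true the policy assignment identity receives Owner (`8e3af657-…`) at the SLZ root management group, which is far more than a modify or deployIfNotExists effect needs and, because Owner can create role assignments, turns a remediation identity into a tenant-wide escalation path. Grant the roles the policy definitions themselves list in `roleDefinitionIds` (typically Contributor or a resource-specific role) and rename the parameter to match; at minimum the @description should state that Owner includes RBAC administration. Also `modUserPolicyAssignment` sets no `scope:` while `modRegulatoryCompliance` explicitly targets `managementGroup(varManagementGroupId)`, so if the deployment is started at a different management group than `${parDeploymentPrefix}${parDeploymentSuffix}` the customer policy sets land on the deploying group rather than the SLZ root.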
@@ -0,0 +1,144 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. +/* + SUMMARY: This is the main deployment file for the SLZ dashboard. It will deploy the dashboard resource group and the dashboard itself. + AUTHOR/S: Cloud for Sovereignty +*/ +targetScope = 'managementGroup' + +@description('The prefix that will be added to all resources created by this deployment. DEFAULT: mcfs') +@minLength(2) +@maxLength(5) +param parDeploymentPrefix string + +@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.') +@maxLength(5) +param parDeploymentSuffix string = '' + +@description('Deployment location') +@allowed([ + 'asia' + 'asiapacific' + 'australia' + 'australiacentral' + 'australiacentral2' + 'australiaeast' + 'australiasoutheast' + 'brazil' + 'brazilsouth' + 'brazilsoutheast' + 'canada' + 'canadacentral' + 'canadaeast' + 'centralindia' + 'centralus' + 'centraluseuap' + 'centralusstage' + 'eastasia' + 'eastasiastage' + 'eastus' + 'eastus2' + 'eastus2euap' + 'eastus2stage' + 'eastusstage' + 'eastusstg' + 'europe' + 'france' + 'francecentral' + 'francesouth' + 'germany' + 'germanynorth' + 'germanywestcentral' + 'global' + 'india' + 'japan' + 'japaneast' + 'japanwest' + 'jioindiacentral' + 'jioindiawest' + 'korea' + 'koreacentral' + 'koreasouth' + 'northcentralus' + 'northcentralusstage' + 'northeurope' + 'norway' + 'norwayeast' + 'norwaywest' + 'qatarcentral' + 'singapore' + 'southafrica' + 'southafricanorth' + 'southafricawest' + 'southcentralus' + 'southcentralusstage' + 'southcentralusstg' + 'southeastasia' + 'southeastasiastage' + 'southindia' + 'swedencentral' + 'switzerland' + 'switzerlandnorth' + 'switzerlandwest' + 'uae' + 'uaecentral' + 'uaenorth' + 'uk' + 'uksouth' + 'ukwest' + 'unitedstates' + 'unitedstateseuap' + 'westcentralus' + 'westeurope' + 'westindia' + 'westus' + 'westus2' + 'westus2stage' + 'westus3' + 'westusstage' +]) +param 
parDeploymentLocation string + +@description('The name of the country or agency SLZ is being deployed for. DEFAULT: Country') +param parCustomer string = 'Country' + +@description('Tags to be added to deployed resources') +param parTags object = {} + +@description('Subscription ID for management group.') +param parManagementSubscriptionId string + +var varDashboardResourceGroupName = '${parDeploymentPrefix}-rg-dashboards-${parDeploymentLocation}${parDeploymentSuffix}' + +// Deploy dashboard resource group +module modDashboardResourceGroup '../../modules/resourceGroups/dashboardResourceGroups.bicep' = { + name: take('deploy-Dashboard-Resource-Group-${varDashboardResourceGroupName}', 64) + scope: subscription(parManagementSubscriptionId) + params: { + parDeploymentLocation: parDeploymentLocation + parDeploymentPrefix: parDeploymentPrefix + parDeploymentSuffix: parDeploymentSuffix + parTags: parTags + } +} + +var varDashboardDisplayName = '${parDeploymentPrefix}-Sovereign-Landing-Zone-Dashboard-Preview-${parDeploymentLocation}${parDeploymentSuffix}' + +// Deploy dashboard +module modDashboard '../../modules/dashboard/dashboard.bicep' = { + name: take('deploy-${parDeploymentPrefix}-dashboard${parDeploymentSuffix}', 64) + scope: resourceGroup(parManagementSubscriptionId, varDashboardResourceGroupName) + params: { + parCountryOrAgencyName: parCustomer + parLocation: parDeploymentLocation + parDashboardName: varDashboardDisplayName + parTags: parTags + parDeploymentPrefix: parDeploymentPrefix + } + dependsOn: [ + modDashboardResourceGroup + ] +} + +output outDashboardResourceGroupName string = varDashboardResourceGroupName +output outDashboardDisplayName string = varDashboardDisplayName diff --git a/orchestration/defaultCompliance/defaultCompliance.bicep b/orchestration/defaultCompliance/defaultCompliance.bicep new file mode 100644 index 00000000..193f8893 --- /dev/null +++ b/orchestration/defaultCompliance/defaultCompliance.bicep 
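Review bot: The `@allowed` list for `parDeploymentLocation` includes geography aliases and internal/canary locations (`global`, `asia`, `europe`, `unitedstates`, the `*stage` and `*euap` entries, `eastusstg`) that are, as far as I can tell, not usable resource-group locations for customers and, in a data-residency landing zone, contradict the point of constraining where the dashboard resource group lives; trim the list to real deployable regions or derive it from the same source as `parAllowedLocations` so the two cannot drift. The @description also claims `DEFAULT: mcfs` but the parameter has no default; change it to `The prefix that will be added to all resources created by this deployment.` so the generated docs do not mislead.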
@@ -0,0 +1,123 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY: This file deploys following:
+ - the ALZ default policies if the parDeployAlzDefaultPolicies parameter is set to true
+ - the customer specified policies to the management group. The customer specified policies are specified in the parCustomerPolicies parameter.
+ - the policy exemptions to the management group. The policy exemptions are specified in the parPolicyExemptions parameter.
+ - the policy assignments to the management group. The policy assignments are specified in the parPolicyAssignments parameter.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string = ''
+
+@description('The resource ID for the DDoS plan.')
+param parDdosPlanResourceId string = ''
+
+@description('The allowed Azure regions where resources are allowed to be deployed. Allowed values : asia, asiapacific, australia, australiacentral, australiacentral2, australiaeast, australiasoutheast, brazil, brazilsouth, brazilsoutheast, canada, canadacentral, canadaeast, centralindia, centralus, centraluseuap, centralusstage, eastasia, eastasiastage, eastus, eastus2, eastus2euap, eastus2stage, eastusstage, eastusstg, europe, france, francecentral, francesouth, germany, germanynorth, germanywestcentral, global, india, japan, japaneast, japanwest, jioindiacentral, jioindiawest, korea, koreacentral, koreasouth, northcentralus, northcentralusstage, northeurope, norway, norwayeast, norwaywest, qatarcentral, singapore, southafrica, southafricanorth, southafricawest, southcentralus, southcentralusstage, southcentralusstg, southeastasia, southeastasiastage, southindia, swedencentral, switzerland, switzerlandnorth, switzerlandwest, uae, uaecentral, uaenorth, uk, uksouth, ukwest, unitedstates, unitedstateseuap, westcentralus, westeurope, westindia, westus, westus2, westus2stage, westus3, westusstage')
+param parAllowedLocations array
+
+@description('The allowed Azure regions where confidential computing resources are allowed to be deployed. Allowed values : asia, asiapacific, australia, australiacentral, australiacentral2, australiaeast, australiasoutheast, brazil, brazilsouth, brazilsoutheast, canada, canadacentral, canadaeast, centralindia, centralus, centraluseuap, centralusstage, eastasia, eastasiastage, eastus, eastus2, eastus2euap, eastus2stage, eastusstage, eastusstg, europe, france, francecentral, francesouth, germany, germanynorth, germanywestcentral, global, india, japan, japaneast, japanwest, jioindiacentral, jioindiawest, korea, koreacentral, koreasouth, northcentralus, northcentralusstage, northeurope, norway, norwayeast, norwaywest, qatarcentral, singapore, southafrica, southafricanorth, southafricawest, southcentralus, southcentralusstage, southcentralusstg, southeastasia, southeastasiastage, southindia, swedencentral, switzerland, switzerlandnorth, switzerlandwest, uae, uaecentral, uaenorth, uk, uksouth, ukwest, unitedstates, unitedstateseuap, westcentralus, westeurope, westindia, westus, westus2, westus2stage, westus3, westusstage')
+param parAllowedLocationsForConfidentialComputing array
+
+@description('The ID for the Log Analytics workspace that was created to centralize log ingest.')
+param parLogAnalyticsWorkspaceId string = ''
+
+@description('Set to true to deploy ALZ default policies, otherwise false. DEFAULT: false')
+param parDeployAlzDefaultPolicies bool = false
+
+@description('The region where the Log Analytics Workspace & Automation Account are deployed.')
+param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = ''
+
+@description('Number of days of log retention for Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceLogRetentionInDays string
+
+@description('Automation account name.')
+param parAutomationAccountName string = ''
+
+@description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.')
+param parMsDefenderForCloudEmailSecurityContact string = ''
+
+@description('Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.')
+param parPrivateDnsResourceGroupId string = ''
+
+@description('Effect type for all policy definitions')
+param parPolicyEffect string = 'Deny'
+
+var varPolicyAssignmentScopeName = '${parDeploymentPrefix}${parDeploymentSuffix}'
+var varPolicyExemptionConfidentialOnlineManagementGroup = '${parDeploymentPrefix}-landingzones-confidential-online${parDeploymentSuffix}'
+var varPolicyExemptionConfidentialCorpManagementGroup = '${parDeploymentPrefix}-landingzones-confidential-corp${parDeploymentSuffix}'
+
+// The following module is used to deploy the SLZ Global Policies and the SLZ Global Assignment
+module modRegulatoryCompliance '../../modules/compliance/defaultCompliance.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-regulatory-compliance${parDeploymentSuffix}', 64)
+ params: {
+ parDeploymentPrefix: parDeploymentPrefix
+ parDeploymentSuffix: parDeploymentSuffix
+ parAllowedLocations: parAllowedLocations
+ parAllowedLocationsForConfidentialComputing: parAllowedLocationsForConfidentialComputing
+ parPolicyEffect: parPolicyEffect
+ }
+}
+
+// The following module is used to deploy the ALZ default policies
+module modAlzPolicyAssignments '../../dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep' = if (parDeployAlzDefaultPolicies) {
+ name: take('${parDeploymentPrefix}-deploy-alz-default-policies${parDeploymentSuffix}', 64)
+ params: {
+ parTopLevelManagementGroupPrefix: parDeploymentPrefix
+ parTopLevelManagementGroupSuffix: parDeploymentSuffix
+ parLogAnalyticsWorkSpaceAndAutomationAccountLocation: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceId
+ parLogAnalyticsWorkspaceLogRetentionInDays: parLogAnalyticsWorkspaceLogRetentionInDays
+ parAutomationAccountName: parAutomationAccountName
+ parMsDefenderForCloudEmailSecurityContact: parMsDefenderForCloudEmailSecurityContact
+ parDdosProtectionPlanId: parDdosPlanResourceId
+ parPrivateDnsResourceGroupId: parPrivateDnsResourceGroupId
+ parDisableAlzDefaultPolicies: !parDeployAlzDefaultPolicies
+ }
+ dependsOn: [
+ modRegulatoryCompliance
+ ]
+}
+
+// The following module is used to deploy the policy exemptions
+module modPolicyExemptionsConfidentialOnline '../../modules/compliance/policyExemptions.bicep' = {
+ dependsOn: [
+ modRegulatoryCompliance
+ ]
+ scope: managementGroup(varPolicyExemptionConfidentialOnlineManagementGroup)
+ name: take('${parDeploymentPrefix}-deploy-policy-exemptions${parDeploymentSuffix}', 64)
+ params: {
+ parPolicyAssignmentScopeName: varPolicyAssignmentScopeName
+ parPolicyDefinitionReferenceIds: [ 'AllowedLocationsForResourceGroups', 'AllowedLocations' ]
+ parPolicyAssignmentName: modRegulatoryCompliance.outputs.outSlzGlobalAssignmentName
+ parExemptionName: 'Confidential-Online-Location-Exemption.${modRegulatoryCompliance.outputs.outSlzGlobalVersion}'
+ parExemptionDisplayName: 'Confidential Online Location Exemption ${modRegulatoryCompliance.outputs.outSlzGlobalVersion}'
+ parDescription: 'Exempt the confidential online management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.'
+ }
+}
+
+// The following module is used to deploy the policy exemptions
+module modPolicyExemptionsConfidentialCorp '../../modules/compliance/policyExemptions.bicep' = {
+ dependsOn: [
+ modRegulatoryCompliance
+ ]
+ scope: managementGroup(varPolicyExemptionConfidentialCorpManagementGroup)
+ name: take('${parDeploymentPrefix}-deploy-policy-exemptions${parDeploymentSuffix}', 64)
+ params: {
+ parPolicyAssignmentScopeName: varPolicyAssignmentScopeName
+ parPolicyDefinitionReferenceIds: [ 'AllowedLocationsForResourceGroups', 'AllowedLocations' ]
+ parPolicyAssignmentName: modRegulatoryCompliance.outputs.outSlzGlobalAssignmentName
+ parExemptionName: 'Confidential-Corp-Location-Exemption.${modRegulatoryCompliance.outputs.outSlzGlobalVersion}'
+ parExemptionDisplayName: 'Confidential Corp Location Exemption ${modRegulatoryCompliance.outputs.outSlzGlobalVersion}'
+ parDescription: 'Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.'
+ }
+}
diff --git a/orchestration/moveSubscription/moveSubscription.bicep b/orchestration/moveSubscription/moveSubscription.bicep
new file mode 100644
index 00000000..e9fb9a78
--- /dev/null
+++ b/orchestration/moveSubscription/moveSubscription.bicep
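Review bot: `param parPolicyEffect string = 'Deny'` is forwarded to `modRegulatoryCompliance` as the effect for every SLZ global policy, yet it carries no `@allowed` constraint, so a mistyped or unexpected value (for instance `Disabled` where `Deny` was intended) would silently weaken enforcement across the whole management-group tree instead of failing template validation. Add `@allowed([ 'Audit' 'Deny' 'Disabled' ])` above the param, trimmed to whichever effects the downstream compliance module actually accepts, in the same way `parDeploymentLocation` is constrained in dashboard.bicep. Inside `modAlzPolicyAssignments`, which is guarded by `= if (parDeployAlzDefaultPolicies)`, the argument `parDisableAlzDefaultPolicies: !parDeployAlzDefaultPolicies` can only ever evaluate to `false`; either pass `false` directly or add a one-line comment saying why the negation is kept. The SUMMARY block also names `parCustomerPolicies`, `parPolicyExemptions` and `parPolicyAssignments` parameters that this file does not declare, so those three bullets should be removed or rewritten to describe the two confidential-MG exemption modules that are actually deployed.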
@@ -0,0 +1,64 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY: This file moves the deployed subscriptions to the correct management groups.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string = ''
+
+@description('Subscription ID for management group.')
+param parManagementSubscriptionId string
+
+@description('Subscription ID for identity group.')
+param parIdentitySubscriptionId string
+
+@description('Subscription ID for connectivity group.')
+param parConnectivitySubscriptionId string
+
+var varManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}'
+module modConnectivitySubscriptionPlacement '../../dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Connectivity-Subscription-Placement${parDeploymentSuffix}', 64)
+ scope: managementGroup(varManagementGroupId)
+ params: {
+ parTargetManagementGroupId: '${parDeploymentPrefix}-platform-connectivity${parDeploymentSuffix}'
+ parSubscriptionIds: [
+ parConnectivitySubscriptionId
+ ]
+ parTelemetryOptOut: true
+ }
+}
+
+// Move Subscription to management management group
+module modManagementSubscriptionPlacement '../../dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Management-Subscription-Placement', 64)
+ scope: managementGroup(varManagementGroupId)
+ params: {
+ parTargetManagementGroupId: '${parDeploymentPrefix}-platform-management${parDeploymentSuffix}'
+ parSubscriptionIds: [
+ parManagementSubscriptionId
+ ]
+ parTelemetryOptOut: true
+ }
+}
+
+// Move Subscription to identity management group
+module modIdentitySubscriptionPlacement '../../dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Identity-Subscription-Placement${parDeploymentSuffix}', 64)
+ scope: managementGroup(varManagementGroupId)
+ params: {
+ parTargetManagementGroupId: '${parDeploymentPrefix}-platform-identity${parDeploymentSuffix}'
+ parSubscriptionIds: [
+ parIdentitySubscriptionId
+ ]
+ parTelemetryOptOut: true
+ }
+}
diff --git a/orchestration/policyExemption/policyExemption.bicep b/orchestration/policyExemption/policyExemption.bicep
new file mode 100644
index 00000000..09af8d16
--- /dev/null
+++ b/orchestration/policyExemption/policyExemption.bicep
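Review bot: The deployment name of `modManagementSubscriptionPlacement` drops the suffix — `name: take('${parDeploymentPrefix}-deploy-Management-Subscription-Placement', 64)` — while the connectivity and identity placements both append `${parDeploymentSuffix}`, which makes deployment history harder to attribute when more than one suffixed SLZ instance exists; change it to `name: take('${parDeploymentPrefix}-deploy-Management-Subscription-Placement${parDeploymentSuffix}', 64)`. The connectivity module is also the only one of the three without a leading comment; add `// Move Subscription to connectivity management group` above it for consistency with the other two. The three subscription-ID params are accepted as unconstrained strings; the `@minLength(36)`/`@maxLength(36)` suggestion raised on dashboard.bicep applies here as well.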
@@ -0,0 +1,51 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY: This file deploys policy exemptions to a management group.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string = ''
+
+@description('Policy Assignment Name')
+param parPolicyAssignmentName string
+
+@description('Policy Assignment Scope Name')
+param parPolicyAssignmentScopeName string = parPolicyExemptionManagementGroup
+
+@description('Reference ids of Policies to be exempted')
+param parPolicyDefinitionReferenceIds array
+
+@description('Exemption Name')
+param parPolicyExemptionName string
+
+@description('Exemption Display Name')
+param parPolicyExemptionDisplayName string
+
+@description('Description')
+param parDescription string
+
+@description('Management Group for policy exemption')
+param parPolicyExemptionManagementGroup string
+
+// Deploy policy exemptions
+module modPolicyExemptions '../../modules/compliance/policyExemptions.bicep' = {
+ scope: managementGroup(parPolicyExemptionManagementGroup)
+ name: take('${parDeploymentPrefix}-policy-exemptions${parDeploymentSuffix}', 64)
+ params: {
+ parPolicyDefinitionReferenceIds: parPolicyDefinitionReferenceIds
+ parPolicyAssignmentName: parPolicyAssignmentName
+ parPolicyAssignmentScopeName: parPolicyAssignmentScopeName
+ parExemptionName: parPolicyExemptionName
+ parExemptionDisplayName: parPolicyExemptionDisplayName
+ parDescription: parDescription
+ }
+}
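Review bot: The parameter descriptions in this file are placeholders — `@description('Description')` on `parDescription` and `@description('Policy Assignment Name')` on `parPolicyAssignmentName` restate the identifier — and the one non-obvious choice, `param parPolicyAssignmentScopeName string = parPolicyExemptionManagementGroup`, is left undocumented. Suggest `@description('Name of the management group that holds the policy assignment being exempted. Defaults to the exemption management group itself.')` for `parPolicyAssignmentScopeName`, and for `parDescription` something like `@description('Justification text to record on the policy exemption.')` (presumably what the downstream policyExemptions module stores; confirm against that module). Note that defaultCompliance.bicep passes the top-level `${parDeploymentPrefix}${parDeploymentSuffix}` group as the assignment scope for its own exemptions, so callers of this file will usually need to override the default rather than rely on it. `parDeploymentPrefix`'s description also says it is added to all resources, but in this file it only contributes to the deployment name.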
diff --git a/orchestration/policyInstallation/alz-DefaultPolicySetDefinitions.txt b/orchestration/policyInstallation/alz-DefaultPolicySetDefinitions.txt new file mode 100644 index 00000000..94e8d50b --- /dev/null +++ b/orchestration/policyInstallation/alz-DefaultPolicySetDefinitions.txt 
@@ -0,0 +1,1174 @@ +//This bicep file includes auto-generated code. Please dont make any changes these file manually. + +targetScope = 'managementGroup' + +@description('The management group scope to which the policy definitions are to be created at. DEFAULT VALUE = "alz"') +param parTargetManagementGroupId string = 'alz' + +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) +// // DO NOT Remove This Line !!! +var varCustomPolicySetDefinitionsArray = [ +{ + name: 'Deny-PublicPaaSEndpoints' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters + definitionGroups: [] + } + ] + } + +{ + name: 'Deploy-Diagnostics-LogAnalytics' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json') + libSetChildDefinitions: [ + { + 
definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + 
definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionParameters: 
varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + ] + } + +{ + name: 'Deploy-MDFC-Config' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.ascExport.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForAppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d' + definitionParameters: 
varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForAppServices.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForArm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForArm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforContainers.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForCosmosDbs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCosmosDbs.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForDns' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForDns.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForKeyVaults' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForKeyVaults.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForOssDb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForOssDb.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlPaas.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlServerVirtualMachines' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlServerVirtualMachines.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForStorageAccounts' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccounts.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVM.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.securityEmailContact.parameters + definitionGroups: [] + } + ] + } + +{ + name: 'Deploy-Private-DNS-Zones' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-DSCHybrid' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-DSCHybrid'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-Webhook' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-Webhook'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Cassandra' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Cassandra'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Gremlin' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Gremlin'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-MongoDB' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-MongoDB'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-SQL' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-SQL'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Table' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters + definitionGroups: [] + } + { + 
definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory-Portal' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory-Portal'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-HDInsight' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-HDInsight'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters + definitionGroups: [] + } + { + 
definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Key' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Key'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Live' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Live'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Stream' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Stream'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Migrate' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Migrate'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Monitor' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Monitor'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters + definitionGroups: [] + } 
+ { + definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS'].parameters + definitionGroups: [] 
+ } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-File' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-File'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c' + definitionParameters: 
varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-Dev' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-Dev'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL-OnDemand' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Web' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters + definitionGroups: [] + } + ] + } + +{ + name: 'Deploy-Sql-Security' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters + definitionGroups: [] + } + ] + } + +{ + name: 'Enforce-Encryption-CMK' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.ACRCmkDeny.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AksCmkDeny.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AzureBatchCMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataBoxCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionGroups: []
+ }
+
{
+ definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerTDECMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StorageCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SynapseWorkspaceCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WorkspaceCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.WorkspaceCMK.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+
+{
+ name: 'Enforce-EncryptTransit'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json')
+ libSetChildDefinitions: [
+ {
+
definitionReferenceId: 'AKSIngressHttpsOnlyEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.APIAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceHttpEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceminTlsVersion'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionServiceHttpsEffect'
+ definitionId:
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisDenyhttps'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisDenyhttps.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisdisableNonSslPort'
+ definitionId:
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDeployHttpsEnabledEffect'
+ definitionId:
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+]
+
+// Policy Set/Initiative Definition Parameter Variables
+var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json')
+
+var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json')
+
+var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json')
+
+var varPolicySetDefinitionEsDeployPrivateDNSZonesParameters =
loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json')
+
+var varPolicySetDefinitionEsDeploySqlSecurityParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json')
+
+var varPolicySetDefinitionEsEnforceEncryptionCMKParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json')
+
+var varPolicySetDefinitionEsEnforceEncryptTransitParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json')
+
+// // DO NOT Remove This Line !!!
+
+resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = [for policySet in varCustomPolicySetDefinitionsArray: {
+ name: policySet.libSetDefinition.name
+ properties: {
+ description: policySet.libSetDefinition.properties.description
+ displayName: policySet.libSetDefinition.properties.displayName
+ metadata: policySet.libSetDefinition.properties.metadata
+ parameters: policySet.libSetDefinition.properties.parameters
+ policyType: policySet.libSetDefinition.properties.policyType
+ policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: {
+ policyDefinitionReferenceId: policySetDef.definitionReferenceId
+ policyDefinitionId: policySetDef.definitionId
+ parameters: policySetDef.definitionParameters
+ groupNames: policySetDef.definitionGroups
+ }]
+ policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups
+ }
+}]
diff --git a/orchestration/policyInstallation/policyInstallation.bicep b/orchestration/policyInstallation/policyInstallation.bicep
new file mode 100644
index 00000000..003ddfba
--- /dev/null
+++ b/orchestration/policyInstallation/policyInstallation.bicep
@@ -0,0 +1,138 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY: It will deploy the ALZ default policies and the SLZ default policy set definitions.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string = ''
+
+@description('Deployment location')
+@allowed([
+ 'asia'
+ 'asiapacific'
+ 'australia'
+ 'australiacentral'
+ 'australiacentral2'
+ 'australiaeast'
+ 'australiasoutheast'
+ 'brazil'
+ 'brazilsouth'
+ 'brazilsoutheast'
+ 'canada'
+ 'canadacentral'
+ 'canadaeast'
+ 'centralindia'
+ 'centralus'
+ 'centraluseuap'
+ 'centralusstage'
+ 'eastasia'
+ 'eastasiastage'
+ 'eastus'
+ 'eastus2'
+ 'eastus2euap'
+ 'eastus2stage'
+ 'eastusstage'
+ 'eastusstg'
+ 'europe'
+ 'france'
+ 'francecentral'
+ 'francesouth'
+ 'germany'
+ 'germanynorth'
+ 'germanywestcentral'
+ 'global'
+ 'india'
+ 'japan'
+ 'japaneast'
+ 'japanwest'
+ 'jioindiacentral'
+ 'jioindiawest'
+ 'korea'
+ 'koreacentral'
+ 'koreasouth'
+ 'northcentralus'
+ 'northcentralusstage'
+ 'northeurope'
+ 'norway'
+ 'norwayeast'
+ 'norwaywest'
+ 'qatarcentral'
+ 'singapore'
+ 'southafrica'
+ 'southafricanorth'
+ 'southafricawest'
+ 'southcentralus'
+ 'southcentralusstage'
+ 'southcentralusstg'
+ 'southeastasia'
+ 'southeastasiastage'
+ 'southindia'
+ 'swedencentral'
+ 'switzerland'
+ 'switzerlandnorth'
+ 'switzerlandwest'
+ 'uae'
+ 'uaecentral'
+ 'uaenorth'
+ 'uk'
+ 'uksouth'
+ 'ukwest'
+ 'unitedstates'
+ 'unitedstateseuap'
+ 'westcentralus'
+ 'westeurope'
+ 'westindia'
+ 'westus'
+ 'westus2'
+ 'westus2stage'
+ 'westus3'
+ 'westusstage'
+])
+param parDeploymentLocation string
+
+@description('Set to true to deploy ALZ
default policies. DEFAULT: false')
+param parDeployAlzDefaultPolicies bool = false
+
+@description('Timestamp with format yyyyMMddTHHmmssZ. Default value set to Execution Timestamp to avoid deployment contention.')
+param parTimestamp string = utcNow()
+
+var varManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}'
+
+// Module - create alz default Policy Definitions
+module modAlzDefaultPolicyDefinitions '../../dependencies/infra-as-code/bicep/modules/policy/definitions/slz-defaultandCustomPolicyDefinitions.bicep' = if (parDeployAlzDefaultPolicies) {
+ scope: managementGroup(varManagementGroupId)
+ name: take('${parDeploymentPrefix}-polDefs-${parDeploymentLocation}-${parTimestamp}${parDeploymentSuffix}', 64)
+}
+
+// Module - create ALZ Policy Set Initiatives
+module modAlzPolicySetDefinitions '../../dependencies/infra-as-code/bicep/modules/policy/definitions/alzPolicySetDefinitions.bicep' = if (parDeployAlzDefaultPolicies) {
+ scope: managementGroup(varManagementGroupId)
+ name: take('${parDeploymentPrefix}-alzPolSetDefs-${parDeploymentLocation}-${parTimestamp}${parDeploymentSuffix}', 64)
+ params: {
+ parTargetManagementGroupId: varManagementGroupId
+ }
+ dependsOn: [
+ modAlzDefaultPolicyDefinitions
+ ]
+}
+
+// Module - create default and custom SLZ Policy Set Initiatives
+module modDefaultandCustomSlzPolicySetDefinitions '../../dependencies/infra-as-code/bicep/modules/policy/definitions/slz-defaultandCustomPolicySetDefinitions.bicep' = {
+ scope: managementGroup(varManagementGroupId)
+ name: take('${parDeploymentPrefix}-slzPolSetDefs-${parDeploymentLocation}-${parTimestamp}${parDeploymentSuffix}', 64)
+}
+
+// Module - create default and custom SLZ Global Policy Set Initiatives
+module modDefaultandCustomSlzGlobalPolicySetDefinitions '../../dependencies/infra-as-code/bicep/modules/policy/definitions/slz-defaultandCustomGlobalPolicySetDefinitions.bicep' = {
+ scope: managementGroup(varManagementGroupId)
+ name:
take('${parDeploymentPrefix}-slzglobalPolSetDefs-${parDeploymentLocation}-${parTimestamp}${parDeploymentSuffix}', 64)
+}
diff --git a/orchestration/policyInstallation/slz-DefaultandCustomPolicyDefinitions.txt b/orchestration/policyInstallation/slz-DefaultandCustomPolicyDefinitions.txt
new file mode 100644
index 00000000..0dbf1de6
--- /dev/null
+++ b/orchestration/policyInstallation/slz-DefaultandCustomPolicyDefinitions.txt
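Review bot: `modDefaultandCustomSlzPolicySetDefinitions` and `modDefaultandCustomSlzGlobalPolicySetDefinitions` declare no `dependsOn` on `modAlzDefaultPolicyDefinitions`, although `modAlzPolicySetDefinitions` directly above them does. The set definitions added elsewhere in this diff reference custom definitions by management-group-scoped id (for example `Deploy-Sql-AuditingSettings` and `Deny-Sql-minTLS`, both created by the definitions module), so with `parDeployAlzDefaultPolicies` true the two SLZ modules can be scheduled before those definitions exist, and with the default `false` they silently rely on the definitions already being present in the target management group. Add `dependsOn: [ modAlzDefaultPolicyDefinitions ]` to both modules (Bicep accepts a dependency on a conditionally deployed module and skips it when the condition is false), and extend the `@description` of `parDeployAlzDefaultPolicies` to state that the custom policy definitions must already exist under `varManagementGroupId` when it is left at `false`. Whether the SLZ set-definition modules resolve these ids against the same management group cannot be confirmed from this hunk.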
@@ -0,0 +1,446 @@ +//This bicep file includes auto-generated code. Please dont make any changes these file manually. + +targetScope = 'managementGroup' + +// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. +var varCustomPolicyDefinitionsArray = [ +// // DO NOT Remove This Line !!! +{ + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json') +} +{ + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json') +} +{ + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json') +} +{ + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json') +} +{ + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json') +} +{ + name: 'Audit-MachineLearning-PrivateEndpointId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json') +} +{ + name: 'Deny-AA-child-resources' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') +} +{ + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') +} +{ + name: 'Deny-AppServiceApiApp-http' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') +} +{ + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json') +} +{ + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') +} +{ + name: 'Deny-Databricks-NoPublicIp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') +} +{ + name: 'Deny-Databricks-Sku' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json') +} +{ + name: 'Deny-Databricks-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') +} +{ + name: 'Deny-MachineLearning-Aks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') +} +{ + name: 'Deny-MachineLearning-Compute-SubnetId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json') +} +{ + name: 'Deny-MachineLearning-Compute-VmSize' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json') +} +{ + name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json') +} +{ + name: 'Deny-MachineLearning-ComputeCluster-Scale' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json') +} +{ + name: 'Deny-MachineLearning-HbiWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json') +} +{ + name: 
'Deny-MachineLearning-PublicAccessWhenBehindVnet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json') +} +{ + name: 'Deny-MachineLearning-PublicNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json') +} +{ + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MySql-http.json') +} +{ + name: 'Deny-PostgreSql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json') +} +{ + name: 'Deny-Private-DNS-Zones' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json') +} +{ + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json') +} +{ + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicIP.json') +} +{ + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json') +} +{ + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') +} +{ + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') +} +{ + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') +} +{ + name: 'Deny-Storage-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') +} +{ + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json') +} +{ + name: 'Deny-Subnet-Without-Udr' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json') +} +{ + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json') +} +{ + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json') +} +{ + name: 'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') +} +{ + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') +} +{ + name: 'Deploy-Budget' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Budget.json') +} +{ + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json') +} +{ + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json') +} +{ + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json') +} +{ + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json') +} +{ + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json') +} +{ + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json') +} +{ + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json') +} +{ + name: 'Deploy-Diagnostics-APIMgmt' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json') +} +{ + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json') +} +{ + name: 'Deploy-Diagnostics-AVDScalingPlans' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json') +} +{ + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json') +} +{ + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json') +} +{ + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json') +} +{ + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json') +} +{ + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json') +} +{ + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json') +} +{ + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json') +} +{ + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json') +} +{ + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json') +} +{ + name: 'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json') +} +{ + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json') +} +{ + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json') +} +{ + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json') +} +{ + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json') +} +{ + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json') +} +{ + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json') +} +{ + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json') +} +{ + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json') +} +{ + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json') +} +{ + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json') +} +{ + name: 'Deploy-Diagnostics-MediaService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json') +} +{ + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json') +} +{ + name: 'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json') +} +{ + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json') +} +{ + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json') +} +{ + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json') +} +{ + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json') +} +{ + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json') +} +{ + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json') +} +{ + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json') +} +{ + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json') +} +{ + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json') +} +{ + name: 'Deploy-Diagnostics-TimeSeriesInsights' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json') +} +{ + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json') +} +{ + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json') +} +{ + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json') +} +{ + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json') +} +{ + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json') +} +{ + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json') +} +{ + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json') +} +{ + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json') +} +{ + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json') +} +{ + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json') +} +{ + name: 'Deploy-FirewallPolicy' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') +} +{ + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json') +} +{ + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json') +} +{ + 
name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json') +} +{ + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') +} +{ + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') +} +{ + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json') +} +{ + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json') +} +{ + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json') +} +{ + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json') +} +{ + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json') +} +{ + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json') +} +{ + name: 'Deploy-VNET-HubSpoke' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json') +} +{ + name: 'Deploy-Windows-DomainJoin' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json') +} +// // DO NOT Remove This Line !!! 
+] + +resource resPolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for policy in varCustomPolicyDefinitionsArray: { + name: policy.libDefinition.name + properties: { + description: policy.libDefinition.properties.description + displayName: policy.libDefinition.properties.displayName + metadata: policy.libDefinition.properties.metadata + mode: policy.libDefinition.properties.mode + parameters: policy.libDefinition.properties.parameters + policyType: policy.libDefinition.properties.policyType + policyRule: policy.libDefinition.properties.policyRule + } +}] diff --git a/orchestration/policyInstallation/slz-DefaultandCustomSLZGlobalPolicySetDefinitions.txt b/orchestration/policyInstallation/slz-DefaultandCustomSLZGlobalPolicySetDefinitions.txt new file mode 100644 index 00000000..51c6452c --- /dev/null +++ b/orchestration/policyInstallation/slz-DefaultandCustomSLZGlobalPolicySetDefinitions.txt 
@@ -0,0 +1,55 @@ +//This bicep file includes auto-generated code. Please dont make any changes these file manually. + +targetScope = 'managementGroup' + +// // DO NOT Remove This Line !!! +var varCustomPolicySetDefinitionsArray = [ +{ + name: 'SlzGlobalPolicies' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/slzGlobalDefaults.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AllowedLocations' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' + definitionParameters: varSlzGlobalDefaultsParameters.AllowedLocations.parameters + definitionGroups: ['dashboard-Data Residency'] + } + { + definitionReferenceId: 'AllowedLocationsForResourceGroups' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' + definitionParameters: varSlzGlobalDefaultsParameters.AllowedLocationsForResourceGroups.parameters + definitionGroups: ['dashboard-Data Residency'] + } + { + definitionReferenceId: 'Azure Cosmos DB allowed locations_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684' + definitionParameters: varSlzGlobalDefaultsParameters['Azure Cosmos DB allowed locations_1'].parameters + definitionGroups: ['dashboard-Data Residency'] + } + ] + } +] + +// Policy Set/Initiative Definition Parameter Variables + +var varSlzGlobalDefaultsParameters = loadJsonContent('lib/policy_set_definitions/slzGlobalDefaults.parameters.json') + +// // DO NOT Remove This Line !!! 
+ +resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = [for policySet in varCustomPolicySetDefinitionsArray: { + name: '${policySet.libSetDefinition.name}.v${policySet.libSetDefinition.properties.metadata.version}' + properties: { + description: '${policySet.libSetDefinition.properties.description} v${policySet.libSetDefinition.properties.metadata.version}' + displayName: '${policySet.libSetDefinition.properties.displayName} v${policySet.libSetDefinition.properties.metadata.version}' + metadata: policySet.libSetDefinition.properties.metadata + parameters: policySet.libSetDefinition.properties.parameters + policyType: policySet.libSetDefinition.properties.policyType + policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: { + policyDefinitionReferenceId: policySetDef.definitionReferenceId + policyDefinitionId: policySetDef.definitionId + parameters: policySetDef.definitionParameters + groupNames: policySetDef.definitionGroups + }] + policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups + } +}] diff --git a/orchestration/policyInstallation/slz-DefaultandCustomSLZPolicySetDefinitions.txt b/orchestration/policyInstallation/slz-DefaultandCustomSLZPolicySetDefinitions.txt new file mode 100644 index 00000000..3c0222a2 --- /dev/null +++ b/orchestration/policyInstallation/slz-DefaultandCustomSLZPolicySetDefinitions.txt 
@@ -0,0 +1,143 @@ +//This bicep file includes auto-generated code. Please dont make any changes these file manually. + +targetScope = 'managementGroup' + +/* reserved customer usage attribution +@description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false +*/ + +// // DO NOT Remove This Line !!! +var varCustomPolicySetDefinitionsArray = [ +{ + name: 'SlzConfidentialPolicies' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/slzConfidentialDefaults.json') + libSetChildDefinitions: [ + { + definitionReferenceId: '[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup dat_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671' + definitionParameters: varSlzConfidentialDefaultsParameters['[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup dat_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'Allowed resource types' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c' + definitionParameters: varSlzConfidentialDefaultsParameters['Allowed resource types'].parameters + definitionGroups: ['dashboard-Confidential Computing'] + } + { + definitionReferenceId: 'Allowed virtual machine size SKUs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3' + definitionParameters: varSlzConfidentialDefaultsParameters['Allowed virtual machine size SKUs'].parameters + definitionGroups: ['dashboard-Confidential Computing'] + } + { + definitionReferenceId: 'AllowedLocations' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' + definitionParameters: varSlzConfidentialDefaultsParameters.AllowedLocations.parameters + definitionGroups: ['dashboard-Data Residency'] + } + { + 
definitionReferenceId: 'AllowedLocationsForResourceGroups' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' + definitionParameters: varSlzConfidentialDefaultsParameters.AllowedLocationsForResourceGroups.parameters + definitionGroups: ['dashboard-Data Residency'] + } + { + definitionReferenceId: 'Azure Cosmos DB allowed locations_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684' + definitionParameters: varSlzConfidentialDefaultsParameters['Azure Cosmos DB allowed locations_1'].parameters + definitionGroups: ['dashboard-Data Residency'] + } + { + definitionReferenceId: 'Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by cu_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + definitionParameters: varSlzConfidentialDefaultsParameters['Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by cu_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'HPC Cache accounts should use customer-managed key for encryption_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb' + definitionParameters: varSlzConfidentialDefaultsParameters['HPC Cache accounts should use customer-managed key for encryption_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'Managed disks should be double encrypted with both platform-managed and customer-managed keys_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816' + definitionParameters: varSlzConfidentialDefaultsParameters['Managed disks should be double encrypted with both platform-managed and customer-managed keys_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } 
+ { + definitionReferenceId: 'MySQL servers should use customer-managed keys to encrypt data at rest_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833' + definitionParameters: varSlzConfidentialDefaultsParameters['MySQL servers should use customer-managed keys to encrypt data at rest_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'PostgreSQL servers should use customer-managed keys to encrypt data at rest_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274' + definitionParameters: varSlzConfidentialDefaultsParameters['PostgreSQL servers should use customer-managed keys to encrypt data at rest_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'Queue Storage should use customer-managed key for encryption_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef' + definitionParameters: varSlzConfidentialDefaultsParameters['Queue Storage should use customer-managed key for encryption_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'SQL managed instances should use customer-managed keys to encrypt data at rest_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2' + definitionParameters: varSlzConfidentialDefaultsParameters['SQL managed instances should use customer-managed keys to encrypt data at rest_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'SQL servers should use customer-managed keys to encrypt data at rest_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8' + definitionParameters: varSlzConfidentialDefaultsParameters['SQL servers should use customer-managed keys to encrypt data at 
rest_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'Storage account encryption scopes should use customer-managed keys to encrypt data at rest_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8' + definitionParameters: varSlzConfidentialDefaultsParameters['Storage account encryption scopes should use customer-managed keys to encrypt data at rest_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'Storage accounts should use customer-managed key for encryption_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionParameters: varSlzConfidentialDefaultsParameters['Storage accounts should use customer-managed key for encryption_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + { + definitionReferenceId: 'Table Storage should use customer-managed key for encryption_1' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688' + definitionParameters: varSlzConfidentialDefaultsParameters['Table Storage should use customer-managed key for encryption_1'].parameters + definitionGroups: ['dashboard-Key Management'] + } + ] + } +] + +// Policy Set/Initiative Definition Parameter Variables +var varSlzConfidentialDefaultsParameters = loadJsonContent('lib/policy_set_definitions/slzConfidentialDefaults.parameters.json') + +// // DO NOT Remove This Line !!! 
+ +resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = [for policySet in varCustomPolicySetDefinitionsArray: { + name: '${policySet.libSetDefinition.name}.v${policySet.libSetDefinition.properties.metadata.version}' + properties: { + description: '${policySet.libSetDefinition.properties.description} v${policySet.libSetDefinition.properties.metadata.version}' + displayName: '${policySet.libSetDefinition.properties.displayName} v${policySet.libSetDefinition.properties.metadata.version}' + metadata: policySet.libSetDefinition.properties.metadata + parameters: policySet.libSetDefinition.properties.parameters + policyType: policySet.libSetDefinition.properties.policyType + policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: { + policyDefinitionReferenceId: policySetDef.definitionReferenceId + policyDefinitionId: policySetDef.definitionId + parameters: policySetDef.definitionParameters + groupNames: policySetDef.definitionGroups + }] + policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups + } +}] diff --git a/orchestration/policyRemediation/policyRemediation.bicep b/orchestration/policyRemediation/policyRemediation.bicep new file mode 100644 index 00000000..8337272a --- /dev/null +++ b/orchestration/policyRemediation/policyRemediation.bicep 
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY: This file will deploy a policy remediation to a management group.
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string = ''
+
+@description('Remediation Name.')
+param parPolicyRemediationName string
+
+@description('Policy Assignment Id.')
+param parPolicyAssignmentId string
+
+@description('Reference ids of policy to be remediated.')
+param parPolicyDefinitionReferenceId string
+
+@description('Policy assignment scope.')
+param parManagementGroupScope string
+
+// Deploy the policy remediation
+module modPolicyRemediation '../../modules/compliance/policyRemediation.bicep' = {
+ scope: managementGroup(parManagementGroupScope)
+ name: take('${parDeploymentPrefix}-${parPolicyRemediationName}${parDeploymentSuffix}', 64)
+ params: {
+ parPolicyRemediationName: parPolicyRemediationName
+ parPolicyAssignmentId: parPolicyAssignmentId
+ parPolicyDefinitionReferenceId: parPolicyDefinitionReferenceId
+ }
+}
diff --git a/orchestration/scripts/Confirm-SovereignLandingZonePrerequisites.ps1 b/orchestration/scripts/Confirm-SovereignLandingZonePrerequisites.ps1
new file mode 100644
index 00000000..2c622741
--- /dev/null
+++ b/orchestration/scripts/Confirm-SovereignLandingZonePrerequisites.ps1
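Review bot: The `@description` on `parManagementGroupScope` ('Policy assignment scope.') does not describe how the parameter is used: it is passed to `managementGroup(parManagementGroupScope)` as the module's deployment scope, so it must be a management group name/ID, and a caller reading the description could pass a full assignment scope path and get a deployment error. Suggest `@description('Name (ID) of the management group the remediation is deployed to; expected to be the management group the policy assignment in parPolicyAssignmentId targets.')`. Similarly `parPolicyDefinitionReferenceId` is a single `string` but is described as 'Reference ids of policy to be remediated.'; `@description('Policy definition reference id (within the assigned initiative) to be remediated.')` would match the type. Neither assignment id nor reference id is validated here, which is presumably left to the referenced module outside this hunk.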
@@ -0,0 +1,220 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +SUMMARY: This PowerShell script executes the below list of prerequisite checks to confirm before execution of the New-SovereignLandingZone.ps1 + +- Verify PowerShell Verion +- Verify Azure PowerShell version +- Verify Azure CLI version +- Update Bicep version +- Check the user executing has the owner permission on the root ("/") scope of the tenant and assign root ("/") permission if the user is missing the same + +AUTHOR/S: Cloud for Sovereignty +#> + +param ( + $parIsSLZDeployedAtTenantRoot = $true +) + +$varSignedInUser = $null; + +function Confirm-PowerShellVersion { + <# + + .SYNOPSIS + This function checks the current version of PowerShell and prompts the user to install the latest version if the current version is not compatible with the script. + .EXAMPLE + Confirm-PowerShellVersion + .EXAMPLE + Confirm-PowerShellVersion -varMajorVersion 7 -varMinorVersion 1 + .PARAMETER varMajorVersion + The major version of PowerShell to check for + .PARAMETER varMinorVersion + The minor version of PowerShell to check for + + #> + param( + [Parameter(Mandatory = $false)] + [int]$parMajorVersion = 7, + + [Parameter(Mandatory = $false)] + [int]$parMinorVersion = 0 + ) + $varVersion = $PSVersionTable.PSVersion + Write-Information "`n>>> Checking if the current version of PowerShell $varVersion is compatible with the script- " -InformationAction Continue + + if ($varVersion.Major -eq $parMajorVersion -and $varVersion.Minor -ge $parMinorVersion) { + Write-Information "The installed version of PowerShell is compatible with the script." -InformationAction Continue + return $true + } + else { + Write-Error "The installed version of PowerShell $varVersion is not compatible with the script. 
Please upgrade to the latest version ($parMajorVersion.$parMinorVersion or above) by using the command 'winget install --id Microsoft.Powershell --source winget' or follow this documentation : https://aka.ms/install-powershell." -ErrorAction Continue + return $false + } +} + +#reference to individual scripts +. ".\Invoke-Helper.ps1" + +function Confirm-AZPSVersion { + <# + + .SYNOPSIS + This function checks the current version of Azure PowerShell module and prompts the user to install the latest version if the current version is not compatible with the script. + .EXAMPLE + Confirm-AZPSVersion + .EXAMPLE + Confirm-AZPSVersion -varMajorVersion 10 + .PARAMETER varMajorVersion + The major version of Azure PowerShell module to check for + + #> + param( + [Parameter(Mandatory = $false)] + [int]$parMajorVersion = 10 + ) + Write-Information "`n>>> Checking the current verison of azure powershell installed..." -InformationAction Continue + try { + $varAzpsVersion = (Get-InstalledModule -Name Az).Version + } + catch { + Write-Error "Install the latest version of Azure AZ PowerShell ($parMajorVersion.0 or above) by running this command 'Install-Module -Name Az -AllowClobber -Force'" -ErrorAction Continue + return $false + } + $varCompatibleVersionInstalled = [Version]$varAzpsVersion -ge [Version]"$parMajorVersion.0.0" + if ($varCompatibleVersionInstalled) { + Write-Information "The installed version of Azure AZ PowerShell module is compatible with the script." -InformationAction Continue + return $true + } + else { + Write-Error "The installed version of Azure AZ PowerShell module ($varAzpsVersion) is not compatible with the script. 
Please upgrade to the latest version ($parMajorVersion.0 or above) by running this command 'Install-Module -Name Az -AllowClobber -Force'" -ErrorAction Continue + return $false + } +} + +function Confirm-AZCLIVersion { + <# + .SYNOPSIS + This function checks the current version of Azure CLI and prompts the user to install the latest version if the current version is not compatible with the script. + .EXAMPLE + Confirm-AZCLIVersion + .EXAMPLE + Confirm-AZCLIVersion -varMajorVersion 2 -varMinorVersion 40 + .PARAMETER varMajorVersion + The major version of Azure CLI to check for + .PARAMETER varMinorVersion + The minor version of Azure CLI to check for + #> + param( + [Parameter(Mandatory = $false)] + [int]$parMajorVersion = 2, + + [Parameter(Mandatory = $false)] + [int]$parMinorVersion = 51 + ) + Write-Information "`n>>> Checking the current verison of azure cli installed - " -InformationAction Continue + if (Get-Command "az" -errorAction SilentlyContinue) { + $varAzVersion = ((az version -o tsv) -split "\t")[0] -split "\." + $varCompatibleVersionInstalled = $varAzVersion[0] -eq $parMajorVersion -and $varAzVersion[1] -ge $parMinorVersion + if ($varCompatibleVersionInstalled) { + Write-Information "The installed version of Azure CLI is compatible with the script." -InformationAction Continue + return $true + } + } + Write-Error "The installed version of Azure CLI $varAzVersion is not compatible with the script. Please upgrade to the latest version of Azure CLI ($parMajorVersion.$parMinorVersion or above) by following the steps in the link - https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest." 
-ErrorAction Continue + return $false +} + +function Confirm-BicepVersion { + <# + .SYNOPSIS + This function checks the current version of Bicep and prompts the user to install the latest version + .EXAMPLE + Confirm-BicepVersion + #> + param( + [Parameter(Mandatory = $false)] + [int]$parMajorVersion = 0, + + [Parameter(Mandatory = $false)] + [int]$parMinorVersion = 20 + ) + Write-Information "`n>>> Checking the current verison of Bicep installed - " -InformationAction Continue + $varCurrentBicepVersion = $null + try { + $varCurrentBicepVersion = ((bicep --version) -split " ")[3] + } + catch { + $varCurrentBicepVersion = $null + } + + if (($varCurrentBicepVersion -ne "") -and ($null -ne $varCurrentBicepVersion)) { + ##when bicep version command is run, platform already prints the latest version of the Bicep, so no need to print it again + $varCompatibleVersionInstalled = [Version]$varCurrentBicepVersion -ge [Version]"$parMajorVersion.$parMinorVersion.0" + if ($varCompatibleVersionInstalled) { + Write-Information "The installed version of Bicep is latest." -InformationAction Continue + return $true + } + else { + Write-Error "Current version of Bicep $varCurrentBicepVersion is not compatible with script. To upgrade to the latest version ($parMajorVersion.$parMinorVersion or above), please use this command 'winget install -e --id Microsoft.Bicep --source winget' " -ErrorAction Continue + return $false + } + } + else { + Write-Error "Bicep is not installed. To install to the latest version $varLatestAvailableBicepVersion please use this command 'winget install -e --id Microsoft.Bicep --source winget'. 
Note: If unable to update the bicep, uninstall the current version and retry installation command" -ErrorAction Continue + return $false + } +} + +<# + .SYNOPSIS + This function Confirm the pre-requisites for the SLZ to be executed + .EXAMPLE + Confirm-SLZ-PreRequisites +#> +function Confirm-SLZ-PreRequisites { + $varPsVersionCompatible = Confirm-PowerShellVersion + $varAzPsVersionCompatible = Confirm-AZPSVersion + $varAzCliVersionCompatible = Confirm-AZCLIVersion + $varBicepVersionCompatible = Confirm-BicepVersion + + if ($varPsVersionCompatible -eq $false -or $varAzPsVersionCompatible -eq $false -or $varAzCliVersionCompatible -eq $false -or $varBicepVersionCompatible -eq $false) { + Write-Error "After installing missing dependencies, please restart PowerShell and try again" -ErrorAction Stop + } + + $varSignedInUser = Get-SignedInUser + + # if user is not signed in trigger login + if ($null -eq $varSignedInUser) { + Enter-Login + $varSignedInUser = Get-SignedInUser + } + if ($parIsSLZDeployedAtTenantRoot) { + # check user elevated at root scope + $varUserElevated = Confirm-UserElevated + + # if user is not elevated at root scope. + if ($varUserElevated -ne $true) { + Set-UserElevatePermissions + Invoke-UserPermissionsConfirmation "Elevate" + } + + # check owner permissions of the user + $varUserhasOwnerPermissions = Confirm-UserOwnerPermission + + # if user does not have owner permissions. + if ($varUserhasOwnerPermissions -ne $true) { + Set-UserOwnerPermission + Invoke-UserPermissionsConfirmation "Owner" + } + + Write-Information "`n>>> Signed in user: $varSignedInUser has the necessary permissions." -InformationAction Continue + } +} + +try { + Confirm-SLZ-PreRequisites +} +catch { + Write-Error $_ -ErrorAction Stop +} diff --git a/orchestration/scripts/Invoke-Helper.ps1 b/orchestration/scripts/Invoke-Helper.ps1 new file mode 100644 index 00000000..a2bdab9e --- /dev/null +++ b/orchestration/scripts/Invoke-Helper.ps1 
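Review bot: `Confirm-SLZ-PreRequisites` silently grants tenant-root privileges: when `Confirm-UserElevated` or `Confirm-UserOwnerPermission` returns false it immediately calls `Set-UserElevatePermissions` / `Set-UserOwnerPermission`, so a script named as a prerequisite *check* performs a root-scope ('/') User Access Administrator elevation and Owner assignment with no prompt, and nothing tells the operator that these grants persist after deployment. Add an explicit confirmation before the `if ($parIsSLZDeployedAtTenantRoot)` grants, e.g. `$varAnswer = Read-Host "Grant $varSignedInUser User Access Administrator and Owner at tenant root '/'? (y/N)"` followed by `if ($varAnswer -ne 'y') { Write-Error "Root-scope permissions are required to continue; aborting." -ErrorAction Stop }`, and extend the SUMMARY block to say the root-scope assignments should be reviewed and removed once the landing zone is deployed. In `Confirm-AZCLIVersion`, `$varAzVersion` comes from `-split "\."` so its elements are strings, and `$varAzVersion[1] -ge $parMinorVersion` is a string comparison ("9" -ge "51" is true, "100" -ge "51" is false); cast first, `[int]$varAzVersion[1] -ge $parMinorVersion` (and `[int]$varAzVersion[0] -eq $parMajorVersion` for symmetry). In `Confirm-BicepVersion` the not-installed message interpolates `$varLatestAvailableBicepVersion`, which is never assigned in this file and so expands to an empty string; either drop it or use `$parMajorVersion.$parMinorVersion` as the other branch does.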
@@ -0,0 +1,920 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The powershell script contains definitions of helper functions to be used across all the deployment scripts. +#> + +#variables +$varMoveSubscriptionBicepFilePath = '..\moveSubscription\moveSubscription.bicep' +$varAzPortalLink = 'https://portal.azure.com' +$varDonotRetryErrorCodes = New-Object Collections.Generic.List[String] +$vartimeStamp = Get-Date -Format "yyyyMMddTHHmmssffff" +$varTenantDeployment = 'tenant' +$varManagementGroupDeployment = 'managementGroup' +$varParameters = @{} + +#variables to support incremental delay for azure resource validation checks (All time in seconds) +$varMaxWaitTimeResourceExistsCheck = 1800 +$varStartIntervalResourceExistsCheck = 5 +$varMaxIntervalResourceExistsCheck = 60 +$varIntervalMultiplierResourceExistsCheck = 5 +#variables to support retry for known transient errors +$varMaxRetryAttemptTransientErrorRetry = 6 +$varRetryWaitTimeTransientErrorRetry = 60 +$varReservedIpAddressRange = @( + "224.0.0.0/4", + "255.255.255.255/32", + "127.0.0.0/8", + "169.254.0.0/16", + "168.63.129.16/32", + "192.168.1.0", + "192.168.1.1", + "192.168.1.2", + "192.168.1.3", + "192.168.1.255" +) + + +<# +.Description + Login to Azure portal +#> +function Enter-Login { + Write-Information ">>> Initiating a login" -InformationAction Continue + Connect-AzAccount +} + +<# +.Description + Get details of user +#> +function Get-SignedInUser { + + $varSignedInUserDetails = Get-AzADUser -SignedIn + if (!$varSignedInUserDetails) { + Write-Information ">>> No logged in user found." 
-InformationAction Continue + } + else { + return $varSignedInUserDetails.UserPrincipalName + } + + return $null +} + +<# +.Description + Confirm the user is owner at the root scope +#> +function Confirm-UserOwnerPermission { + if ($null -ne $varSignedInUser) { + + Write-Information "`n>>> Checking the owner permissions for user: $varSignedInUser at '/' scope" -InformationAction Continue + $varRetrieveOwnerPermissions = Get-AzRoleAssignment ` + -SignInName $varSignedInUser ` + -Scope "/" ` + -RoleDefinitionName "Owner" + + if ($varRetrieveOwnerPermissions.RoleDefinitionName -ne "Owner") { + Write-Information "Signed in user: $varSignedInUser does not have owner permission to the root '/' scope." -InformationAction Continue + return $false + } + else { + Write-Information "Signed in user: $varSignedInUser has owner permissions at the root '/' scope." -InformationAction Continue + } + return $true + } + else { + Write-Error "Logged in user details are empty." -ErrorAction Stop + } +} + +<# +.Description + Assigns the user with Owner permissions at the root scope +#> +function Set-UserOwnerPermission { + Write-Information ">>> Assigning user with Owner permissions." -InformationAction Continue + + # Assign "Owner" role to the signed-in user at the root scope "/" + New-AzRoleAssignment ` + -SignInName $varSignedInUser ` + -Scope "/" ` + -RoleDefinitionName "Owner" +} + +<# +.Description + Confirm the user is elevated at the root scope. 
+#> +function Confirm-UserElevated { + if ($null -ne $varSignedInUser) { + + Write-Information "`n>>> Checking user $varSignedInUser is elevated at '/' scope" -InformationAction Continue + $varRetrieveUAAPermissions = Get-AzRoleAssignment ` + -SignInName $varSignedInUser ` + -Scope "/" ` + -RoleDefinitionName "User Access Administrator" + + if ($varRetrieveUAAPermissions.RoleDefinitionName -ne "User Access Administrator") { + Write-Information "Signed in user: $varSignedInUser is not elevated at '/' scope" -InformationAction Continue + return $false + } + + Write-Information "Signed in user: $varSignedInUser is elevated at '/' scope" -InformationAction Continue + return $true + } + else { + Write-Error "Logged in user details are empty." -ErrorAction Stop + } +} +<# +.Description + Assigns the user with User Access Administrator permissions at the root scope +#> +function Set-UserElevatePermissions { + Write-Information ">>> Elevating user at root scope." -InformationAction Continue + + # Elevate access to all Azure Resources for a Global Administrator + Invoke-AzRestMethod -Method Post -Uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" +} + +<# +.Description + Confirm the user is elevated at the root scope. +#> +function Invoke-UserPermissionsConfirmation { + param($parPermissionType) + Write-Information "`n>>> Confirming user's permissions. 
This might trigger an auto log out and require the user to login back in a few times" -InformationAction Continue + + $varUserPermissionsElevated = $false + $varWaitTime = 10 + $varLoopCounter = 0 + + while ($varTotalWaitTime -lt $varMaxWaitTimeResourceExistsCheck -and $varUserPermissionsElevated -eq $false) { + try { + # Log out to refresh the session + Get-AzContext | Remove-AzContext -Confirm:$false + Connect-AzAccount + + if ($parPermissionType -eq "Owner") { + # check owner permissions of the user + $varUserPermissionsElevated = Confirm-UserOwnerPermission + } + elseif ($parPermissionType -eq "Elevate") { + # check user elevated at root scope + $varUserPermissionsElevated = Confirm-UserElevated + } + + if ($varUserPermissionsElevated -ne $true) { + Write-Information ">>> Checking the permissions after waiting for $varWaitTime secs. Please ensure that you are logged into the appropriate tenant and did not log in to a different tenant during the script execution." -InformationAction Continue + $varLoopCounter++ + $varWaitTime = New-IncrementalDelay $varWaitTime $varLoopCounter + $varTotalWaitTime += $varWaitTime + Start-Sleep -Seconds $varWaitTime + } + } + catch { + $_.Exception + Write-Information ">>> Retrying after waiting for $varWaitTime secs. To stop the retry press Ctrl+C." 
-InformationAction Continue + $varLoopCounter++ + $varWaitTime = New-IncrementalDelay $varWaitTime $varLoopCounter + $varTotalWaitTime += $varWaitTime + Start-Sleep -Seconds $varWaitTime + } + } +} + +<# +.Description + Retrieves the error details on failure of deployment from azure +#> +function Get-FailedDeploymentErrorCodes { + param($parManagementGroupId, $parDeploymentName, $parDeploymentScope) + + $varErrorCodeList = New-Object Collections.Generic.List[String] + if ($parDeploymentScope -eq $varTenantDeployment) { + $varDeploymentError = Get-AzTenantDeploymentOperation ` + -DeploymentName $parDeploymentName | Where-Object { $_.ProvisioningState -eq "Failed" } + } + else { + $varDeploymentError = Get-AzManagementGroupDeploymentOperation ` + -ManagementGroupId $parManagementGroupId ` + -DeploymentName $parDeploymentName | Where-Object { $_.ProvisioningState -eq "Failed" } + } + + if ($null -ne $varDeploymentError) { + if ($varDeploymentError.GetType().IsArray -and $varDeploymentError.count -gt 0) { + foreach ($error in $varDeploymentError) { + $varErrorDetails = $error.StatusMessage + if ($varErrorDetails) { + $varErrorCode = Get-ErrorCode $varErrorDetails + # add to the list if the error code is not null and does not exists already + if ($null -ne $varErrorCode -and !($varErrorCodeList -Contains $varErrorCode)) { + $varErrorCodeList.Add($varErrorCode) + } + } + } + } + else { + $varErrorDetails = $varDeploymentError.StatusMessage + if ($varErrorDetails) { + $varErrorCode = Get-ErrorCode $varErrorDetails + # add to the list if the error code is not null and does not exists already + if ($null -ne $varErrorCode -and !($varErrorCodeList -Contains $varErrorCode)) { + $varErrorCodeList.Add($varErrorCode) + } + } + } + } + else { + return $null + } + return $varErrorCodeList +} + +<# +.Description + Checks whether a transient error or not +#> +function Confirm-Retry { + param ($parDeploymentErrorCodes) + + $varRetry = $true + + foreach ($varErrorCode in 
$parDeploymentErrorCodes) {
+ if ($varDonotRetryErrorCodes -contains $varErrorCode) {
+ $varRetry = $false
+ break
+ }
+ }
+ return $varRetry
+}
+
+<#
+.Description
+ Converts the object to array
+#>
+function Convert-ToArray {
+ param ($parObjectToConvert)
+ if ($null -eq $parObjectToConvert -or $parObjectToConvert.Length -eq "0") {
+ return @()
+ }
+
+ $varObjArray = @()
+ foreach ($varObject in $parObjectToConvert) {
+ $varMap = @{}
+ $varObject.psobject.properties | ForEach-Object { $varMap[$_.Name] = $_.Value }
+ $varObjArray += $varMap
+ }
+
+ return , $varObjArray
+}
+
+<#
+.Description
+ Converts the object to a hash table
+#>
+function Convert-ToHashTable {
+ param ($parObjectToConvert)
+ if ($null -eq $parObjectToConvert) {
+ return @{}
+ }
+
+ $varHashTable = @{}
+ $parObjectToConvert.PSObject.properties | ForEach-Object { $varHashTable[$_.Name] = $_.Value }
+
+ return $varHashTable
+}
+
+<#
+.Description
+ Moves the Subscriptions from root management group to platform
+#>
+function Move-Subscription {
+ param($parParameters, $modDeployBootstrapOutputs)
+
+ if ($modDeployBootstrapOutputs) {
+ $varConnectivitySubscriptionId = $modDeployBootstrapOutputs.outputs.outConnectivitySubscriptionId.value
+ $varIdentitySubscriptionId = $modDeployBootstrapOutputs.outputs.outIdentitySubscriptionId.value
+ $varManagementSubscriptionId = $modDeployBootstrapOutputs.outputs.outManagementSubscriptionId.value
+ }
+ else {
+ $varConnectivitySubscriptionId = $parParameters.parConnectivitySubscriptionId.value
+ $varIdentitySubscriptionId = $parParameters.parIdentitySubscriptionId.value
+ $varManagementSubscriptionId = $parParameters.parManagementSubscriptionId.value
+ }
+
+ $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value
+ $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value
+ $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix"
+ $parDeploymentLocation = $parParameters.parDeploymentLocation.value
+ $parameters = @{
+ 
parDeploymentPrefix = $parDeploymentPrefix
+ parDeploymentSuffix = $parDeploymentSuffix
+ parConnectivitySubscriptionId = $varConnectivitySubscriptionId
+ parIdentitySubscriptionId = $varIdentitySubscriptionId
+ parManagementSubscriptionId = $varManagementSubscriptionId
+ }
+ $varDeploymentName = "deploy-move-$vartimeStamp"
+ $varLoopCounter = 0
+ $varRetry = $true
+
+ while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) {
+ try {
+ Write-Information ">>> Move subscription started" -InformationAction Continue
+
+ $modMoveSubscription = New-AzManagementGroupDeployment `
+ -Name $varDeploymentName `
+ -ManagementGroupId $varManagementGroupId `
+ -Location $parDeploymentLocation `
+ -TemplateFile $varMoveSubscriptionBicepFilePath `
+ -TemplateParameterObject $parameters `
+ -WarningAction Ignore
+
+ if (!$modMoveSubscription) {
+ $varRetry = $false
+ Write-Error "Error while executing move subscription" -ErrorAction Stop
+ }
+
+ Write-Information ">>> Move subscription completed`n" -InformationAction Continue
+ return;
+ }
+ catch {
+ if (!$varRetry) {
+ Write-Error ">>> Error occurred during execution. Please try after addressing the above error." -ErrorAction Stop
+ }
+ else {
+ $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varManagementGroupDeployment
+ if ($null -eq $varDeploymentErrorCodes) {
+ $varRetry = $false
+ }
+ else {
+ $varLoopCounter++
+ $varRetry = Confirm-Retry $varDeploymentErrorCodes
+ if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) {
+ Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue
+ Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry
+ }
+ else {
+ $varRetry = $false
+ Write-Error ">>> Error occurred in move subscription deployment. Please try after addressing the above error." 
-ErrorAction Stop + } + } + } + } + } +} + +<# +.Description + Caclulates and returns the number of seconds to wait +#> +function New-IncrementalDelay { + param($parDelay, $parDelayIterator) + $parDelay = $parDelay + ($parDelayIterator * $varIntervalMultiplierResourceExistsCheck) + if ($parDelay -ge $varMaxIntervalResourceExistsCheck) { + $parDelay = $varMaxIntervalResourceExistsCheck + } + return $parDelay +} + +<# +.Description + Load all the errors from the json file in a hashtable +#> +function Get-DonotRetryErrorCodes { + param () + $varErrorFile = Get-Content -Path '../const/doNotRetryErrorCodes.json' | ConvertFrom-Json + $varErrorFile.errorCodes | ForEach-Object { + $varDonotRetryErrorCodes.add($_.code) + } +} +<# +.Description + Retrieves the error code on failure of deployment from json object +#> +function Get-ErrorCode { + param ($parErrorString) + + $varLastIndexOfCode = $parErrorString.LastIndexOf("(Code:") + + # Find the position of the closing parenthesis after "Code:" + $varClosingParenthesisIndex = $parErrorString.IndexOf(")", $varLastIndexOfCode) + + # Extract the value of 'Code' + $varErrorCode = $parErrorString.Substring($varLastIndexOfCode + 6, $varClosingParenthesisIndex - $varLastIndexOfCode - 6).Trim() + + return $varErrorCode +} + +<# +.Description + Checks the required parameters are passed based on the deployment +#> +function Confirm-Parameters($parParameters) { + $varMissingParameters = New-Object Collections.Generic.List[String] + $varArrayParameters = @("parAllowedLocations", "parAllowedLocationsForConfidentialComputing", "parPolicyDefinitionReferenceIds") + Foreach ($varParameter in $parParameters) { + if ($varParameter -in $varArrayParameters -and $varParameters.$varParameter.value.count -eq 0) { + if (!$parAttendedLogin) { + $varMissingParameters.add($varParameter) + } + else { + [string[]] $varArray = @() + $varArray = Read-Host "Please enter the list of $varParameter with a comma between each" + if ($varArray[0] -eq "") { + 
Write-Error "$varParameter value not found" -ErrorAction Stop
+ }
+ $varParameters.$varParameter.value = $varArray.Split(',')
+ }
+ }
+ elseif (($null -eq $varParameters.$varParameter.value) -or [string]::IsNullOrEmpty($varParameters.$varParameter.value) -or ($varParameters.$varParameter.value -eq "{}")) {
+ $varParameters.$varParameter.value = $null
+ if (!$parAttendedLogin) {
+ $varMissingParameters.add($varParameter)
+ }
+ else {
+ $varParameters.$varParameter.value = $(Read-Host -prompt "Please provide the value for $varParameter")
+ if ($varParameters.$varParameter.value -eq "") {
+ Write-Error "$varParameter value not found" -ErrorAction Stop
+ }
+ }
+ }
+ elseif ($varParameters.$varParameter.value.count -gt 1) {
+ $varValue = $varParameters.$varParameter.value
+ if ($varValue -is [array]) {
+ foreach ($val in $varValue) {
+ $result = Confirm-ObjectType($val)
+ if ($result -eq $false) {
+ $varMissingParameters.add($varParameter)
+ }
+ }
+ }
+ elseif ($varValue -is [object]) {
+ $result = Confirm-ObjectType($varValue)
+ if ($result -eq $false) {
+ $varMissingParameters.add($varParameter)
+ }
+ }
+ elseif (($null -eq $varValue) -or [string]::IsNullOrEmpty($varValue) -or ($varValue -eq "{}")) {
+ $varParameters.$varParameter.value = $null
+ return $false
+ }
+ }
+ }
+ if ($varMissingParameters.count -gt 0) {
+ Write-Error "Following parameters are missing : $varMissingParameters" -ErrorAction Stop
+ }
+
+ # Check Gateway subnet is in the reserved Ip address list.
+ $varGatewaySubnet = $parParameters.parGatewaySubnet.value
+ $varIsGatewayReservedIpAddress = Confirm-IPAddressIsReserved($varGatewaySubnet)
+ if (($null -ne $varGatewaySubnet) -and ($true -eq $varIsGatewayReservedIpAddress)) {
+ Show-IpAddressError("The Gatewary Subnet Ip", $varGatewaySubnet)
+ }
+
+ # Check Azure Firewall Subnet is in the reserved Ip address list. 
+ $varAzureFirewallSubnet = $parParameters.parAzureFirewallSubnet.value
+ $varIsFirewallReservedIpAddress = Confirm-IPAddressIsReserved($varAzureFirewallSubnet)
+ if (($null -ne $varAzureFirewallSubnet) -and ($true -eq $varIsFirewallReservedIpAddress)) {
+ Show-IpAddressError("The Azure Firewall Subnet Ip", $varAzureFirewallSubnet)
+ }
+}
+
+<#
+.Description
+ Show Ip Address error which is in reserved Ip Address range list.
+#>
+function Show-IpAddressError($parMessage, $parIp) {
+ Write-Information "$parMessage $parIp is in the reserved IP address list:" -InformationAction Continue
+ foreach ($varIp in $varReservedIpAddressRange) {
+ Write-Information $varIp -InformationAction Continue
+ }
+
+ Write-Error "Please do not use reserved IP addresses. Update parameters and try again." -ErrorAction Stop
+}
+
+<#
+.Description
+ Checks/confirms whether the value of Ip Address range is in reserved Ip Address range list.
+#>
+function Confirm-IPAddressIsReserved($parIp) {
+ if ($null -eq $parIp) {
+ return $false
+ }
+
+ Foreach ($varReservedIpAddress in $varReservedIpAddressRange) {
+ try {
+ # Parse the IP address and subnet
+ $varReservedIp = [IPAddress]::Parse($varReservedIpAddress.Split("/")[0])
+ $varReservedIpRange = $varReservedIpAddress.Split("/")[1]
+ $varIp = [IPAddress]::Parse($parIp.Split("/")[0])
+ $varIpRange = $parIp.Split("/")[1]
+
+ # Check if the IP address falls within the reserved IP address
+ $varIsReservedIp = (($varReservedIp.Address -eq $varIp.Address) -and ($varReservedIpRange -eq $varIpRange))
+
+ if ($varIsReservedIp) {
+ return $true
+ }
+ }
+ catch {
+ Write-Error $_ -ErrorAction Stop
+ }
+ }
+
+ return $false
+}
+
+<#
+.Description
+ Checks the required Object type parameters are passed based on the deployment. 
+#> +function Confirm-ObjectType($parParameter) { + if (($null -eq $parParameter)) { + return $false + } + + $varMembers = $parParameter.PSObject.Properties | Select-Object Name, Value + foreach ($varMember in $varMembers) { + if (($null -eq $varMember.value) -or [string]::IsNullOrEmpty($varMember.value) -or ($varMember.value -eq "")) { + return $false + } + } + + return $true +} + +<# +.Description + Checks that the policy sets are available before assigning +#> +function Confirm-PolicySetExists { + param ($parManagementGroupId, $parPolicySetType) + + if ($parPolicySetType -eq 'custom') { + $varPolicySetsPath = "../../custom/policies/definitions" + } + else { + $varPolicySetsPath = "../../modules/compliance/policySetDefinitions" + } + + $varLoopCounter = 0 + $varWaitTime = $varStartIntervalResourceExistsCheck + $varTotalWaitTime = 0 + + while ($varTotalWaitTime -lt $varMaxWaitTimeResourceExistsCheck) { + try { + Get-ChildItem -Recurse -Path "$varPolicySetsPath" -Filter "*.json" | ForEach-Object { + + $varPolicyDef = Get-Content $_.PSPath | ConvertFrom-Json -Depth 100 + + if (($varPolicyDef.properties.policyDefinitions).Count -ne 0) { + $parPolicyName = $varPolicyDef.name + ".v" + $varPolicyDef.properties.metadata.version + + $varPolicySet = Get-AzPolicySetDefinition -Name $parPolicyName -ManagementGroupName $parManagementGroupId + if (!$varPolicySet) { + Write-Error "$parPolicyName policy set not found." -ErrorAction stop + } + } + } + + Write-Information ">>> All required policy sets were found." -InformationAction Continue + return $true + } + catch { + $varLoopCounter++ + $varWaitTime = New-IncrementalDelay $varWaitTime $varLoopCounter + Write-Information ">>> Searching for the required policy sets after waiting for $varWaitTime seconds." -InformationAction Continue + $varTotalWaitTime += $varWaitTime + Start-Sleep -Seconds $varWaitTime + } + } + + return $false +} + +<# +.Description + Checks whether subscriptions are created or not. 
+#>
+function Confirm-SubscriptionsExists() {
+ param($parConnectivitySubscriptionId, $parIdentitySubscriptionId, $parManagementSubscriptionId)
+ $varLoopCounter = 0
+ $varWaitTime = $varStartIntervalResourceExistsCheck
+ $varTotalWaitTime = 0
+ $varSubscriptionExists = $false
+ while ($varTotalWaitTime -lt $varMaxWaitTimeResourceExistsCheck -and $varSubscriptionExists -eq $false) {
+ try {
+ $varConnectivityID = Get-AzSubscription -SubscriptionId $parConnectivitySubscriptionId -WarningAction Ignore
+ $varManagementID = Get-AzSubscription -SubscriptionId $parManagementSubscriptionId -WarningAction Ignore
+ $varIdentityID = Get-AzSubscription -SubscriptionId $parIdentitySubscriptionId -WarningAction Ignore
+ if ((!$varConnectivityID) -or (!$varManagementID) -or (!$varIdentityID)) {
+ Write-Error "Subscription Not Found" -ErrorAction stop
+ }
+ $varSubscriptionExists = $true
+ }
+ catch {
+ $varLoopCounter++
+ $varWaitTime = New-IncrementalDelay $varWaitTime $varLoopCounter
+ Write-Information ">>>One or more subscription not found. 
Retrying after $varWaitTime seconds" -InformationAction Continue
+ $varTotalWaitTime += $varWaitTime
+ Start-Sleep -Seconds $varWaitTime
+ }
+ }
+
+ return $varSubscriptionExists
+}
+
+<#
+.Description
+ Processing parameters from JSON and creating a hash table
+#>
+function Read-ParametersValue($parJsonParamFilePath) {
+ $varSlzParameters = Get-Content -Path $parJsonParamFilePath | ConvertFrom-Json
+ $varAllowEmptyParameters = @("parExpressRouteGatewayConfig", "parVpnGatewayConfig", "parCustomerPolicies")
+ $varSlzParameters.parameters.psobject.properties | ForEach-Object {
+ if (($null -eq $_.value.Value -or $_.value.Value.count -eq 0) -and ($varAllowEmptyParameters -NotContains $_.Name)) {
+ $varParameters.add($_.Name, (new-Object PsObject -property @{value = $_.value.defaultValue; defaultValue = $_.value.defaultValue }))
+ }
+ else {
+ $varParameters.add($_.Name, (new-Object PsObject -property @{value = $_.value.Value; defaultValue = $_.value.defaultValue }))
+ }
+ }
+ return $varParameters
+}
+
+<#
+.Description
+ Checks Sovereign Landing Zone Prerequisites for the deployment.
+#>
+function Confirm-Prerequisites {
+ param($parIsSLZDeployedAtTenantRoot)
+ Write-Information ">>> Checking Sovereign Landing Zone Prerequisites for the deployment" -InformationAction Continue
+ $varConfirmPrerequisites = '.\Confirm-SovereignLandingZonePrerequisites.ps1'
+ & $varConfirmPrerequisites -parAttendedLogin $parAttendedLogin -parIsSLZDeployedAtTenantRoot $parIsSLZDeployedAtTenantRoot -ErrorAction Stop
+ Write-Information ">>> Checking Sovereign Landing Zone Prerequisites is complete." 
-InformationAction Continue
+ return
+}
+
+<#
+.Description
+ Show management group information with a link to management group's azure portal
+#>
+function Show-ManagementGroupInfo {
+ param($parParameters)
+
+ if (!$parAttendedLogin) {
+ return
+ }
+
+ $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value
+ $parTopLevelManagementGroupName = $parParameters.parTopLevelManagementGroupName.value
+ $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value
+ $varTenantId = (Get-AzTenant).Id
+ $varMgName = $parTopLevelManagementGroupName -replace ' ', '%20'
+ $varManagementGroupLink = "$varAzPortalLink/#view/Microsoft_Azure_ManagementGroups/ManagmentGroupDrilldownMenuBlade/~/overview/tenantId/$varTenantId"
+ $varManagementGroupLink = "$varManagementGroupLink/mgId/$parDeploymentPrefix$parDeploymentSuffix/mgDisplayName/$varMgName/mgCanAddOrMoveSubscription~/true/mgParentAccessLevel/Owner/defaultMenuItemId/overview/drillDownMode~/true"
+ $varManagementGroupInfo = "If you want to learn more about your management group, please click following link.`n`n"
+ $varManagementGroupInfo = "$varManagementGroupInfo$varManagementGroupLink`n`n"
+
+ Write-Information ">>> $varManagementGroupInfo" -InformationAction Continue
+}
+
+<#
+.Description
+ Show dashboard information with a link to portal dashboard. 
+#>
+function Show-DashboardInfo {
+ param($parParameters, $modDeployBootstrapOutputs)
+
+ if ($modDeployBootstrapOutputs) {
+ $varManagementSubscriptionId = $modDeployBootstrapOutputs.outputs.outManagementSubscriptionId.value
+ }
+ else {
+ $varManagementSubscriptionId = $parParameters.parManagementSubscriptionId.value
+ }
+
+ if (!$parAttendedLogin) {
+ return
+ }
+
+ $parDeploymentLocation = $parParameters.parDeploymentLocation.value
+ $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value
+ $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value
+ $varSignedInUser = Get-SignedInUser
+ $varResourceGroupName = "$parDeploymentPrefix-rg-dashboards-$parDeploymentLocation$parDeploymentSuffix"
+ $varDashboardName = "$parDeploymentPrefix-Sovereign-Landing-Zone-Dashboard-Preview-$parDeploymentLocation$parDeploymentSuffix"
+ $varUserDomain = $varSignedInUser.Substring($varSignedInUser.IndexOf("@"))
+ $varDashboardLink = "$varAzPortalLink/#$varUserDomain/dashboard/arm/subscriptions/$varManagementSubscriptionId"
+ $varDashboardLink = "$varDashboardLink/resourceGroups/$varResourceGroupName/providers/Microsoft.Portal/dashboards/$varDashboardName"
+ $varDashboardInfo = "Now your compliance dashboard is ready for you to get insights. If you want to learn more, please click following link.`n`n$varDashboardLink`n`n"
+
+ Write-Information ">>> $varDashboardInfo" -InformationAction Continue
+}
+
+<#
+.Description
+ Register resource provider. 
+#>
+function Register-ResourceProvider {
+ param($parProviderNamespace)
+
+ $varResourceProvider = $null
+ $varLoopCounter = 0
+
+ Register-AzResourceProvider -ProviderNamespace $parProviderNamespace
+ $varResourceProvider = Get-AzResourceProvider -ProviderNamespace $parProviderNamespace
+ while ($null -eq $varResourceProvider -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) {
+ Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry
+ $varResourceProvider = Get-AzResourceProvider -ProviderNamespace $parProviderNamespace
+ $varLoopCounter++
+ }
+}
+
+<#
+.Description
+ Build Subnet Json object.
+#>
+function Build-SubnetJsonObject {
+ param($parKeyValue)
+ if (![string]::IsNullOrEmpty($parKeyValue[1])) {
+ $varSubnetObject = @(
+ @{
+ name = $parKeyValue[0]
+ ipAddressRange = $parKeyValue[1]
+ })
+
+ return , $varSubnetObject
+ }
+}
+
+<#
+.Description
+ Check the bastion subnet value is provided if the deploy bastion is true.
+#>
+function Confirm-BastionRequiredValue {
+ param ($parDeployBastion, $parSubnets)
+
+ if ($parDeployBastion) {
+ $varAzureBastionSubnet = ($parSubnets | Where-Object { $_.name -eq 'AzureBastionSubnet' }).ipAddressRange
+ if ([string]::IsNullOrEmpty($varAzureBastionSubnet)) {
+ Write-Error ">>> Missing parameter value for Azure Bastion subnet IP address range. Please try after addressing the above error." -ErrorAction Stop
+ }
+ }
+}
+<#
+.Description
+Get Private DNS Resource Group Id from the Private DNS Zones output
+#>
+function Get-PrivateDnsResourceGroupId {
+ param ($parPrivateDnsZones, $parParameters)
+ $varPrivateDnsResourceGroupId = ""
+ $varDNSZonesResourceId = $parPrivateDnsZones.Count -gt 0 ? 
($parPrivateDnsZones[0].id).ToString() : "" + if (-not [string]::IsNullOrEmpty($varDNSZonesResourceId)) { + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $varPattern = "(.*)(?<=$([regex]::escape($parDeploymentLocation)))" + $varRegExResult = $varDNSZonesResourceId | Select-String -Pattern $varPattern + $varPrivateDnsResourceGroupId = $varRegExResult.Matches[0].Value + } + return $varPrivateDnsResourceGroupId +} +<# +.Description +Get Resource Name from Resource Id +#> +function Get-ResourceNameFromId { + param($parResourceId) + $varResourceName = "" + if (-not [string]::IsNullOrEmpty($parResourceId)) { + $parResourceId = $parResourceId -split '/' + $varResourceName = $parResourceId[$parResourceId.Length - 1] + } + return $varResourceName +} +<# +.Description +Get Resource Type from Resource Id +#> +function Get-ResourceTypefromId { + param($parResourceId) + $varResourceType = "" + if (-not [string]::IsNullOrEmpty($parResourceId)) { + $parResourceId = $parResourceId -split '/' + $varResourceType = $parResourceId[$parResourceId.Length - 2] + } + return $varResourceType +} + +<# +.DESCRIPTION +Create a new object with the output data +#> +function New-OutputObject { + param($parResourceName, $parResourceType, $parResourceId, $parDeploymentName, $parComments) + $varDeploymentData = [PSCustomObject]@{ + "Resource Name" = $parResourceName + "Resource Type" = $parResourceType + "Resource Id" = $parResourceId + "Deployment Module" = $parDeploymentName + "Comments" = $parComments + } + return $varDeploymentData +} + +<# +.Description + Update parameter file after deployment +#> +function Out-DeploymentParameters { + param($parDeploymentName, $modDeploymentOutputs, $parManagementGroupId, $parParameters) + $varFilename = $parManagementGroupId + "_" + $parParameters.parDeploymentStartTime + ".csv" + # Set the path of the folder you want to check/create + $varFolderPath = "outputs" + + # Check if the folder exists + if (-Not (Test-Path -Path 
$varFolderPath -PathType Container)) { + # If the folder does not exist, create it + New-Item -ItemType Directory -Path $varFolderPath -Force + Write-Information "Folder created: $varFolderPath" -InformationAction Continue + } + $varExistingCsvFilePath = $varFolderPath + "\" + $varFilename + + $varCsvData = @() + if ($parDeploymentName -eq "bootstrap") { + $varDeploymentData = New-OutputObject $modDeploymentOutputs.outputs.outManagementSubscriptionName.value "Subscription" $modDeploymentOutputs.outputs.outManagementSubscriptionId.value $parDeploymentName "Used by platform as parManagementSubscriptionId" + $varCsvData += $varDeploymentData + $varDeploymentData = New-OutputObject $modDeploymentOutputs.outputs.outIdentitySubscriptionName.value "Subscription" $modDeploymentOutputs.outputs.outIdentitySubscriptionId.value $parDeploymentName "Used by platform as parIdentitySubscriptionId" + $varCsvData += $varDeploymentData + $varDeploymentData = New-OutputObject $modDeploymentOutputs.outputs.outConnectivitySubscriptionName.value "Subscription" $modDeploymentOutputs.outputs.outConnectivitySubscriptionId.value $parDeploymentName "Used by platform as parConnectivitySubscriptionId" + $varCsvData += $varDeploymentData + $varDeploymentData = New-OutputObject "Billing Scope" "billingScope" $parParameters.parSubscriptionBillingScope.value $parDeploymentName "Can be used for ALZ Vending module as subscriptionBillingScope" + $varCsvData += $varDeploymentData + foreach ($child in $modDeploymentOutputs.outputs.outLandingZoneChildrenManagementGroupIds.value) { + $varResourceName = Get-ResourceNameFromId $child + $varResourceType = Get-ResourceTypefromId $child + $varDeploymentData = New-OutputObject $varResourceName $varResourceType $child $parDeploymentName "" + $varCsvData += $varDeploymentData + } + foreach ($child in $modDeploymentOutputs.outputs.outPlatformChildrenManagementGroupIds.value) { + $varResourceName = Get-ResourceNameFromId $child + $varResourceType = 
Get-ResourceTypefromId $child
+ $varDeploymentData = New-OutputObject $varResourceName $varResourceType $child $parDeploymentName ""
+ $varCsvData += $varDeploymentData
+ }
+ }
+ elseif ($parDeploymentName -eq "platform") {
+ $varPrivateDnsResourceGroupId = Get-PrivateDnsResourceGroupId $modDeploymentOutputs.outputs.outPrivateDNSZones.value $parParameters
+ $varDdosProtectionResourceId = $modDeploymentOutputs.outputs.outDdosProtectionResourceId.value
+ $varLogAnalyticsResourceId = $modDeploymentOutputs.outputs.outLogAnalyticsWorkspaceId.value
+ $varAutomationAccountId = $modDeploymentOutputs.outputs.outAutomationAccountName.value
+ $varHubNetworkId = $modDeploymentOutputs.outputs.outHubVirtualNetworkId.value
+ if (-not [string]::IsNullOrEmpty($varDdosProtectionResourceId)) {
+ $varResourceName = Get-ResourceNameFromId $varDdosProtectionResourceId
+ $varResourceType = Get-ResourceTypefromId $varDdosProtectionResourceId
+ $varDeploymentData = New-OutputObject $varResourceName $varResourceType $varDdosProtectionResourceId $parDeploymentName "Used by platform as parDdosProtectionResourceId"
+ $varCsvData += $varDeploymentData
+ }
+ if (-not [string]::IsNullOrEmpty($varLogAnalyticsResourceId)) {
+ $varResourceName = Get-ResourceNameFromId $varLogAnalyticsResourceId
+ $varResourceType = Get-ResourceTypefromId $varLogAnalyticsResourceId
+ $varDeploymentData = New-OutputObject $varResourceName $varResourceType $varLogAnalyticsResourceId $parDeploymentName "Used by platform as parLogAnalyticsWorkspaceId"
+ $varCsvData += $varDeploymentData
+ }
+ if (-not [string]::IsNullOrEmpty($varPrivateDnsResourceGroupId)) {
+ $varResourceName = Get-ResourceNameFromId $varPrivateDnsResourceGroupId
+ $varResourceType = Get-ResourceTypefromId $varPrivateDnsResourceGroupId
+ $varDeploymentData = New-OutputObject $varResourceName $varResourceType $varPrivateDnsResourceGroupId $parDeploymentName "Used by platform as parPrivateDnsResourceGroupId"
+ $varCsvData += $varDeploymentData
+ }
+
+ if 
(-not [string]::isNullOrEmpty($varAutomationAccountId)) { + $varResourceName = $varAutomationAccountId + $varResourceType = "AutomationAccount" + $varDeploymentData = New-OutputObject $varResourceName $varResourceType $varAutomationAccountId $parDeploymentName "Used by platform as parAutomationAccountName" + $varCsvData += $varDeploymentData + } + if (-not [string]::IsNullOrEmpty($varHubNetworkId)) { + $varResourceName = Get-ResourceNameFromId $varHubNetworkId + $varResourceType = Get-ResourceTypefromId $varHubNetworkId + $varDeploymentData = New-OutputObject $varResourceName $varResourceType $varHubNetworkId $parDeploymentName "Used by platform as parHubVirtualNetworkId" + $varCsvData += $varDeploymentData + } + $varDeploymentData = New-OutputObject "DeploymentLocation" "Location" $parParameters.parDeploymentLocation.value $parDeploymentName "Can be used for ALZ Vending module as virtualNetworkLocation" + $varCsvData += $varDeploymentData + } + # If the existing CSV file exists, read its content + if (Test-Path -Path $varExistingCsvFilePath) { + $varExistingData = Import-Csv -Path $varExistingCsvFilePath + } + else { + # If the file doesn't exist, create an empty array + $varExistingData = @() + } + # Append the new data to the existing data + $varUpdatedData = $varExistingData + $varCsvData + + # Save the updated data to the CSV file + $varUpdatedData | Export-Csv -Path $varExistingCsvFilePath -NoTypeInformation +} diff --git a/orchestration/scripts/Invoke-SlzDefaultandCustomPolicyToBicep.ps1 b/orchestration/scripts/Invoke-SlzDefaultandCustomPolicyToBicep.ps1 new file mode 100644 index 00000000..50d0efaa --- /dev/null +++ b/orchestration/scripts/Invoke-SlzDefaultandCustomPolicyToBicep.ps1 
@@ -0,0 +1,693 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +SUMMARY: This PowerShell script leverages ALZ's invoke-PolicyToBicep.ps1 to generate new slz-defaultandCustomPolicyDefinitions.bicep with SLZ defaulat and +custom policies. It mainly performs the following steps: + +- copy policy set definitions files that have atleast one policy from current definitions folder to ..\..\dependencies\infra-as-code\bicep\modules\policy\definitions\lib\policy_set_definitions folder + +- call ..\..\dependencies\scripts\Invoke-PolicyToBicep.ps1 + +- merge ..\..\dependencies\infra-as-code\bicep\modules\policy\definitions\lib\policy_definitions\_policyDefinitionsBicepInput.txt + with ..\..\dependencies\infra-as-code\bicep\modules\policy\definitions\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt + into newCustomPolicyDefinitions.bicep + +- replace ..\dependencies\infra-as-code\bicep\modules\policy\definitions\slz-defaultandCustomPolicyDefinitions.bicep with updated slz-defaultandCustomPolicyDefinitions.bicep + +This design is based on ALZ automation that syncs new policies from enterprise-scale repo +for more details please check this link https://github.com/Azure/ALZ-Bicep/wiki/PolicyDeepDive + +AUTHOR/S: Cloud for Sovereignty +VERSION: 1.0.0 +#> +[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "", Justification = "False Positive")] + +[CmdletBinding(SupportsShouldProcess)] +param ( + [Parameter()] + [string] + $parDestRootPath = "../../dependencies/infra-as-code/bicep/modules/policy", + [string] + $parDefinitionsPath = "definitions/lib/policy_definitions", + [string] + $parDefinitionsLongPath = "$parDestRootPath/$parDefinitionsPath", + [string] + $parDefinitionsSetPath = "definitions/lib/policy_set_definitions", + [string] + $parDefinitionsSetLongPath = "$parDestRootPath/$parDefinitionsSetPath", + [string] + $parDefaultPoliciesRootPath = "../../modules/compliance/policySetDefinitions", + [string] 
+ $parCustomPoliciesRootPath = "../../custom/policies/definitions", + [string] + $parSlzPolicyPattern = "([Cc]onfidential|[Cc]orp|[Gg]lobal|[Oo]nline|[Cc]onnectivity|[Dd]ecommissioned|[Ii]dentity|[Ll]andingzone|[Mm]anagement|[Pp]latform|[Ss]andbox)", + [string] + $parSlzCustomPolicyDefinitionSetFilePattern = "slz$parSlzPolicyPattern" + "Custom", + [string] + $parSlzDefaultPolicyDefinitionSetFilePattern = "slz$parSlzPolicyPattern" + "Defaults", + [string] + $parSlzGlobalPolicySetDefinitonTxtFile = "$parDefinitionsSetLongPath/_slzGlobalPolicySetDefinitionsBicepInput.txt", + [string] + $parSlzPolicySetDefinitonTxtFile = "$parDefinitionsSetLongPath/_slzPolicySetDefinitionsBicepInput.txt", + [string] + $parAlzPolicySetDefinitonTxtFile = "$parDefinitionsSetLongPath/_alzPolicySetDefinitionsBicepInput.txt", + [string] + $parTempPolicyDefinitionOutput = "tempDefaultandCustomPolicyDefinitions.bicep", + [string] + $parTempSLZGlobalPolicySetDefinitionOutput = "slzTempGlobalDefaultandCustomPolicySetDefinitions.bicep", + [string] + $parTempSLZPolicySetDefinitionOutput = "slzTempDefaultandCustomPolicySetDefinitions.bicep", + [string] + $parTempALZPolicySetDefinitionOutput = "alzTempPolicySetDefinitions.bicep", + [bool] + $parAttendedLogin = $true +) + +<# +.Description +Move all SLZ default and custom policy json files to destPath +#> +function Move-PolicySetDefinitions { + [CmdletBinding(SupportsShouldProcess)] + param([string] $parRootPath) + + $varDefaultDefinitionFiles = Get-ChildItem -Path "$parRootPath/*.json" + foreach ($varFile in $varDefaultDefinitionFiles) { + Write-Debug "Processing $varFile.Name" + + $varFilePath = $parRootPath + "/" + $varFile.Name + $varJsonContent = Get-Content $varFilePath | ConvertFrom-Json + + if ($varJsonContent.properties.policyDefinitions.Length -gt 0) { + Copy-Item $varFilePath -Destination "$parDefinitionsSetLongPath" + Write-Debug ">>> copied $varFilePath to $parDefinitionsSetLongPath" + } + else { + Write-Debug ">>> $varFile.Name not 
copied to $parDefinitionsSetLongPath" + } + } +} + +<# +.Description + Copy files to destination path +#> +function Copy-SlzDefaultandCustomPolicyDefinitionsBicep { + [CmdletBinding(SupportsShouldProcess)] + param() + + $varDestinationFolder = "$parDestRootPath/definitions/" + Write-Information ">>> Initiating copy of slz-defaultandCustomPolicyDefinitions.bicep, slz-defaultandCustomGlobalPolicySetDefinitions.bicep, slz-defaultandCustomPolicySetDefinitions.bicep and alzPolicySetDefinitions.bicep to $varDestinationFolder" -InformationAction Continue + Copy-Item "../policyInstallation/slz-DefaultandCustomPolicyDefinitions.txt" -Destination "$varDestinationFolder\slz-defaultandCustomPolicyDefinitions.bicep" + Copy-Item "../policyInstallation/slz-DefaultandCustomSLZGlobalPolicySetDefinitions.txt" -Destination "$varDestinationFolder\slz-defaultandCustomGlobalPolicySetDefinitions.bicep" + Copy-Item "../policyInstallation/slz-DefaultandCustomSLZPolicySetDefinitions.txt" -Destination "$varDestinationFolder\slz-defaultandCustomPolicySetDefinitions.bicep" + Copy-Item "../policyInstallation/alz-DefaultPolicySetDefinitions.txt" -Destination "$varDestinationFolder\alzPolicySetDefinitions.bicep" + Write-Information ">>> copied slz-defaultandCustomPolicyDefinitions.bicep, slz-defaultandCustomGlobalPolicySetDefinitions.bicep, slz-defaultandCustomPolicySetDefinitions.bicep and alzPolicySetDefinitions.bicep to $varDestinationFolder" -InformationAction Continue +} + +<# +.Description +Remove existing policy set files. 
+#> +function Remove-ExistingPolicySetFiles { + [CmdletBinding(SupportsShouldProcess)] + param() + + <# For slz default policies #> + Write-Information ">>> filtering slz default policy sets using $parSlzDefaultPolicyDefinitionSetFilePattern" -InformationAction Continue + Get-ChildItem -Path "$parDefinitionsSetLongPath" -Filter *.json | Where-Object { $_.Name -match $parSlzDefaultPolicyDefinitionSetFilePattern } | Remove-Item + Write-Information ">>> removed $parDefinitionsSetLongPath/slz*Defaults*" -InformationAction Continue + + <# For slz custom policies #> + Write-Information ">>> filtering custom policy using $parSlzCustomPolicyDefinitionSetFilePattern" -InformationAction Continue + Get-ChildItem -Path "$parDefinitionsSetLongPath" -Filter *.json | Where-Object { $_.Name -match $parSlzCustomPolicyDefinitionSetFilePattern } | Remove-Item + Write-Information ">>> removed $parDefinitionsSetLongPath/slz*Custom*" -InformationAction Continue + +} + +<# +.Description +Create new policy definition bicep file. +#> +function Invoke-ALZScript { + # leverage ALZ script to add new policies/policy-sets into its bicep which slz depends on + Write-Information ">>> call Invoke-PolicyToBicep.ps1 to regenerate .txt reference files" -InformationAction Continue + & ..\..\dependencies\scripts\Invoke-PolicyToBicep.ps1 -rootPath "$parDestRootPath" +} + +<# +.Description +Create new policy definition bicep file. 
+#> +function New-DefaultandCustomPolicyDefinitionsBicepFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + $varPolicyDefinitionsBicepInput = "$parDefinitionsLongPath/_policyDefinitionsBicepInput.txt" + $varDefaultandCustomPolicyDefinitionsBicepFile = "$parDestRootPath/definitions/slz-defaultandCustomPolicyDefinitions.bicep" + $varKeepCopying = $true + + # processing animation for attended run + if ($parAttendedLogin) { + $varDelay = 1000 + $varStartLeft = [Console]::CursorLeft + $varStartTop = [Console]::CursorTop + $varOriginalColor = [Console]::ForegroundColor + $varLoadingChars = @('-', '\', '|', '/') + $varPos = 0 + } + + try { + Set-Content -Path $parTempPolicyDefinitionOutput -Value "//`r`n// auto-generated-slz-policy-bicep-file by Cloud for Sovereignty team`r`n//" + Get-Content $varDefaultandCustomPolicyDefinitionsBicepFile | ForEach-Object { + if ($_ -match '') { + if ($_ -match '.+([Ss]tart)\s*-->') { + $varKeepCopying = $false + + Add-Content -Path $parTempPolicyDefinitionOutput -Value "// start" + # copy $varPolicyDefinitionsBicepInput + Get-Content $varPolicyDefinitionsBicepInput | Add-Content -Path $parTempPolicyDefinitionOutput + Add-Content -Path $parTempPolicyDefinitionOutput -Value "// end" + + if ($parAttendedLogin) { + Flush_Output "[*] loading from auto-gen file..." $varDelay $varStartLeft $varStartTop $varOriginalColor + } + } + elseif ($_ -match ".+([Ee]nd)\s*-->") { + $varKeepCopying = $true + } + } + else { + # write line to $parTempPolicyDefinitionOutput + if ($varKeepCopying) { + Add-Content -Path $parTempPolicyDefinitionOutput -Value $_ + + if ($parAttendedLogin) { + $varPos = $varPos + 1 + $varLoadingCh = $varLoadingChars[$($varPos % $varLoadingChars.Length)] + Flush_Output "[$varLoadingCh] loading from original file..." 
0 $varStartLeft $varStartTop Blue + } + } + } + } #end of Foreach + if ($parAttendedLogin) { + [Console]::ForegroundColor = $varOriginalColor + } + } + catch { + Write-Error "Error in merging new policy/policy-set: $_.Exception.Message" + } + #replace $varDefaultandCustomPolicyDefinitionsBicepFile with $parTempPolicyDefinitionOutput + Copy-Item $parTempPolicyDefinitionOutput -Destination $varDefaultandCustomPolicyDefinitionsBicepFile -force +} +<# +.Description +Create 2 slz policy files one with global policies and other with remainder slz policies from _policySetDefinitionsBicepInput.txt +#> +function New-SLZPolicySetDefinitonsBicepInputFiles { + [CmdletBinding(SupportsShouldProcess)] + param() + + $varPolicySetDefTextFile = Get-Content "$parDefinitionsSetLongPath/_policySetDefinitionsBicepInput.txt" + #arraylist that will contain each slz policy set json as an array + $varSlzPolicySetList = New-Object -TypeName 'System.Collections.ArrayList' + #arraylist that will contain each slz policy set parameters + $varSlzPolicyParams = New-Object -TypeName 'System.Collections.ArrayList' + #initializing array to contain slz policy set. + <# Once a policy set parsing is complete, the array will be appended to 'slzPolicySetList' #> + [String[]] $varSlzPolicySet = @() + + #arraylist that will contain each alz policy set json as an array + $varAlzPolicySetList = New-Object -TypeName 'System.Collections.ArrayList' + #arraylist that will contain each alz policy set parameters + $varAlzPolicyParams = New-Object -TypeName 'System.Collections.ArrayList' + #initializing array to contain alz policy set. 
+ <# Once a policy set parsing is complete, the array will be appended to 'alzPolicySetList' #> + [String[]] $varAlzPolicySet = @() + + <# declaring patterns #> + $varNameString = 'name:' + $varPolicyNamePattern = '(?<=name: )(.*)' + $varSlzPolicyNamePrefix = 'Slz' + $varPolicySetDefVarComment = '// Policy Set/Initiative Definition Parameter Variables' + + for ($count = 0; $count -lt $varPolicySetDefTextFile.Length; $count++) { + $varLine = $varPolicySetDefTextFile[$count] + + <#line matching 'varCustomPolicySetDefinitionsArray' represents start of the json. + Append this line to policyset defintion text files, as it will contain the jsons#> + if ($varLine -match 'varCustomPolicySetDefinitionsArray') { + Set-Content $parSlzGlobalPolicySetDefinitonTxtFile $varLine + Set-Content $parSlzPolicySetDefinitonTxtFile $varLine + Set-Content $parAlzPolicySetDefinitonTxtFile $varLine + continue + } + + <# line matching the var 'policySetDefVarComment' indicates end of json. + The arrayList containing json can be added to corresponding policyset defintion text files #> + if ($varLine -match $varPolicySetDefVarComment) { + #fetch the var name of the last parsed slz policy set and add the polic set to the slz policy set list + $varPolicyParamVarName = Get-PolicySetParamVariableName $varSlzPolicySet + [void]$varSlzPolicyParams.Add($varPolicyParamVarName) + [void]$varSlzPolicySetList.Add($varSlzPolicySet) + $varSlzPolicySet = @() + + #create the set definition text files, with the slz policy sets + Add-SlzPolicySetDefinitionTxtFiles $varLine $varSlzPolicySetList + + if (Confirm-AddEndBracket $parSlzGlobalPolicySetDefinitonTxtFile) { + Add-Content $parSlzGlobalPolicySetDefinitonTxtFile "]`r`n$varLine" + } + else { + Add-Content $parSlzGlobalPolicySetDefinitonTxtFile "`r`n$varLine" + } + + if (Confirm-AddEndBracket $parSlzPolicySetDefinitonTxtFile) { + Add-Content $parSlzPolicySetDefinitonTxtFile "]`r`n$varLine" + } + else { + Add-Content $parSlzPolicySetDefinitonTxtFile 
"`r`n$varLine" + } + + #create the set definition text files, with the alz policy sets + Add-Content $parAlzPolicySetDefinitonTxtFile $varAlzPolicySetList + if (Confirm-AddEndBracket $parAlzPolicySetDefinitonTxtFile) { + Add-Content $parAlzPolicySetDefinitonTxtFile "]`r`n$varLine" + } + else { + Add-Content $parAlzPolicySetDefinitonTxtFile "`r`n$varLine" + } + continue + } + + <# check for line containing Policy Set Parameter Variables staring with 'var' + and compare with vars in list 'slzPolicyParams' and 'alzPolicyParams', to add to the final bicep file #> + if ($varLine -match 'var ()') { + $varSlzGlobalPolicyParam = 'varSlzGlobal' + $varSlzPolicyParams | ForEach-Object { + if ($varLine -match $_) { + if ($_ -match $varSlzGlobalPolicyParam) { + Add-Content $parSlzGlobalPolicySetDefinitonTxtFile $varLine + } + else { + Add-Content $parSlzPolicySetDefinitonTxtFile $varLine + } + } + } + $varAlzPolicyParams | ForEach-Object { + if ($varLine -match $_) { + Add-Content $parAlzPolicySetDefinitonTxtFile $varLine + } + } + continue + } + + <#line doesn't match 'nameString' and array slzPolicySet or alzPolicySet has size greater than zero, + then we are parsing a slz policy set. Add the lines to array slzPolicySet and alzPolicySet#> + if ($varLine -notmatch $varNameString) { + if ($varSlzPolicySet.Count -gt 0) { + $varSlzPolicySet += $varLine + continue + } + elseif ($varAlzPolicySet.Count -gt 0) { + $varAlzPolicySet += $varLine + continue + } + } + + if ($varLine -match $varNameString) { + <# line matches with a name string and array alzPolicySet has size greater than zero, + it indicates, the end of an alz policy set json. 
The array can be added to 'alzPolicySetList' and reset + to contain next policy set #> + if ($varAlzPolicySet.Count -gt 0 -And $varAlzPolicySet[$varAlzPolicySet.Count - 2] -match '}') { + $varAlzPolicySet[$varAlzPolicySet.Count - 1] = "" + + <# parsing array 'alzPolicySet' to fetch Policy Set Parameter Variable + and add to list 'alzPolicyParams' #> + $varPolicyParamVarName = Get-PolicySetParamVariableName $varAlzPolicySet + [void]$varAlzPolicyParams.Add($varPolicyParamVarName) + [void]$varAlzPolicySetList.Add($varAlzPolicySet) + $varAlzPolicySet = @() + } + <# line matches with a name string and array slzPolicySet has size greater than zero, + it indicates, the end of an slz policy set json. The array can be added to 'slzPolicySetList' and reset + to contain next policy set #> + if ($varSlzPolicySet.Count -gt 0 -And $varSlzPolicySet[$varSlzPolicySet.Count - 2] -match '}') { + $varSlzPolicySet[$varSlzPolicySet.Count - 1] = "" + + <# parsing array 'slzPolicySet' to fetch Policy Set Parameter Variable + and add to list 'slzPolicyParams' #> + $varPolicyParamVarName = Get-PolicySetParamVariableName $varSlzPolicySet + [void]$varSlzPolicyParams.Add($varPolicyParamVarName) + [void]$varSlzPolicySetList.Add($varSlzPolicySet) + $varSlzPolicySet = @() + } + $varPolicySetName = ("$varLine" | Select-String -Pattern $varPolicyNamePattern).Matches[0].Value + <# fetch policysetname and check if its prefixed with 'SLZ' + to consider the policy set for newly created policy SLZ set definition files #> + if ($varPolicySetName.Substring(1, 3) -eq $varSlzPolicyNamePrefix) { + if ($varSlzPolicySet.Count -eq 0) { + $varSlzPolicySet = "{" + } + $varSlzPolicySet += $varLine + } + else { + if ($varAlzPolicySet.Count -eq 0) { + $varAlzPolicySet = "{" + } + $varAlzPolicySet += $varLine + } + } + } +} + +<# +.Description +Get the policy set parameter variable name from the policy set json +#> +function Get-PolicySetParamVariableName { + param ($parPolicySet) + $varDefinitionParametersString = 
'definitionParameters:' + $varParamPattern = 'var(.*)Parameters' + + foreach ($varLine in $parPolicySet) { + if ($varLine -match $varDefinitionParametersString) { + $varRegex = [Regex]::new($varParamPattern) + $varMatch = $varRegex.Match($varLine) + return $varMatch.Value + } + } +} + +<# +.Description +Checks whether to add an end bracket to the policy set definition file +#> +function Confirm-AddEndBracket { + param ($parPolicySetfilePath) + $varPolicySetFileContent = Get-Content $parPolicySetfilePath + + $varIterationCounter = $varPolicySetFileContent.Count + + do { + if ($varPolicySetFileContent[$varIterationCounter] -match '}') { + return $true + } + + if ($varPolicySetFileContent[$varIterationCounter] -match ']') { + return $false + } + + $varIterationCounter--; + } while ($varIterationCounter -gt 0) +} + +<# +.Description +Add slz policy set definition to slz policy set definition text file +#> +function Add-SlzPolicySetDefinitionTxtFiles { + param ($parLine, $parSlzPolicySetList) + + $varSlzGlobalPolicySet = 'SlzGlobal' + $varSlzPolicySets = @() + + foreach ($varPolicySet in $parSlzPolicySetList) { + if ($varPolicySet[1] -match $varSlzGlobalPolicySet) { + #adding SLZGlobalPolicy to a separate policy set definition file + Add-Content $parSlzGlobalPolicySetDefinitonTxtFile $varPolicySet + } + else { + $varSlzPolicySets += $varPolicySet + } + } + #add other slz policy sets to a different policy set definition file + Add-Content $parSlzPolicySetDefinitonTxtFile $varSlzPolicySets +} + +<# +.Description +Creating slz global policyset defintion bicep file +#> +function New-DefaultandCustomSlzGlobalPolicySetDefinitionBicepFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + # processing animation for attended run + if ($parAttendedLogin) { + $varDelay = 1000 + $varStartLeft = [Console]::CursorLeft + $varStartTop = [Console]::CursorTop + $varOriginalColor = [Console]::ForegroundColor + $varLoadingChars = @('-', '\', '|', '/') + $varPos = 0 + } + + 
$varSlzGlobalPolicyDefinitionsSetBicepInput = "$parSlzGlobalPolicySetDefinitonTxtFile" + $varDefaultandCustomSLZGlobalPolicyDefinitionsBicepFile = "$parDestRootPath/definitions/slz-defaultandCustomGlobalPolicySetDefinitions.bicep" + $varKeepCopying = $true + + try { + Set-Content -Path $parTempSLZGlobalPolicySetDefinitionOutput -Value "//`r`n// auto-generated-slz-policy-bicep-file by Cloud for Sovereignty team`r`n//" + Get-Content $varDefaultandCustomSLZGlobalPolicyDefinitionsBicepFile | ForEach-Object { + if ($_ -match '') { + if ($_ -match '.+([Ss]tart)\s*-->') { + $varKeepCopying = $false + + Add-Content -Path $parTempSLZGlobalPolicySetDefinitionOutput -Value "// start" + # copy $varSlzGlobalPolicyDefinitionsSetBicepInput + Get-Content $varSlzGlobalPolicyDefinitionsSetBicepInput | Add-Content -Path $parTempSLZGlobalPolicySetDefinitionOutput + Add-Content -Path $parTempSLZGlobalPolicySetDefinitionOutput -Value "// end" + + if ($parAttendedLogin) { + Flush_Output "[*] loading from auto-gen file..." $varDelay $varStartLeft $varStartTop $varOriginalColor + } + } + elseif ($_ -match ".+([Ee]nd)\s*-->") { + $varKeepCopying = $true + } + } + else { + # write line to $parTempSLZGlobalPolicySetDefinitionOutput + if ($varKeepCopying) { + Add-Content -Path $parTempSLZGlobalPolicySetDefinitionOutput -Value $_ + + if ($parAttendedLogin) { + $varPos = $varPos + 1 + $varLoadingCh = $varLoadingChars[$($varPos % $varLoadingChars.Length)] + Flush_Output "[$varLoadingCh] loading from original file..." 
0 $varStartLeft $varStartTop Blue + } + } + } + } #end of Foreach + if ($parAttendedLogin) { + [Console]::ForegroundColor = $varOriginalColor + } + } + catch { + Write-Error "Error in creating new policy/policy-set: $_.Exception.Message" + } + + #replace $varDefaultandCustomSLZGlobalPolicyDefinitionsBicepFile with $parTempSLZGlobalPolicySetDefinitionOutput + Copy-Item $parTempSLZGlobalPolicySetDefinitionOutput -Destination $varDefaultandCustomSLZGlobalPolicyDefinitionsBicepFile -force +} + +<# +.Description +Creating slz policy set defintion bicep file +#> +function New-DefaultandCustomSlzPolicySetDefinitionBicepFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + # processing animation for attended run + if ($parAttendedLogin) { + $varDelay = 1000 + $varStartLeft = [Console]::CursorLeft + $varStartTop = [Console]::CursorTop + $varOriginalColor = [Console]::ForegroundColor + $varLoadingChars = @('-', '\', '|', '/') + $varPos = 0 + } + + $varSlzPolicyDefinitionsSetBicepInput = "$parSlzPolicySetDefinitonTxtFile" + $varDefaultandCustomSLZPolicyDefinitionsBicepFile = "$parDestRootPath/definitions/slz-defaultandCustomPolicySetDefinitions.bicep" + $varKeepCopying = $true + + try { + Set-Content -Path $parTempSLZPolicySetDefinitionOutput -Value "//`r`n// auto-generated-slz-policy-bicep-file by Cloud for Sovereignty team`r`n//" + Get-Content $varDefaultandCustomSLZPolicyDefinitionsBicepFile | ForEach-Object { + if ($_ -match '') { + if ($_ -match '.+([Ss]tart)\s*-->') { + $varKeepCopying = $false + + Add-Content -Path $parTempSLZPolicySetDefinitionOutput -Value "// start" + # copy $varSlzPolicyDefinitionsSetBicepInput + Get-Content $varSlzPolicyDefinitionsSetBicepInput | Add-Content -Path $parTempSLZPolicySetDefinitionOutput + Add-Content -Path $parTempSLZPolicySetDefinitionOutput -Value "// end" + + if ($parAttendedLogin) { + Flush_Output "[*] loading from auto-gen file..." 
$varDelay $varStartLeft $varStartTop $varOriginalColor + } + } + elseif ($_ -match ".+([Ee]nd)\s*-->") { + $varKeepCopying = $true + } + } + else { + # write line to $parTempSLZPolicySetDefinitionOutput + if ($varKeepCopying) { + Add-Content -Path $parTempSLZPolicySetDefinitionOutput -Value $_ + + if ($parAttendedLogin) { + $varPos = $varPos + 1 + $varLoadingCh = $varLoadingChars[$($varPos % $varLoadingChars.Length)] + Flush_Output "[$varLoadingCh] loading from original file..." 0 $varStartLeft $varStartTop Blue + } + } + } + } #end of Foreach + if ($parAttendedLogin) { + [Console]::ForegroundColor = $varOriginalColor + } + } + catch { + Write-Error "Error in creating new policy/policy-set: $_.Exception.Message" + } + + #replace $varDefaultandCustomSLZPolicyDefinitionsBicepFile with $parTempSLZPolicySetDefinitionOutput + Copy-Item $parTempSLZPolicySetDefinitionOutput -Destination $varDefaultandCustomSLZPolicyDefinitionsBicepFile -force +} + +<# +.Description +Creating alz policyset defintion bicep file +#> +function New-AlzPolicySetDefinitionBicepFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + # processing animation for attended run + if ($parAttendedLogin) { + $varDelay = 1000 + $varStartLeft = [Console]::CursorLeft + $varStartTop = [Console]::CursorTop + $varOriginalColor = [Console]::ForegroundColor + $varLoadingChars = @('-', '\', '|', '/') + $varPos = 0 + } + + $alzPolicyDefinitionsSetBicepInput = "$parAlzPolicySetDefinitonTxtFile" + $varAlzPolicyDefinitionsBicepFile = "$parDestRootPath/definitions/alzPolicySetDefinitions.bicep" + $varKeepCopying = $true + + try { + Set-Content -Path $parTempALZPolicySetDefinitionOutput -Value "//`r`n// auto-generated-slz-policy-bicep-file by Cloud for Sovereignty team`r`n//" + Get-Content $varAlzPolicyDefinitionsBicepFile | ForEach-Object { + if ($_ -match '') { + if ($_ -match '.+([Ss]tart)\s*-->') { + $varKeepCopying = $false + + Add-Content -Path $parTempSLZPolicySetDefinitionOutput -Value "// start" + # copy 
$alzPolicyDefinitionsSetBicepInput + Get-Content $alzPolicyDefinitionsSetBicepInput | Add-Content -Path $parTempALZPolicySetDefinitionOutput + Add-Content -Path $parTempALZPolicySetDefinitionOutput -Value "// end" + + if ($parAttendedLogin) { + Flush_Output "[*] loading from auto-gen file..." $varDelay $varStartLeft $varStartTop $varOriginalColor + } + } + elseif ($_ -match ".+([Ee]nd)\s*-->") { + $varKeepCopying = $true + } + } + else { + # write line to $parTempALZPolicySetDefinitionOutput + if ($varKeepCopying) { + Add-Content -Path $parTempALZPolicySetDefinitionOutput -Value $_ + + if ($parAttendedLogin) { + $varPos = $varPos + 1 + $varLoadingCh = $varLoadingChars[$($varPos % $varLoadingChars.Length)] + Flush_Output "[$varLoadingCh] loading from original file..." 0 $varStartLeft $varStartTop Blue + } + } + } + } #end of Foreach + if ($parAttendedLogin) { + Flush_Output "[*] Completed loading from original files and auto-gen files." 0 $varStartLeft $varStartTop Blue $true + [Console]::ForegroundColor = $varOriginalColor + } + } + catch { + Write-Error "Error in creating new policy/policy-set: $_.Exception.Message" + } + + #replace $varAlzPolicyDefinitionsBicepFile with $parTempALZPolicySetDefinitionOutput + Copy-Item $parTempALZPolicySetDefinitionOutput -Destination $varAlzPolicyDefinitionsBicepFile -force +} + +<# +.Description +Remove temp files created during the slz deployment +#> +function Remove-TempFile { + [CmdletBinding(SupportsShouldProcess)] + param() + + Write-Information "Removing tempDefaultandCustomPolicyDefinitions.bicep, slzTempGlobalDefaultandCustomPolicySetDefinitions.bicep and slzTempDefaultandCustomPolicySetDefinitions.bicep files" -InformationAction Continue + Get-Item -Path ".\tempDefaultandCustomPolicyDefinitions.bicep" | Remove-Item + Get-Item -Path ".\slzTempGlobalDefaultandCustomPolicySetDefinitions.bicep" | Remove-Item + Get-Item -Path ".\slzTempDefaultandCustomPolicySetDefinitions.bicep" | Remove-Item + Get-Item -Path 
".\alzTempPolicySetDefinitions.bicep" | Remove-Item + Write-Information "Removed tempDefaultandCustomPolicyDefinitions.bicep, slzTempGlobalDefaultandCustomPolicySetDefinitions.bicep and slzTempDefaultandCustomPolicySetDefinitions.bicep files" -InformationAction Continue +} + +<# +.Description +Utility function to flush output to console +#> +function Flush_Output { + param([String]$parMessage, [int]$parDelay, [int]$parStartLeft, [int]$parStartTop, [ConsoleColor]$parStartColor, [bool]$parNewLine = $false) + + $varCursorTop = [Console]::CursorTop + [Console]::ForegroundColor = $parStartColor + [Console]::CursorLeft = $parStartLeft + [Console]::CursorTop = $parStartTop + + if ($parNewLine) { + Write-Host $parMessage + } + else { + Write-Host $parMessage -NoNewline + } + + [Console]::SetCursorPosition(0, $varCursorTop) + if ($parDelay -gt 0) { + Start-Sleep -Milliseconds $parDelay + } +} + +Remove-ExistingPolicySetFiles +Copy-SlzDefaultandCustomPolicyDefinitionsBicep +<# For slz default policies #> +Write-Information ">>> Processing default policy set definitions" -InformationAction Continue +Move-PolicySetDefinitions $parDefaultPoliciesRootPath +Write-Information ">>> Processed and copied SLZ default policy definition sets" -InformationAction Continue +<# For custom policies #> +Write-Information ">>> Processing custom policy set definitions" -InformationAction Continue +Move-PolicySetDefinitions $parCustomPoliciesRootPath +Write-Information ">>> Processed and copied custom policy definition sets" -InformationAction Continue +<# Invoke ALZ Script - InvokePolicyToBicep to create files containing policy definition and policy set definition #> +Invoke-ALZScript +<# The function will create alz policy definition bicep file #> +New-DefaultandCustomPolicyDefinitionsBicepFile +<# The function will create a file containing slz global policy set, file containing remainder of the slz policies and a file for alz policies #> +New-SLZPolicySetDefinitonsBicepInputFiles +<# The 
function will create SLZ global policy set definition bicep file #>
+New-DefaultandCustomSlzGlobalPolicySetDefinitionBicepFile
+<# The function will create SLZ policy set definition bicep file #>
+New-DefaultandCustomSlzPolicySetDefinitionBicepFile
+<# The function will create ALZ policy set definition bicep file #>
+New-AlzPolicySetDefinitionBicepFile
+Remove-TempFile
diff --git a/orchestration/scripts/New-Bootstrap.ps1 b/orchestration/scripts/New-Bootstrap.ps1
new file mode 100644
index 00000000..e07c1153
--- /dev/null
+++ b/orchestration/scripts/New-Bootstrap.ps1
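Review bot: In New-AlzPolicySetDefinitionBicepFile the start marker is written to the wrong temp file — `Add-Content -Path $parTempSLZPolicySetDefinitionOutput -Value "// start"` should target `$parTempALZPolicySetDefinitionOutput`, so the regenerated alzPolicySetDefinitions.bicep has no `// start` line and the SLZ temp file gets a stray one. The four merge functions (New-DefaultandCustomPolicyDefinitionsBicepFile and the three *SetDefinitionBicepFile siblings) report a failure with a non-terminating Write-Error and then still run `Copy-Item $parTemp... -Destination ... -force`, so a partially merged temp file silently overwrites the checked-in bicep; a `return` (or `-ErrorAction Stop`) in each catch before the copy would keep a failed merge from replacing the previous good output. Those catch messages interpolate `$_.Exception.Message` inside a double-quoted string, which expands only `$_` and appends the rest literally; use `$($_.Exception.Message)` (the same applies to `Write-Debug "Processing $varFile.Name"`). Confirm-AddEndBracket starts scanning at `$varPolicySetFileContent.Count`, one past the last index, and its `while ($varIterationCounter -gt 0)` never examines index 0, so initialising with `Count - 1` and looping while `-ge 0` fixes both ends. Remove-TempFile also deletes hard-coded `.\temp*.bicep` names rather than the `$parTemp*Output` parameters, so an override of those parameters leaves the real temp files behind and makes Get-Item fail on the missing defaults.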
@@ -0,0 +1,116 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The powershell script deploys bootstrap as part of SLZ deployment. +#> + +param ( + $parAttendedLogin = $true +) + +. ".\Invoke-Helper.ps1" + +#variables +$varBootstrapBicepFilePath = '..\bootstrap\bootstrap.bicep' +$varBootstrapRequiredParams = @('parDeploymentPrefix', 'parTopLevelManagementGroupName', 'parSubscriptionBillingScope', 'parDeploymentLocation') + +<# +.Description + Creates the management group hierarchy and subscriptions at tenant level + Parameters: + parBootstrapParametersFilePath -> path to the parameter file containing required parameters to deploy bootstrap + parParameters -> hash table containing parameter name and value +#> +function New-Bootstrap { + param($parBootstrapParametersFilePath, $parParameters) + + if (!$parParameters) { + $parParameters = Read-ParametersValue($parBootstrapParametersFilePath) + Confirm-Parameters($varBootstrapRequiredParams) + Get-DonotRetryErrorCodes + } + + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $varDeploymentName = "deploy-bootstrap-$vartimeStamp" + $varParams = @{ + parDeploymentPrefix = $parDeploymentPrefix + parDeploymentSuffix = $parDeploymentSuffix + parSubscriptionBillingScope = $parParameters.parSubscriptionBillingScope.value + parTopLevelManagementGroupName = $parParameters.parTopLevelManagementGroupName.value + parManagementSubscriptionId = $parParameters.parManagementSubscriptionId.value + parIdentitySubscriptionId = $parParameters.parIdentitySubscriptionId.value + parConnectivitySubscriptionId = $parParameters.parConnectivitySubscriptionId.value + parLandingZoneMgChildren = Convert-ToArray($parParameters.parLandingZoneMgChildren.value) + 
parTopLevelManagementGroupParentId = $parParameters.parTopLevelManagementGroupParentId.value + parTags = Convert-ToHashTable($parParameters.parTags.value) + } + $varLoopCounter = 0; + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeployBootstrap = $null + try { + Write-Information ">>> Bootstrap deployment started" -InformationAction Continue + + $modDeployBootstrap = New-AzTenantDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varBootstrapBicepFilePath ` + -TemplateParameterObject $varParams ` + -WarningAction Ignore + + if (!$modDeployBootstrap) { + $varRetry = $false + Write-Error "Error while executing bootstrap deployment command" -ErrorAction Stop + } + + if ($modDeployBootstrap.ProvisioningState -eq "Failed") { + Write-Error "Error occurred during bootstrap deployment." -ErrorAction Stop + } + + Write-Information ">>> Bootstrap deployment completed`n" -InformationAction Continue + # Have to register Microsoft.Network early to avoid error "Subscription not registered with NRP" + # caused by registration delay that occurs during deployments. + $varConnectivitySubscriptionId = $modDeployBootstrap.Outputs.outConnectivitySubscriptionId.Value + Write-Information "Registering Microsoft.Network resource provider for subscription id: $varConnectivitySubscriptionId...." -InformationAction Continue + Set-AzContext -Subscription "$varConnectivitySubscriptionId" + Register-ResourceProvider "Microsoft.Network" + # update parameters + Out-DeploymentParameters "bootstrap" $modDeployBootstrap $varManagementGroupId $parParameters + + return $modDeployBootstrap + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . 
Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop
+ if (!$modDeployBootstrap) {
+ Write-Error ">>> Error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop
+ }
+ else {
+ $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varTenantDeployment
+ if ($null -eq $varDeploymentErrorCodes) {
+ $varRetry = $false
+ }
+ else {
+ $varLoopCounter++
+ $varRetry = Confirm-Retry $varDeploymentErrorCodes
+ if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) {
+ Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue
+ Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry
+ }
+ else {
+ $varRetry = $false
+ Write-Error ">>> Error occurred in bootstrap deployment. Please try after addressing the above error." -ErrorAction Stop
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/orchestration/scripts/New-Compliance.ps1 b/orchestration/scripts/New-Compliance.ps1
new file mode 100644
index 00000000..8c39e9c6
--- /dev/null
+++ b/orchestration/scripts/New-Compliance.ps1
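Review bot: New-Bootstrap switches the session's Az context with `Set-AzContext -Subscription "$varConnectivitySubscriptionId"` and never restores it, so everything the caller runs after this function returns executes against the connectivity subscription rather than the context the operator signed in with; capture `$varOriginalContext = Get-AzContext` before the switch and restore it with `Set-AzContext -Context $varOriginalContext` in a finally block so the wider deployment does not silently run under a different subscription scope. The error strings in the catch block use `\n`, which PowerShell does not treat as an escape inside double quotes, so the intended line breaks are printed literally; replace them with the backtick-n escape. `$vartimeStamp`, `$varMaxRetryAttemptTransientErrorRetry`, `$varRetryWaitTimeTransientErrorRetry` and `$varTenantDeployment` are not defined in this file and presumably come from the dot-sourced Invoke-Helper.ps1, but `$varTenantDeployment` is worth confirming since an undefined variable is passed silently as $null to Get-FailedDeploymentErrorCodes. As rendered here the `if (!$varRetry) {` block in the catch has no closing brace before `if (!$modDeployBootstrap)`, which may be a rendering artifact of the collapsed diff, but it is worth checking that the file parses as committed.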
@@ -0,0 +1,619 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The powershell script deploys policies as part of SLZ deployment. +#> +param ( + $parAttendedLogin = $true +) +. ".\Invoke-Helper.ps1" +. ".\New-PolicyExemption.ps1" -parAttendedLogin $parAttendedLogin +. ".\New-PolicyRemediation.ps1" -parAttendedLogin $parAttendedLogin + +#variables +$varDefaultComplianceBicepFilePath = '..\defaultCompliance\defaultCompliance.bicep' +$varCustomComplianceBicepFilePath = '..\customCompliance\customCompliance.bicep' +$varPolicyInstallationBicepFilePath = '..\policyInstallation\policyInstallation.bicep' +$varComplianceRequiredParams = @('parDeploymentPrefix', 'parAllowedLocations', 'parAllowedLocationsForConfidentialComputing', 'parDeploymentLocation') +$varAlzDefaultPolicyRequiredParams = @('parLogAnalyticsWorkspaceId', 'parAutomationAccountName', 'parPrivateDnsResourceGroupId') +<# +.Description + Deletes the custom and default policy assignments for each of the SLZ management groups. +#> +function Get-PolicyAssignmentsandExemptions { + param ($parParameters) + + $varLoopCounter = 0; + while ($varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + try { + Write-Information ">>> Verifying policy assignments are present in SLZ" -InformationAction Continue + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $varScope = "/providers/Microsoft.Management/managementGroups/" + $varManagementGroupId + $varPolicyAssignmentsList = Get-AzPolicyAssignment -Scope $varScope -WarningAction Ignore + if ($null -eq $varPolicyAssignmentsList) { + Write-Information ">>> Policy assignments are not deployed in the env." -InformationAction Continue + return + } + + Write-Information ">>> Policy assignments found. 
Fetching policy set definition files for version check" -InformationAction Continue + $varPolicySetDefinitionDict = Get-PolicySetDefinitionVersion + + Write-Information ">>> For deployed SLZ Policy Sets, checking if there's a version update" -InformationAction Continue + [System.Collections.ArrayList]$varListOfUpdatedPolicySetDefinitionIds = @() + + $varPolicySetDefinitions = Get-AzPolicySetDefinition -ManagementGroupName $varManagementGroupId -WarningAction Ignore + foreach ($varUpcomingPolicySet in $varPolicySetDefinitionDict.GetEnumerator()) { + $varPolicySetDefinition = $varPolicySetDefinitions | Where-Object { $_.Name -eq $varUpcomingPolicySet.Key -or $_.Name -match "$($varUpcomingPolicySet.Key).v" } + $varPolicySetDefinitionVersion = $varUpcomingPolicySet.Value + foreach ($varPolicyset in $varPolicySetDefinition) { + $varDeployedPolicySetDefinitonVersion = $varPolicyset.Properties.Metadata.version + if ($varPolicySetDefinitionVersion -gt $varDeployedPolicySetDefinitonVersion) { + $varListOfUpdatedPolicySetDefinitionIds.add($varPolicyset.Name) >> $null + } + } + } + + return $varListOfUpdatedPolicySetDefinitionIds + } + catch { + $varLoopCounter++ + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + Write-Error "$varException \n $varErrorDetails \n $varTrace" -ErrorAction Continue + + if ($varLoopCounter -eq $varMaxTransientErrorRetryAttempts) { + Write-Information ">>> Maximum number of retry attempts reached. Cancelling deployment." -InformationAction Continue + Write-Error ">>> Error ocurred during getting policy assignment. Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + } + } +} + +<# +.Description + Deletes the custom and default policy assignments for each of the SLZ management groups. 
+#> +function Remove-PolicyAssignmentsandExemptions { + param ($varListOfUpdatedPolicySetDefinitionIds) + + $varLoopCounter = 0; + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + + while ($varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + try { + Write-Information ">>> Cleaning old policy assignments in SLZ" -InformationAction Continue + if (!$varListOfUpdatedPolicySetDefinitionIds) { + Write-Information ">>> No updates to policy set definiton id version." -InformationAction Continue + } + else { + Write-Information ">>> Policy assignment and exemption clean up started" -InformationAction Continue + $varManagementGroupNames = $varManagementGroupId, "decommissioned", "landingzones", "landingzones-confidential-corp", "landingzones-confidential-online", "landingzones-corp", "landingzones-online", "platform", "platform-connectivity", "platform-identity", "platform-management", "sandbox" + $varManagementGroupNames | ForEach-Object { + if ($_ -eq $varManagementGroupId) { + $varScope = "/providers/Microsoft.Management/managementGroups/" + $varManagementGroupId + } + else { + $varScope = "/providers/Microsoft.Management/managementGroups/" + $parDeploymentPrefix + "-" + $_ + $parDeploymentSuffix + } + + [System.Collections.ArrayList]$varListOfUpdatedPolicyAssignmentNames = @() + $varAssignments = Get-AzPolicyAssignment -Scope $varScope -WarningAction Ignore + if ($null -ne $varAssignments) { + $varAssignments | ForEach-Object { + $varPolicyDefinitionId = $_.Properties.PolicyDefinitionId.Substring($_.Properties.PolicyDefinitionId.LastIndexOf('/') + 1) + if ($varListOfUpdatedPolicySetDefinitionIds.Contains($varPolicyDefinitionId)) { + $varListOfUpdatedPolicyAssignmentNames.Add($_.name) >> $null + Remove-AzPolicyAssignment -Scope $varScope -Name $_.name -WarningAction Ignore >> $null + } + } + } + + $varExemptions 
= Get-AzPolicyExemption -Scope $varScope -WarningAction Ignore + if ($null -ne $varExemptions) { + $varExemptions | ForEach-Object { + if ($varListOfUpdatedPolicyAssignmentNames.Contains($_.name)) { + Remove-AzPolicyExemption -Scope $varScope -Name $_.name -WarningAction Ignore -Confirm:$false >> $null + } + } + } + } + + Write-Information ">>> Policy assignment and exemption clean up completed. Executing the next steps after waiting for $varRetryWaitTimeTransientErrorRetry seconds." -InformationAction Continue + } + + return + } + catch { + $varLoopCounter++ + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + Write-Error "$varException \n $varErrorDetails \n $varTrace" -ErrorAction Continue + + if ($varLoopCounter -eq $varMaxTransientErrorRetryAttempts) { + Write-Information ">>> Maximum number of retry attempts reached. Cancelling deployment." -InformationAction Continue + Write-Error ">>> An error occurred during Remove-PolicyAssignmentsandExemptions. Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + } + } +} + +<# +.Description + Installs the custom and default policy sets at the root of the SLZ management group. 
+#> +function New-InstallPolicySets { + param () + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $varDeploymentName = "deploy-policyinstallation-$vartimeStamp" + $varParams = @{ + parDeploymentPrefix = $parDeploymentPrefix + parDeploymentSuffix = $parDeploymentSuffix + parDeploymentLocation = $parDeploymentLocation + parDeployAlzDefaultPolicies = $parParameters.parDeployAlzDefaultPolicies.value + } + $varLoopCounter = 0; + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeployPolicyInstallation = $null + try { + Write-Information ">>> Policy Installation started" -InformationAction Continue + $modDeployPolicyInstallation = New-AzManagementGroupDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varPolicyInstallationBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $varParams ` + -WarningAction Ignore + + if (!$modDeployPolicyInstallation) { + $varRetry = $false + Write-Error "`n Error while executing policy installation" -ErrorAction Stop + } + if ($modDeployPolicyInstallation.ProvisioningState -eq "Failed") { + Write-Error "`n Error while executing policy installation" -ErrorAction Stop + } + + Write-Information ">>> Policy installation completed" -InformationAction Continue + return + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + if (!$modDeployPolicyInstallation) { + Write-Error ">>> Error occurred during execution . 
Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + else { + $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varManagementGroupDeployment + if ($null -eq $varDeploymentErrorCodes) { + $varRetry = $false + } + else { + $varLoopCounter++ + $varRetry = Confirm-Retry $varDeploymentErrorCodes + if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue + Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry + } + else { + $varRetry = $false + Write-Error ">>> Error occurred in install policy sets. Please try after addressing the above error." -ErrorAction Stop + } + } + } + } + } +} + + + +<# +.Description + Assigns the custom policy sets to the SLZ management groups based on convention +#> +function New-CustomCompliance { + param() + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $varCustomerPolicySets = Convert-ToArray($parParameters.parCustomerPolicySets.value) + $varParams = @{ + parDeploymentPrefix = $parDeploymentPrefix + parDeploymentSuffix = $parDeploymentSuffix + parRequireOwnerRolePermission = $parParameters.parRequireOwnerRolePermission.value + parCustomerPolicySets = $varCustomerPolicySets + } + + $varDeploymentName = "deploy-customcompliance-$vartimeStamp" + $varCustomPolicySetExists = Confirm-PolicySetExists $varManagementGroupId "custom" + if ($varCustomPolicySetExists -eq $true) { + $varLoopCounter = 0; + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeployCustomCompliance = $null + try { + 
Write-Information ">>> Custom compliance deployment started" -InformationAction Continue + + $modDeployCustomCompliance = New-AzManagementGroupDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varCustomComplianceBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $varParams ` + -WarningAction Ignore + + if (!$modDeployCustomCompliance) { + Write-Error "`n>>> Error occurred in custom policy set assignment." -ErrorAction Stop + } + if ($modDeployCustomCompliance.ProvisioningState -eq "Failed") { + Write-Error "Error occurred during custom compliance deployment." -ErrorAction Stop + } + + Write-Information ">>> Custom compliance completed `n" -InformationAction Continue + return $modDeployCustomCompliance + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + if (!$modDeployCustomCompliance) { + Write-Error ">>> Error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + else { + $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varManagementGroupDeployment + if ($null -eq $varDeploymentErrorCodes) { + $varRetry = $false + } + else { + $varLoopCounter++ + $varRetry = Confirm-Retry $varDeploymentErrorCodes + if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue + Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry + } + else { + $varRetry = $false + Write-Error ">>> Error occurred in custom compliance deployment. 
Please try after addressing the above error." -ErrorAction Stop + } + } + } + } + } + } + else { + Write-Error ">>> The required custom policy sets were not found. Please try again after some time." -ErrorAction Stop + } +} + +<# +.Description + Assigns the default policy sets to the SLZ management groups based on convention +#> +function New-DefaultCompliance { + param($parDdosProtectionResourceId, $parLogAnalyticsWorkspaceId, $parAutomationAccountName, $parPrivateDnsResourceGroupId) + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $parAllowedLocations = $parParameters.parAllowedLocations.value + $parAllowedLocationsForConfidentialComputing = $parParameters.parAllowedLocationsForConfidentialComputing.value + + if ($parAllowedLocations -is [string]) { + $parAllowedLocations = -split $parAllowedLocations + } + + if ($parAllowedLocationsForConfidentialComputing -is [string]) { + $parAllowedLocationsForConfidentialComputing = -split $parAllowedLocationsForConfidentialComputing + } + + $varParams = @{ + parDeploymentPrefix = $parDeploymentPrefix + parDeploymentSuffix = $parDeploymentSuffix + parAllowedLocations = $parAllowedLocations + parAllowedLocationsForConfidentialComputing = $parAllowedLocationsForConfidentialComputing + parDeployAlzDefaultPolicies = $parParameters.parDeployAlzDefaultPolicies.value + parDdosPlanResourceId = $parDdosProtectionResourceId + parLogAnalyticsWorkspaceId = $parLogAnalyticsWorkspaceId + parAutomationAccountName = $parAutomationAccountName + parLogAnalyticsWorkSpaceAndAutomationAccountLocation = $parDeploymentLocation + parPrivateDnsResourceGroupId = $parPrivateDnsResourceGroupId + parLogAnalyticsWorkspaceLogRetentionInDays = ($parParameters.parLogRetentionInDays.value).ToString() + 
parMsDefenderForCloudEmailSecurityContact = $parParameters.parMsDefenderForCloudEmailSecurityContact.value + parPolicyEffect = $parParameters.parPolicyEffect.value + } + + $varDeploymentName = "deploy-defaultcompliance-$vartimeStamp" + $varDefaultPolicySetExists = Confirm-PolicySetExists $varManagementGroupId "default" + if ($varDefaultPolicySetExists -eq $true) { + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeployDefaultCompliance = $null; + try { + Write-Information ">>> Default compliance deployment started" -InformationAction Continue + + $modDeployDefaultCompliance = New-AzManagementGroupDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varDefaultComplianceBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $varParams ` + -WarningAction Ignore + + if (!$modDeployDefaultCompliance) { + $varRetry = $false + Write-Error "`n>>> Error occurred in default policy set assignment." -ErrorAction Stop + } + + if ($modDeployDefaultCompliance.ProvisioningState -eq "Failed") { + Write-Error "Error occurred during default compliance deployment." -ErrorAction Stop + } + + Write-Information ">>> Default compliance completed" -InformationAction Continue + return $modDeployDefaultCompliance + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + if (!$modDeployDefaultCompliance) { + Write-Error ">>> Error occurred during execution . 
Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + else { + $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varManagementGroupDeployment + if ($null -eq $varDeploymentErrorCodes) { + $varRetry = $false + } + else { + $varLoopCounter++ + $varRetry = Confirm-Retry $varDeploymentErrorCodes + if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue + Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry + } + else { + $varRetry = $false + Write-Error ">>> Error occurred in default compliance deployment. Please try after addressing the above error." -ErrorAction Stop + } + } + } + } + } + } + else { + Write-Error ">>> The required default policy sets were not found. Please try again after some time." -ErrorAction Stop + return $false + } +} + +<# +.Description + On demand policy evaluation +#> +function Invoke-PolicyEvaluation { + param() + if ($parAttendedLogin) { + Write-Information ">>> In order to reflect the latest compliance data of policies, you will now be logged out of Azure and asked to re-login. Please authenticate when prompted." -InformationAction Continue + Disconnect-AzAccount + Connect-AzAccount + } + else { + return + } + Write-Information ">>> Trigerring policy scan." 
-InformationAction Continue + try { + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varSubscriptions = $null; + if (!$parParameters.parIdentitySubscriptionId.value -and !$parParameters.parConnectivitySubscriptionId.value -and !$parParameters.parManagementSubscriptionId.value) { + $varSubscriptions = Get-AzSubscription | Where-Object { $_.Name -like "$parDeploymentPrefix*$parDeploymentSuffix" -and $_.State -eq 'Enabled' } + } + else { + $varIdentitySubscriptionId = $parParameters.parIdentitySubscriptionId.value + $parConnectivitySubscriptionId = $parParameters.parConnectivitySubscriptionId.value + $varManagementSubscriptionId = $parParameters.parManagementSubscriptionId.value + $varSubscriptions = Get-AzSubscription | Where-Object { ($_.Id -eq "$varIdentitySubscriptionId" -or $_.Id -eq "$parConnectivitySubscriptionId" -or $_.Id -eq "$varManagementSubscriptionId") -and $_.State -eq 'Enabled' } + } + + if (!$varSubscriptions) { + Write-Error "Error while executing subscription list command" -ErrorAction Stop + } + $varSubscriptionCount = $varSubscriptions.count + if ($varSubscriptionCount -eq 0) { + Write-Information ">>> No subscriptions found" -InformationAction Continue + } + + $parInvokePolicyScanSync = $parParameters.parInvokePolicyScanSync.value + if ($parInvokePolicyScanSync) { + Write-Information ">>> Policy scan will be executed in synchronous mode. The process may take up to an hour." -InformationAction Continue + } + else { + Write-Information ">>> Policy scan will be executed in asynchronous mode." -InformationAction Continue + } + + $varSubscriptionCounter = 1 + foreach ($varSubscription in $varSubscriptions) { + $varSubscriptionId = $varSubscription.Id; + Write-Information "Executing policy evaluation scan for subscription id: $varSubscriptionId . Processing $varSubscriptionCounter out of $varSubscriptionCount. 
" -InformationAction Continue + $varSubscriptionCounter++ + + # This is not logic requirement, but have to register Microsoft.Network early to avoid Subscription XXXXX-XXXXX-XXXXXXX-XXXXXXX is not registered with NRP because of registration delay. + Write-Information ">>> Registering Microsoft.Network resource provider for existing subscriptions..." -InformationAction Continue + Set-AzContext -Subscription "$varSubscriptionId" + Register-AzResourceProvider -ProviderNamespace Microsoft.Network + + Write-Information "Registering policy insights resource provider for subscription id: $varSubscriptionId (May take upto 2 minutes)...." -InformationAction Continue + Set-AZContext -Subscription $varSubscriptionId + $varJob = Register-AzResourceProvider ` + -ProviderNamespace 'Microsoft.PolicyInsights' ` + -AsJob + $varJob | Wait-Job + + if ($parInvokePolicyScanSync) { + $varJob = Start-AzPolicyComplianceScan -AsJob + $varJob | Wait-Job + } + else { + Start-AzPolicyComplianceScan + } + } + Write-Information "Policy scan completed." -InformationAction Continue + } + catch { + $_ + Write-Error ">>> Error occurred during policy evaluation. Please try after addressing the above error." -ErrorAction Stop + } +} + +<# +.Description + Generates the Policies. +#> +function Invoke-PolicyGeneration { + + try { + + Write-Information ">>> Initiating Policy generation script" -InformationAction Continue + + $varInvokeSLZDefaultandCustomPolicy = '.\Invoke-SlzDefaultandCustomPolicyToBicep.ps1' + & $varInvokeSLZDefaultandCustomPolicy -parAttendedLogin $parAttendedLogin -ErrorAction Stop + + Write-Information ">>> Policy generation complete" -InformationAction Continue + return + } + catch { + $varTrace = $_.ScriptStackTrace + Write-Error ">>> Error occurred during executing policy generation script. Please try after addressing the below error: $_ $varTrace" -ErrorAction Stop + } +} + +<# +.Description + Gets the default and custom policy set definition name and versions. 
+#> +function Get-PolicySetDefinitionVersion { + $varTargetDirectories = "../../modules/compliance/policySetDefinitions", "../../custom/policies/definitions" + $varPolicySetDefinitionDict = @{} + foreach ($varDirectory in $varTargetDirectories) { + $varSlzPolicySetDefinitionFiles = Get-ChildItem -Path "$varDirectory/*.json" + foreach ($varFile in $varSlzPolicySetDefinitionFiles) { + $varFileName = $varFile.Name + Write-Debug "Processing $varFileName" + + $varFilePath = $varDirectory + "/" + $varFileName + $varJsonContent = Get-Content $varFilePath | ConvertFrom-Json + if ($varJsonContent.properties.policyDefinitions.Length -gt 0 -and $varJsonContent.name) { + $varPolicySetDefinitionDict[$varJsonContent.name] = $varJsonContent.properties.metadata.version + } + else { + Write-Information ">>> $varFileName not checked for version" -InformationAction Continue + } + } + return $varPolicySetDefinitionDict + } + +} + +<# +.Description + Creates the management group hierarchy and subscriptions at tenant level + Parameters: + parComplianceParametersFilePath -> path to the parameter file containing required parameters to deploy policies + varParameters -> hash table containing parameter name and value + modDeploySovereignPlatformOutputs -> hash table containing parameter outputs from platform deployment +#> +function New-Compliance { + param($parComplianceParametersFilePath, $parParameters, $parDeploySovereignPlatformOutputs) + + if (!$parParameters -and !$parDeploySovereignPlatformOutputs) { + $parParameters = Read-ParametersValue($parComplianceParametersFilePath) + $parDeployAlzDefaultPolicies = $parParameters.parDeployAlzDefaultPolicies.value + if ($parDeployAlzDefaultPolicies) { + $varComplianceRequiredParams = $varComplianceRequiredParams + $varAlzDefaultPolicyRequiredParams + } + Confirm-Parameters($varComplianceRequiredParams) + Get-DonotRetryErrorCodes + } + + if ($parDeploySovereignPlatformOutputs) { + $varDeployHubNetwork = $parParameters.parDeployHubNetwork.value 
+ $varDeployDdosProtection = $parParameters.parDeployDdosProtection.value + if ($varDeployHubNetwork -and $varDeployDdosProtection) { + $varDdosProtectionResourceId = $parDeploySovereignPlatformOutputs.outputs.outDdosProtectionResourceId.value + } + else { + $varDdosProtectionResourceId = $parParameters.parDdosProtectionResourceId.value + } + + $varDeployLogAnalyticsWorkspace = $parParameters.parDeployLogAnalyticsWorkspace.value + if ($varDeployLogAnalyticsWorkspace) { + $parLogAnalyticsWorkspaceId = $parDeploySovereignPlatformOutputs.outputs.outLogAnalyticsWorkspaceId.value + } + else { + $parLogAnalyticsWorkspaceId = $parParameters.parLogAnalyticsWorkspaceId.value + } + + $varAutomationAccountName = $parDeploySovereignPlatformOutputs.outputs.outAutomationAccountName.value + $varPrivateDnsZones = $parDeploySovereignPlatformOutputs.outputs.outPrivateDNSZones.value + $varPrivateDnsResourceGroupId = Get-PrivateDnsResourceGroupId $varPrivateDnsZones $parParameters + } + else { + $varDdosProtectionResourceId = $parParameters.parDdosProtectionResourceId.value + $parLogAnalyticsWorkspaceId = $parParameters.parLogAnalyticsWorkspaceId.value + $varAutomationAccountName = $parParameters.parAutomationAccountName.value + $varPrivateDnsResourceGroupId = $parParameters.parPrivateDnsResourceGroupId.value + } + + # Get the old policy assignments + $varListOfUpdatedPolicySetDefinitionIds = Get-PolicyAssignmentsandExemptions $parParameters + + # Generate Default and custom policy sets + Invoke-PolicyGeneration + #Install default and custom policy sets + New-InstallPolicySets + # Assign default policy sets + $modDeployDefaultCompliance = New-DefaultCompliance $varDdosProtectionResourceId $parLogAnalyticsWorkspaceId $varAutomationAccountName $varPrivateDnsResourceGroupId + if (!$modDeployDefaultCompliance) { + Write-Error "Default compliance deployment script failed." 
-ErrorAction Stop + } + # Assign custom policy sets + $modDeployCustomCompliance = New-CustomCompliance + if (!$modDeployCustomCompliance) { + Write-Error "Custom compliance deployment script failed." -ErrorAction Stop + } + + #Run policy exemption + Invoke-PolicyExemption $null $parParameters + #Run policy evaluation to update policy compliance state + Invoke-PolicyEvaluation + $parInvokePolicyScanSync = $parParameters.parInvokePolicyScanSync.value + if (!$parInvokePolicyScanSync) { + Write-Information ">>> Currently it is not possible to track progress of policy scan when executed asynchronously. Please execute the policy remediation after 24 hours by selecting the 'policyremediation' deployment option." -InformationAction Continue + } + else { + #Run policy remediation to reflect policy compliance state + Invoke-PolicyRemediation $null $parParameters + } + + #Removes the old policy assignments + Remove-PolicyAssignmentsandExemptions $varListOfUpdatedPolicySetDefinitionIds +} diff --git a/orchestration/scripts/New-Dashboard.ps1 b/orchestration/scripts/New-Dashboard.ps1 new file mode 100644 index 00000000..b33cc142 --- /dev/null +++ b/orchestration/scripts/New-Dashboard.ps1 
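Review bot: In Get-PolicySetDefinitionVersion the `return $varPolicySetDefinitionDict` sits inside the outer `foreach ($varDirectory in $varTargetDirectories)` loop, so the function returns after scanning only the first directory and `../../custom/policies/definitions` is never read; custom policy set versions are therefore never compared and Remove-PolicyAssignmentsandExemptions never removes superseded custom assignments. Move the `return` to after the outer loop's closing brace. In New-DefaultCompliance `$varLoopCounter` is never initialised before the `while` loop (every other retry loop here sets `$varLoopCounter = 0`), so the loop relies on `$null -lt N` semantics or on a counter leaking in from the caller's scope. The catch blocks in Get-PolicyAssignmentsandExemptions and Remove-PolicyAssignmentsandExemptions test `$varLoopCounter -eq $varMaxTransientErrorRetryAttempts` while their loops run to `$varMaxRetryAttemptTransientErrorRetry`; unless both names are defined with the same value in Invoke-Helper.ps1, the terminating error is never raised and the functions fall out of the loop returning `$null`, which Remove-PolicyAssignmentsandExemptions then reads as "no updates". The error strings in this file and in New-Dashboard.ps1 use `\n`, which is a literal in PowerShell double-quoted strings; the newline escape is `` `n ``.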
@@ -0,0 +1,115 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The powershell script deploys dashboard as part of SLZ deployment. +#> +param ( + $parAttendedLogin = $true +) +. ".\Invoke-Helper.ps1" + +#variables +$varDashboardBicepFilePath = '..\dashboard\dashboard.bicep' +$varDashboardRequiredParams = @('parDeploymentPrefix', 'parDeploymentLocation', 'parManagementSubscriptionId') + +<# +.Description + Creates the SLZ Dashboard under the management group + Parameters: + parDashboardParametersFilePath -> path to the parameter file containing required parameters to deploy dashboard + varParameters -> hash table containing parameter name and value + modDeployBootstrapOutputs -> hash table containing parameter outputs from bootstrap deployment +#> +function New-Dashboard { + param($parDashboardParametersFilePath, $parParameters, $parDeployBootstrapOutputs) + + if (!$parParameters -and !$parDeployBootstrapOutputs) { + $parParameters = Read-ParametersValue($parDashboardParametersFilePath) + Confirm-Parameters($varDashboardRequiredParams) + Get-DonotRetryErrorCodes + } + + if ($parDeployBootstrapOutputs) { + $varManagementSubscriptionId = $parDeployBootstrapOutputs.outputs.outManagementSubscriptionId.value + } + else { + $varManagementSubscriptionId = $parParameters.parManagementSubscriptionId.value + } + + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $varDeploymentName = "deploy-dashboard-$vartimeStamp" + + $varParams = @{ + parDeploymentLocation = $parDeploymentLocation + parDeploymentPrefix = $parDeploymentPrefix + parDeploymentSuffix = $parDeploymentSuffix + parManagementSubscriptionId = $varManagementSubscriptionId + parCustomer = $parParameters.parCustomer.value + parTags = 
Convert-ToHashTable($parParameters.parTags.value) + } + $varLoopCounter = 0; + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeployDashboard = $null + try { + Write-Information ">>> Dashboard deployment started" -InformationAction Continue + + $modDeployDashboard = New-AzManagementGroupDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varDashboardBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $varParams ` + -WarningAction Ignore + + if (!$modDeployDashboard) { + $varRetry = $false + Write-Error "Error while executing dashboard deployment" -ErrorAction Stop + } + if ($modDeployDashboard.ProvisioningState -eq "Failed") { + Write-Error "Error occurred during dashboard deployment." -ErrorAction Stop + } + + Write-Information ">>> Dashboard deployment completed `n" -InformationAction Continue + + if (!$parAttendedLogin) { + Write-Information ">>> Please note: it can take up to 24 hours for the dashboard to reflect the latest data." -InformationAction Continue + } + + return $modDeployDashboard + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + if (!$modDeployDashboard) { + Write-Error ">>> Error occurred during execution . 
Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + else { + $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varManagementGroupDeployment + if ($null -eq $varDeploymentErrorCodes) { + $varRetry = $false + } + else { + $varLoopCounter++ + $varRetry = Confirm-Retry $varDeploymentErrorCodes + if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue + Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry + } + else { + $varRetry = $false + Write-Error ">>> Error occurred in dashboard deployment. Please try after addressing the above error." -ErrorAction Stop + } + } + } + } + } +} diff --git a/orchestration/scripts/New-Platform.ps1 b/orchestration/scripts/New-Platform.ps1 new file mode 100644 index 00000000..d1ac5df7 --- /dev/null +++ b/orchestration/scripts/New-Platform.ps1 
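Review bot: When the catch block in New-Dashboard gets `$null` back from Get-FailedDeploymentErrorCodes it only sets `$varRetry = $false`, so a deployment that reported ProvisioningState Failed leaves the `while` loop without a terminating error and the function returns `$null`; whether that is safe depends on every caller checking the return value, which is not visible here. Raising the same terminating error as the exhausted-retry branch in that case, `if ($null -eq $varDeploymentErrorCodes) { $varRetry = $false; Write-Error ">>> Error occurred in dashboard deployment. Please try after addressing the above error." -ErrorAction Stop }`, makes the failure explicit. The same silent-exit branch appears in New-InstallPolicySets in New-Compliance.ps1, which returns nothing and whose caller does not inspect a result at all.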
@@ -0,0 +1,164 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The powershell script deploys platform as part of SLZ deployment. +#> +param ( + $parAttendedLogin = $true +) +. ".\Invoke-Helper.ps1" + +#variables +$varSovereignPlatformBicepFilePath = '..\sovereignPlatform\sovereignPlatform.bicep' +$varPlatformRequiredParams = @('parDeploymentPrefix', 'parDeploymentLocation', 'parManagementSubscriptionId', 'parIdentitySubscriptionId', 'parConnectivitySubscriptionId') +<# +.Description + Deploys resources and resource groups to subscriptions + Parameters: + parPlatformParametersFilePath -> path to the parameter file containing required parameters to deploy platform + varParameters -> hash table containing parameter name and value + modDeployBootstrapOutputs -> hash table containing parameter outputs from bootstrap deployment +#> +function New-Platform { + param($parPlatformParametersFilePath, $parParameters, $parDeployBootstrapOutputs) + + if (!$parParameters -and !$parDeployBootstrapOutputs) { + $parParameters = Read-ParametersValue($parPlatformParametersFilePath) + Confirm-Parameters($varPlatformRequiredParams) + Get-DonotRetryErrorCodes + } + + if ($parDeployBootstrapOutputs) { + $varConnectivitySubscriptionId = $parDeployBootstrapOutputs.outputs.outConnectivitySubscriptionId.value + $varIdentitySubscriptionId = $parDeployBootstrapOutputs.outputs.outIdentitySubscriptionId.value + $varManagementSubscriptionId = $parDeployBootstrapOutputs.outputs.outManagementSubscriptionId.value + } + else { + $varConnectivitySubscriptionId = $parParameters.parConnectivitySubscriptionId.value + $varIdentitySubscriptionId = $parParameters.parIdentitySubscriptionId.value + $varManagementSubscriptionId = $parParameters.parManagementSubscriptionId.value + } + if ([string]::IsNullOrEmpty($varConnectivitySubscriptionId) -or [string]::IsNullOrEmpty($varIdentitySubscriptionId) -or [string]::IsNullOrEmpty($varManagementSubscriptionId)) { + 
Write-Error "One or more subscription id is missing. Please rerun the deployment." -ErrorAction stop + } + + $modCheckSubscriptionsExistsOutput = Confirm-SubscriptionsExists $varConnectivitySubscriptionId $varManagementSubscriptionId $varIdentitySubscriptionId + if ($modCheckSubscriptionsExistsOutput) { + Write-Information ">>>Subscriptions found" -InformationAction Continue + } + else { + Write-Error "One or more subscription not found. Please rerun the deployment." -ErrorAction stop + } + + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $parDeployBastion = $parParameters.parDeployBastion.value + $varSubnets = Convert-ToArray($parParameters.parCustomSubnets.value) + $varSubnets += Build-SubnetJsonObject("AzureBastionSubnet", $parParameters.parAzureBastionSubnet.value) + $varSubnets += Build-SubnetJsonObject("GatewaySubnet", $parParameters.parGatewaySubnet.value) + $varSubnets += Build-SubnetJsonObject("AzureFirewallSubnet", $parParameters.parAzureFirewallSubnet.value) + + Confirm-BastionRequiredValue $parDeployBastion $varSubnets + $deploymentName = "deploy-platform-$vartimeStamp" + $varParams = @{ + parConnectivitySubscriptionId = $varConnectivitySubscriptionId + parIdentitySubscriptionId = $varIdentitySubscriptionId + parManagementSubscriptionId = $varManagementSubscriptionId + parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + parDeployDdosProtection = $parParameters.parDeployDdosProtection.value + parDeployHubNetwork = $parParameters.parDeployHubNetwork.value + parUsePremiumFirewall = $parParameters.parUsePremiumFirewall.value + parEnableFirewall = $parParameters.parEnableFirewall.value + parLogRetentionInDays = $parParameters.parLogRetentionInDays.value + 
parDeploymentLocation = $parParameters.parDeploymentLocation.value + parHubNetworkAddressPrefix = $parParameters.parHubNetworkAddressPrefix.value + parDeployBastion = $parParameters.parDeployBastion.value + parSubnets = $varSubnets + parExpressGatewaySku = $parParameters.parExpressRouteGatewayConfig.value.sku + parExpressGatewayVpntype = $parParameters.parExpressRouteGatewayConfig.value.vpntype + parExpressGatewayGeneration = $parParameters.parExpressRouteGatewayConfig.value.vpnGatewayGeneration + parExpressGatewayEnableBgp = $parParameters.parExpressRouteGatewayConfig.value.enableBgp + parExpressGatewayActiveActive = $parParameters.parExpressRouteGatewayConfig.value.activeActive + parExpressGatewayEnableBgpRouteTranslationForNat = $parParameters.parExpressRouteGatewayConfig.value.enableBgpRouteTranslationForNat + parExpressGatewayEnableDnsForwarding = $parParameters.parExpressRouteGatewayConfig.value.enableDnsForwarding + parExpressGatewayAsn = [string]::IsNullOrEmpty($parParameters.parExpressRouteGatewayConfig.value.asn) ? 65515 : $parParameters.parExpressRouteGatewayConfig.value.asn + parExpressGatewayBgpPeeringAddress = $parParameters.parExpressRouteGatewayConfig.value.bgpPeeringAddress + parExpressGatewayPeerWeight = [string]::IsNullOrEmpty($parParameters.parExpressRouteGatewayConfig.value.peerWeight) ? 
5 : $parParameters.parExpressRouteGatewayConfig.value.peerWeight + parVpnGatewaySku = $parParameters.parVpnGatewayConfig.value.sku + parVpnGatewayVpntype = $parParameters.parVpnGatewayConfig.value.vpntype + parVpnGatewayGeneration = $parParameters.parVpnGatewayConfig.value.generation + parVpnGatewayEnableBgp = $parParameters.parVpnGatewayConfig.value.enableBgp + parVpnGatewayActiveActive = $parParameters.parVpnGatewayConfig.value.activeActive + parVpnGatewayEnableBgpRouteTranslationForNat = $parParameters.parVpnGatewayConfig.value.enableBgpRouteTranslationForNat + parVpnGatewayEnableDnsForwarding = $parParameters.parVpnGatewayConfig.value.enableDnsForwarding + parVpnGatewayAsn = [string]::IsNullOrEmpty($parParameters.parVpnGatewayConfig.value.asn) ? 65515 : $parParameters.parVpnGatewayConfig.value.asn + parVpnGatewayBgpPeeringAddress = $parParameters.parVpnGatewayConfig.value.bgpPeeringAddress + parVpnGatewayPeerWeight = [string]::IsNullOrEmpty($parParameters.parVpnGatewayConfig.value.peerWeight) ? 
5 : $parParameters.parVpnGatewayConfig.value.peerWeight + parBastionOutboundSshRdpPorts = $parParameters.parBastionOutboundSshRdpPorts.value + parDeployLogAnalyticsWorkspace = $parParameters.parDeployLogAnalyticsWorkspace.value + parTags = Convert-ToHashTable($parParameters.parTags.value) + } + $varLoopCounter = 0; + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeploySovereignPlatform = $null + try { + Write-Information ">>> Platform deployment started" -InformationAction Continue + + $modDeploySovereignPlatform = New-AzManagementGroupDeployment ` + -Name $deploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varSovereignPlatformBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $varParams ` + -WarningAction Ignore + + if (!$modDeploySovereignPlatform) { + $varRetry = $false + Write-Error "Error while executing platform deployment script" -ErrorAction Stop + } + + if ($modDeploySovereignPlatform.ProvisioningState -eq "Failed") { + Write-Error "`n Error while executing platform deployment" -ErrorAction Stop + } + + Write-Information ">>> Platform deployment completed" -InformationAction Continue + # update parameters + Out-DeploymentParameters "platform" $modDeploySovereignPlatform $varManagementGroupId $parParameters + return $modDeploySovereignPlatform + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + if (!$modDeploySovereignPlatform) { + Write-Error ">>> Error occurred during execution . 
Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + else { + $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $deploymentName $varManagementGroupDeployment + if ($null -eq $varDeploymentErrorCodes) { + $varRetry = $false + } + else { + $varLoopCounter++ + $varRetry = Confirm-Retry $varDeploymentErrorCodes + if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue + Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry + } + else { + $varRetry = $false + Write-Error ">>> Error occurred in platform deployment. Please try after addressing the above error." -ErrorAction Stop + } + } + } + } + } +} diff --git a/orchestration/scripts/New-PolicyExemption.ps1 b/orchestration/scripts/New-PolicyExemption.ps1 new file mode 100644 index 00000000..98b6bade --- /dev/null +++ b/orchestration/scripts/New-PolicyExemption.ps1 
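Review bot: The three subnet calls in New-Platform, `$varSubnets += Build-SubnetJsonObject("AzureBastionSubnet", $parParameters.parAzureBastionSubnet.value)` and the Gateway/Firewall ones after it, use C-style call syntax, which in PowerShell passes one two-element array as the first argument; unless Build-SubnetJsonObject (defined in Invoke-Helper.ps1, not visible here) is written to take a single array parameter, the subnet name and its prefix never arrive as separate parameters, and these are exactly the subnets Confirm-BastionRequiredValue checks before the hub network is deployed. The idiomatic form is `$varSubnets += Build-SubnetJsonObject "AzureBastionSubnet" $parParameters.parAzureBastionSubnet.value`. Separately, the catch block's messages embed `\n` inside double-quoted strings, which PowerShell prints literally (the file uses `` `n `` elsewhere), so the exception, ErrorDetails and stack trace are emitted on one line; replacing them with `` `n `` makes the failure output readable.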
@@ -0,0 +1,120 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The powershell script creates policy exemptions. +#> +param ( + $parAttendedLogin = $true +) +. ".\Invoke-Helper.ps1" + +#variables +$varPolicyExemptionRequiredParams = @('parDeploymentPrefix', 'parDeploymentLocation', 'parPolicyExemptions') +$varPolicyExemptionBicepFilePath = '..\policyExemption\policyExemption.bicep' + +<# +.Description + The function call is to create policy exmeptions for the policies that needs to be exempted + Parameters: + parPolicyExemptionParametersFilePath -> path to the parameter file containing required parameters to create policy exemptions + parParameters -> hash table containing parameter name and value +#> +function Invoke-PolicyExemption { + param($parPolicyExemptionParametersFilePath, $parParameters) + + if (!$parParameters) { + $parParameters = Read-ParametersValue($parPolicyExemptionParametersFilePath) + Get-DonotRetryErrorCodes + } + + if (($null -eq $parParameters.parPolicyExemptions.value) -or ($parParameters.parPolicyExemptions.value.count -eq 0)) { + return + } + + Confirm-Parameters($varPolicyExemptionRequiredParams) + $varPolicyExemptions = $parParameters.parPolicyExemptions.value + foreach ($varPolicyExemption in $varPolicyExemptions) { + New-Exemption $varPolicyExemption + } +} + +<# +.Description + deploys Policy Exemptions +#> +function New-Exemption { + param($parPolicyExemption) + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $varParams = @{ + parDeploymentPrefix = $parDeploymentPrefix + parDeploymentSuffix = $parDeploymentSuffix + parPolicyAssignmentName = $parPolicyExemption.parPolicyAssignmentName + parPolicyAssignmentScopeName = $parPolicyExemption.parPolicyAssignmentScopeName + 
parPolicyExemptionName = $parPolicyExemption.parPolicyExemptionName + parPolicyExemptionDisplayName = $parPolicyExemption.parPolicyExemptionDisplayName + parDescription = $parPolicyExemption.parPolicyExemptionDescription + parPolicyExemptionManagementGroup = $parPolicyExemption.parPolicyExemptionManagementGroup + parPolicyDefinitionReferenceIds = $parPolicyExemption.parPolicyDefinitionReferenceIds + } + + $varDeploymentName = "deploy-policyExemptions-$vartimeStamp" + $varLoopCounter = 0; + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeployPolicyExemption = $null + try { + Write-Information ">>> Policy exemption deployment started" -InformationAction Continue + + $modDeployPolicyExemption = New-AzManagementGroupDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varPolicyExemptionBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $varParams ` + -WarningAction Ignore + + if (!$modDeployPolicyExemption) { + Write-Error "`n>>> Error occured in policy exemption" -ErrorAction Stop + } + if ($modDeployPolicyExemption.ProvisioningState -eq "Failed") { + Write-Error "`n Error while executing policy exemption deployment" -ErrorAction Stop + } + + Write-Information ">>> Policy exemption completed" -InformationAction Continue + return + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + if (!$modDeployPolicyExemption) { + Write-Error ">>> Error occurred during execution . 
Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + else { + $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varManagementGroupDeployment + if ($null -eq $varDeploymentErrorCodes) { + $varRetry = $false + } + else { + $varLoopCounter++ + $varRetry = Confirm-Retry $varDeploymentErrorCodes + if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue + Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry + } + else { + $varRetry = $false + Write-Error ">>> Error occurred in policy exemption deployment. Please try after addressing the above error." -ErrorAction Stop + } + } + } + } + } +} diff --git a/orchestration/scripts/New-PolicyRemediation.ps1 b/orchestration/scripts/New-PolicyRemediation.ps1 new file mode 100644 index 00000000..949b9331 --- /dev/null +++ b/orchestration/scripts/New-PolicyRemediation.ps1 
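Review bot: Every exemption iterated by the foreach in Invoke-PolicyExemption is deployed by New-Exemption under the same name, `$varDeploymentName = "deploy-policyExemptions-$vartimeStamp"`, because $vartimeStamp is fixed for the whole run; a second management-group deployment with the same name is treated as a redeployment of the first, so the deployment history keeps only the last exemption and Get-FailedDeploymentErrorCodes in the catch block can read a different exemption's errors. Exemptions weaken the compliance posture, so one auditable deployment record per exemption is worth keeping: include the exemption name, e.g. `$varDeploymentName = "deploy-policyExemptions-$($parPolicyExemption.parPolicyExemptionName)-$vartimeStamp"`, truncated to 64 characters the way New-Remediation does. It would also help to name the target in the start message, e.g. `Write-Information ">>> Policy exemption deployment started: $($parPolicyExemption.parPolicyExemptionName) on assignment $($parPolicyExemption.parPolicyAssignmentName)" -InformationAction Continue`, so the run log records which assignment was exempted and where.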
@@ -0,0 +1,159 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS + The powershell script creates policy remediations. +#> +param ( + $parAttendedLogin = $true +) +. ".\Invoke-Helper.ps1" + +#variables +$varPolicyRemediationRequiredParams = @('parDeploymentPrefix', 'parDeploymentLocation') +$varPolicyRemediationBicepFilePath = '..\policyRemediation\policyRemediation.bicep' + +<# +.Description + The function call is to create policy remediations for the policies that needs to be remediated + Parameters: + parPolicyExemptionParametersFilePath -> path to the parameter file containing required parameters to create policy remediations + parParameters -> hash table containing parameter name and value +#> +function Invoke-PolicyRemediation { + param($parPolicyRemediationParametersFilePath, $parParameters) + + if (!$parParameters) { + $parParameters = Read-ParametersValue $parPolicyRemediationParametersFilePath + Confirm-Parameters $varPolicyRemediationRequiredParams + } + + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + + $varPolicyStateList = Get-AzPolicyState -ManagementGroupName $varManagementGroupId -Filter "(PolicyDefinitionAction eq 'deployifnotexists' or PolicyDefinitionAction eq 'modify') and ComplianceState eq 'NonCompliant'" + + if ( $null -ne $varPolicyStateList) { + $varPolicyCount = $varPolicyStateList.Count + Write-Information ">>> Starting policy remediation deployment" -InformationAction Continue + + $varPolicyCounter = 1 + foreach ($varPolicy in $varPolicyStateList) { + Write-Information "Remediating policy $varPolicyCounter out of $varPolicyCount policies." -InformationAction Continue + $varPolicyCounter++ + New-Remediation $varPolicy + } + } + else { + Write-Information "No policies found for remediation." 
-InformationAction Continue + } +} + +<# +.Description + Deploys Policy Remediation +#> +function New-Remediation { + param($parPolicy) + + $varPolicySetDefinitionName = $parPolicy.policySetDefinitionName + $varGuid = New-Guid + $varDeploymentName = ("$varGuid" + $varPolicySetDefinitionName) + $varDeploymentName = $varDeploymentName.Length -ge 64 ? $varDeploymentName.Substring(0, 64) : $varDeploymentName + $parDeploymentPrefix = $parParameters.parDeploymentPrefix.value + $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value + $varManagementGroupId = "$parDeploymentPrefix$parDeploymentSuffix" + $parDeploymentLocation = $parParameters.parDeploymentLocation.value + $parPolicyAssignmentScope = $parPolicy.policyAssignmentScope + $varPattern = "$([regex]::escape($parDeploymentPrefix))(.*)" + $varRegExResult = $parPolicyAssignmentScope | Select-String -Pattern $varPattern + $parManagementGroupScope = $varRegExResult.Matches[0].Value + $parParams = @{ + parDeploymentPrefix = $parDeploymentPrefix + parDeploymentSuffix = $parDeploymentSuffix + parPolicyRemediationName = "rem-" + $varDeploymentName + parPolicyAssignmentId = $parPolicy.policyAssignmentId + parPolicyDefinitionReferenceId = $parPolicy.policyDefinitionReferenceId + parManagementGroupScope = $parManagementGroupScope + } + + $parInvokePolicyRemediationSync = $parParameters.parInvokePolicyRemediationSync.value + $varRetry = $true + while ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + $modDeployPolicyRemediation = $null + try { + if ($parInvokePolicyRemediationSync) { + $varJob = $modDeployPolicyRemediation = New-AzManagementGroupDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varPolicyRemediationBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $parParams ` + -WarningAction Ignore ` + -AsJob + $varJob | Wait-Job + + + if (!$modDeployPolicyRemediation) { + Write-Error "`n>>> Error occured 
in policy remediation" -ErrorAction Stop + } + + if ($modDeployPolicyRemediation.ProvisioningState -eq "Failed") { + Write-Error "`n Error while executing policy remediation deployment" -ErrorAction Stop + } + + Write-Information ">>> Policy remediation $parRemediationName completed." -InformationAction Continue + return + } + else { + $modDeployPolicyRemediation = New-AzManagementGroupDeployment ` + -Name $varDeploymentName ` + -Location $parDeploymentLocation ` + -TemplateFile $varPolicyRemediationBicepFilePath ` + -ManagementGroupId $varManagementGroupId ` + -TemplateParameterObject $parParams ` + -WarningAction Ignore + + if ($modDeployPolicyRemediation) { + Write-Error "`n>>> Error occured in policy remediation" -ErrorAction Stop + } + if ($modDeployPolicyRemediation.ProvisioningState -eq "Failed") { + Write-Error "`n Error while executing policy remediation deployment" -ErrorAction Stop + } + + Write-Information ">>> Policy remediation $parRemediationName scheduled." -InformationAction Continue + return + } + } + catch { + $varException = $_.Exception + $varErrorDetails = $_.ErrorDetails + $varTrace = $_.ScriptStackTrace + if (!$varRetry) { + Write-Error ">>> Validation error occurred during execution . Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + if (!$modDeployPolicyRemediation) { + Write-Error ">>> Error occurred during execution . 
Please try after addressing the error : $varException \n $varErrorDetails \n $varTrace" -ErrorAction Stop + } + else { + $varDeploymentErrorCodes = Get-FailedDeploymentErrorCodes $varManagementGroupId $varDeploymentName $varManagementGroupDeployment + if ($null -eq $varDeploymentErrorCodes) { + $varRetry = $false + } + else { + $varLoopCounter++ + $varRetry = Confirm-Retry $varDeploymentErrorCodes + if ($varRetry -and $varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { + Write-Information ">>> Retrying deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue + Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry + } + else { + $varRetry = $false + Write-Error ">>> Error occurred in policy remediation deployment. Please try after addressing the above error." -ErrorAction Stop + } + } + } + } + } +} diff --git a/orchestration/scripts/New-SovereignLandingZone.ps1 b/orchestration/scripts/New-SovereignLandingZone.ps1 new file mode 100644 index 00000000..7deb2977 --- /dev/null +++ b/orchestration/scripts/New-SovereignLandingZone.ps1 
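Review bot: In the non-sync branch of New-Remediation the success check is inverted: `if ($modDeployPolicyRemediation) { Write-Error "`n>>> Error occured in policy remediation" -ErrorAction Stop }` throws on every successful deployment (the sync branch and the sibling scripts use `!$modDeployPolicyRemediation`), so the "scheduled" message is never reached and the catch block goes on to Get-FailedDeploymentErrorCodes for a deployment that did not fail. In the sync branch, `$varJob = $modDeployPolicyRemediation = New-AzManagementGroupDeployment ... -AsJob` stores the job object rather than the deployment result, so the `.ProvisioningState -eq "Failed"` test can never fire; `$modDeployPolicyRemediation = $varJob | Wait-Job | Receive-Job` (or simply dropping -AsJob, since the call is waited on immediately) fixes that. Both completion messages reference `$parRemediationName`, which is not assigned anywhere in this file; `$varDeploymentName` is the value that was actually deployed. `$varLoopCounter` is also never initialised here, unlike the other scripts; the retry loop only runs because `$null -lt` a number evaluates true, so add `$varLoopCounter = 0` before the while for consistency.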
@@ -0,0 +1,138 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +<# +.SYNOPSIS +This PowerShell script serves as the overarching script to deploy SLZ either in its entirety or in a piecemeal manner the below individual modules. + +.DESCRIPTION +- Executes the individual modules - bootstrap, platform, compliance, policyexemption, dashboard or all +- bootstrap deploys the management groups and subscriptions +- platform deploys the resource groups in each of the subscriptions along with the networking resources. +- compliance installs the policy sets and assigns them to the individual management groups based on convention +- dashboard deploys the SLZ specific dashboard in the management subscription +- policyexemption exempts the policies defined in parameter parPolicyExemptions. +- policy remediation remediates policies that can be remediated and updates compliance status +#> + +using namespace System.Collections + +param ( + $parDeployment = $(Read-Host -prompt "Please choose the deployment type from - all, bootstrap, platform, compliance, dashboard, policyexemption, policyremediation"), + $parParametersFilePath = ".\parameters\sovereignLandingZone.parameters.json", + $parAttendedLogin = $true +) + +$varDeploy = @("all", "bootstrap", "platform", "compliance", "dashboard", "policyexemption", "policyremediation") +if ($parDeployment -notin $varDeploy) { + Write-Error "Invalid Input. Please choose from the given options" -ErrorAction Stop +} +Write-Information ">>> If you are running this deployment in admin mode and left mouse click in the PowerShell window, a text selection rectangle will appear and deployment will halt. Press the Enter key to continue the deployment." -InformationAction Continue + + +#reference to individual scripts +. ".\Invoke-Helper.ps1" +. ".\New-Bootstrap.ps1" -parAttendedLogin $parAttendedLogin +. ".\New-Platform.ps1" -parAttendedLogin $parAttendedLogin +. 
".\New-PolicyExemption.ps1" -parAttendedLogin $parAttendedLogin +. ".\New-PolicyRemediation.ps1" -parAttendedLogin $parAttendedLogin +. ".\New-Compliance.ps1" -parAttendedLogin $parAttendedLogin +. ".\New-Dashboard.ps1" -parAttendedLogin $parAttendedLogin + +$varAllRequiredParams = @('parDeploymentPrefix', 'parTopLevelManagementGroupName', 'parSubscriptionBillingScope', 'parCustomer', 'parDeploymentLocation', 'parAllowedLocations', 'parAllowedLocationsForConfidentialComputing') + +# Code execution starts here and is the entry point to the function invocations +Get-DonotRetryErrorCodes +$varParameters = Read-ParametersValue($parParametersFilePath) + +if ($parAttendedLogin) { + + $parIsSLZDeployedAtTenantRoot = $true + if ($null -ne $varParameters.parTopLevelManagementGroupParentId.value) { + $parIsSLZDeployedAtTenantRoot = $false + } + + # Confirm Sovereign Landing Zone Prerequisites + Confirm-Prerequisites $parIsSLZDeployedAtTenantRoot +} + +$vartimeStamp = Get-Date -Format "yyyyMMddHHmmss" +$varParameters.add('parDeploymentStartTime', $vartimeStamp) +switch ($parDeployment) { + 'bootstrap' { + Confirm-Parameters($varBootstrapRequiredParams) + $modDeployBootstrap = New-Bootstrap $null $varParameters + if ($modDeployBootstrap) { + Show-ManagementGroupInfo $varParameters + } + + return $modDeployBootstrap + } + + 'platform' { + Confirm-Parameters($varPlatformRequiredParams) + New-Platform $null $varParameters $null + Move-Subscription $varParameters $null + + } + + 'compliance' { + $parDeployAlzDefaultPolicies = $varParameters.parDeployAlzDefaultPolicies.value + if ($parDeployAlzDefaultPolicies) { + $varComplianceRequiredParams = $varComplianceRequiredParams + $varAlzDefaultPolicyRequiredParams + } + Confirm-Parameters($varComplianceRequiredParams) + New-Compliance $null $varParameters $null + } + + 'dashboard' { + Confirm-Parameters($varDashboardRequiredParams) + $modDashboard = New-Dashboard $null $varParameters $null + if ($modDashboard) { + Show-DashboardInfo 
$varParameters $null + } + + return $modDashboard + } + + 'policyexemption' { + #Run policy exemption + Invoke-PolicyExemption $null $varParameters + } + + 'policyremediation' { + Confirm-Parameters($varPolicyRemediationRequiredParams) + Invoke-PolicyRemediation $null $varParameters + } + + 'all' { + #Validate Parameters + Confirm-Parameters($varAllRequiredParams) + + #bootstrap + $modDeployBootstrapOutputs = New-bootstrap $null $varParameters + if (!$modDeployBootstrapOutputs) { + Write-Error "Bootstrap deployment script failed." -ErrorAction Stop + } + + #Platform + $modDeploySovereignPlatformOutputs = New-Platform $null $varParameters $modDeployBootstrapOutputs + if (!$modDeploySovereignPlatformOutputs) { + Write-Error "Platform deployment script failed." -ErrorAction Stop + } + + #Move Subscription + Move-Subscription $varParameters $modDeployBootstrapOutputs + + #Compliance + New-Compliance $null $varParameters $modDeploySovereignPlatformOutputs + + #Dashboard + $modDashboard = New-Dashboard $null $varParameters $modDeployBootstrapOutputs + if (!$modDashboard) { + Write-Error "Dashboard deployment script failed." -ErrorAction Stop + } + + Show-ManagementGroupInfo $varParameters + Show-DashboardInfo $varParameters $modDeployBootstrapOutputs + } +} diff --git a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json new file mode 100644 index 00000000..1324ea34 --- /dev/null +++ b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json 
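Review bot: In the 'all' branch the result of `New-Compliance $null $varParameters $modDeploySovereignPlatformOutputs` is not checked, while the bootstrap, platform and dashboard results are; if the compliance deployment (the policy set assignments) returns nothing, the dashboard is still deployed and the run ends with the success summaries, so a landing zone can be reported as complete without its policies. Guard it like its siblings: `$modCompliance = New-Compliance $null $varParameters $modDeploySovereignPlatformOutputs` followed by `if (!$modCompliance) { Write-Error "Compliance deployment script failed." -ErrorAction Stop }` — this assumes New-Compliance returns its deployment object as the other scripts do; its definition is outside this hunk. Separately, Confirm-Prerequisites runs only when $parAttendedLogin is true, so unattended or pipeline runs skip whatever tenant-root and permission checks it performs and fail mid-deployment instead of up front; if the gate is deliberate (e.g. the check prompts), a comment saying so would help, otherwise consider running it in both modes.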
@@ -0,0 +1,494 @@ +{ + "contentVersion": "1.0.0.0", + "description": "", + "parameters": { + "parDeploymentPrefix": { + "type": "string", + "usedBy": "all, bootstrap, compliance, platform, and dashboard", + "minLength": 2, + "maxLength": 5, + "defaultValue": "mcfs", + "value": null, + "description": "Prefix added to all Azure resources created by the SLZ Preview." + }, + "parTopLevelManagementGroupName": { + "type": "string", + "usedBy": "all and bootstrap", + "defaultValue": "Microsoft Cloud for Sovereignty", + "value": null, + "description": "The name of the top-level management group for the SLZ Preview." + }, + "parDeploymentSuffix": { + "type": "string", + "usedBy": "all, bootstrap, compliance, platform, dashboard", + "maxLength": 5, + "defaultValue": null, + "value": null, + "description": "Optional suffix that will be added to all Azure resources created by the the SLZ Preview. Use a '-' at the start of the suffix value if a dash is needed." + }, + "parTopLevelManagementGroupParentId": { + "type": "string", + "usedBy": "all and bootstrap", + "sampleValue": "/providers/Microsoft.Management/managementGroups/replace_with_parent_management_group_id", + "defaultValue": null, + "value": null, + "description": "Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty (default) will deploy beneath Tenant Root Management Group." + }, + "parSubscriptionBillingScope": { + "type": "string", + "usedBy": "all and bootstrap", + "sampleValue": "Format for EA - /providers/Microsoft.Billing/BillingAccounts/{BillingAccountId}/enrollmentAccounts/{EnrollmentAccountId}", + "defaultValue": null, + "value": null, + "description": "The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in." 
+ }, + "parCustomer": { + "type": "string", + "usedBy": "all and dashboard", + "defaultValue": "Country/Region", + "value": null, + "description": "The name of the organization deploying the SLZ Preview to brand the compliance dashboard appropriately." + }, + "parDeploymentLocation": { + "type": "string", + "usedBy": "all, platform, and dashboard", + "defaultValue": null, + "value": null, + "allowedValues": [ + "australiacentral", + "australiacentral2", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "qatarcentral", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "swedencentral", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "westus3" + ], + "description": "Location used for deploying Azure resources." 
+ }, + "parAllowedLocations": { + "type": "array", + "usedBy": "all and compliance", + "defaultValue": [], + "value": [], + "allowedValues": [ + "australiacentral", + "australiacentral2", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "qatarcentral", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "swedencentral", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "westus3" + ], + "description": "Full list of Azure regions allowed by policy where resources can be deployed that should include at least the parDeploymentLocation." + }, + "parAllowedLocationsForConfidentialComputing": { + "type": "array", + "usedBy": "all and compliance", + "defaultValue": [], + "value": [], + "allowedValues": [ + "australiacentral", + "australiacentral2", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "qatarcentral", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "swedencentral", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "westus3" + ], + "description": "Full list of Azure regions allowed by policy where Confidential computing resources can be deployed. This may be a completely different list from parAllowedLocations." 
+ }, + "parDeployDdosProtection": { + "type": "bool", + "usedBy": "all, platform and compliance", + "defaultValue": true, + "value": null, + "description": "Toggles deployment of Azure DDOS protection. True to deploy, otherwise false." + }, + "parDeployHubNetwork": { + "type": "bool", + "usedBy": "all and platform", + "defaultValue": true, + "value": null, + "description": "Toggles deployment of the hub VNET. True to deploy, otherwise false." + }, + "parEnableFirewall": { + "type": "bool", + "usedBy": "all and platform", + "defaultValue": true, + "value": null, + "description": "Toggles deployment of Azure Firewall. True to deploy, otherwise false." + }, + "parUsePremiumFirewall": { + "type": "bool", + "usedBy": "all and platform", + "defaultValue": true, + "value": null, + "description": "Toggles deployment of the Premium SKU for Azure Firewall and only used if parEnableFirewall is enabled. True to use Premium SKU, otherwise false." + }, + "parHubNetworkAddressPrefix": { + "type": "string", + "usedBy": "all and platform", + "defaultValue": "10.20.0.0/16", + "value": null, + "description": "CIDR range for the hub VNET." + }, + "parAzureBastionSubnet": { + "type": "string", + "usedBy": "all and platform", + "defaultValue": "10.20.15.0/24", + "value": null, + "description": "CIDR range for the Azure Bastion subnet." + }, + "parGatewaySubnet": { + "type": "string", + "usedBy": "all and platform", + "defaultValue": "10.20.252.0/24", + "value": null, + "description": "CIDR range for the Gateway subnet." + }, + "parAzureFirewallSubnet": { + "type": "string", + "usedBy": "all and platform", + "defaultValue": "10.20.254.0/24", + "value": null, + "description": "CIDR range for the Azure Firewall subnet." 
+ }, + "parCustomSubnets": { + "type": "array", + "usedBy": "all and platform", + "sampleValue": [ + { + "name": "CustomSubnet1", + "ipAddressRange": "xx.xx.xx.xx/xx" + }, + { + "name": "CustomSubnet2", + "ipAddressRange": "xxx.xxx.xxx.xxx/xx" + } + ], + "defaultValue": [], + "value": [], + "description": "List of other subnets to deploy on the hub VNET and their CIDR ranges." + }, + "parLogRetentionInDays": { + "type": "int", + "usedBy": "all, compliance, and platform", + "minValue": 30, + "maxValue": 730, + "defaultValue": 365, + "value": null, + "description": "Length of time, in days, to retain log files with usage enforced by ALZ policies." + }, + "parManagementSubscriptionId": { + "type": "string", + "usedBy": "bootstrap, platform and dashboard", + "defaultValue": null, + "value": null, + "description": "Optional management subscription ID when using an existing subscription." + }, + "parIdentitySubscriptionId": { + "type": "string", + "usedBy": "bootstrap and platform", + "defaultValue": null, + "value": null, + "description": "Optional identity subscription ID when using an existing subscription." + }, + "parConnectivitySubscriptionId": { + "type": "string", + "usedBy": "bootstrap and platform", + "defaultValue": null, + "value": null, + "description": "Optional connectivity subscription ID when using an existing subscription." + }, + "parDdosProtectionResourceId": { + "type": "string", + "usedBy": "platform", + "defaultValue": null, + "value": null, + "description": "Optional resource ID for an existing DDoS plan with usage enforced by ALZ policies." + }, + "parLogAnalyticsWorkspaceId": { + "type": "string", + "usedBy": "compliance", + "defaultValue": null, + "value": null, + "description": "Optional resource ID for an existing Log Analytics Workspace with usage enforced by ALZ policies." 
+ }, + "parRequireOwnerRolePermission": { + "type": "bool", + "usedBy": "all and compliance", + "defaultValue": false, + "value": null, + "description": "Set this to true if any policies in the initiative include a modify effect." + }, + "parPolicyExemptions": { + "type": "array of objects", + "usedBy": "policyexemptions", + "valueFormat": [ + { + "parPolicyExemptionManagementGroup": null, + "parPolicyAssignmentName": null, + "parPolicyAssignmentScopeName": null, + "parPolicyDefinitionReferenceIds": [], + "parPolicyExemptionName": null, + "parPolicyExemptionDisplayName": null, + "parPolicyExemptionDescription": null + } + ], + "defaultValue": [], + "value": [], + "description": "Optional list of policy exemptions." + }, + "parExpressRouteGatewayConfig": { + "type": "Object", + "usedBy": "all and platform", + "sampleValue": { + "sku": "standard", + "vpntype": "RouteBased", + "vpnGatewayGeneration": null, + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": 65515, + "bgpPeeringAddress": "", + "peerWeight": 5 + }, + "value": null, + "description": "Optional configuration options for the ExpressRoute Gateway." + }, + "parVpnGatewayConfig": { + "type": "Object", + "usedBy": "all and platform", + "sampleValue": { + "sku": "VpnGw1", + "vpntype": "RouteBased", + "generation": "Generation1", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "asn": 65515, + "bgpPeeringAddress": "", + "peerWeight": 5 + }, + "value": null, + "description": "Optional configuration options for the VPN Gateway." + }, + "parDeployBastion": { + "type": "bool", + "usedBy": "all and platform", + "defaultValue": true, + "value": null, + "description": "Toggles deployment of Azure Bastion. True to deploy, otherwise false." 
+ }, + "parLandingZoneMgChildren": { + "type": "array of objects", + "usedBy": "all and bootstrap", + "sampleValue": [ + { + "id": "MG1", + "displayName": "Child MG 1" + }, + { + "id": "MG2", + "displayName": "Child MG 2" + } + ], + "defaultValue": [], + "value": [], + "description": "Optional array of child management groups to deploy under the SLZ Preview Landing Zones management group." + }, + "parDeployAlzDefaultPolicies": { + "type": "bool", + "usedBy": "all and compliance", + "defaultValue": true, + "value": null, + "description": "Toggles assignment of ALZ policies. True to deploy, otherwise false." + }, + "parAutomationAccountName": { + "type": "string", + "usedBy": "all and compliance", + "defaultValue": null, + "value": null, + "description": "Optional resource name for an existing Azure Automation account with usage enforced by ALZ policies." + }, + "parPrivateDnsResourceGroupId": { + "type": "string", + "usedBy": "all and compliance", + "defaultValue": null, + "value": null, + "description": "Optional resource ID of the Azure Resource Group that contains the Private DNS Zones with usage enforced by ALZ policies." + }, + "parMsDefenderForCloudEmailSecurityContact": { + "type": "string", + "usedBy": "all and compliance", + "defaultValue": null, + "value": null, + "description": "An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to." + }, + "parBastionOutboundSshRdpPorts": { + "type": "array", + "usedBy": "all and platform", + "defaultValue": ["22", "3389"], + "value": [], + "description": "Array of outbound destination ports and ranges for Azure Bastion." + }, + "parInvokePolicyScanSync": { + "type": "bool", + "usedBy": "all and compliance", + "defaultValue": true, + "value": null, + "description": "Toggles executing the policy scan in synchronous mode. True to run policy scan in synchronous mode, False for asynchronous. When set to false, policy remediation needs to be manually triggered once the scan is complete. 
Note that when policy scan is run asynchronously, there isn't a way to track its progress." + }, + "parInvokePolicyRemediationSync": { + "type": "bool", + "usedBy": "all and compliance", + "defaultValue": true, + "value": null, + "description": "Toggles executing the policy scan in synchronous mode. True to run policy remediation in synchronous mode, False for asynchronous." + }, + "parPolicyEffect": { + "type": "string", + "usedBy": "all and compliance", + "defaultValue": "Deny", + "value": null, + "allowedValues": [ + "Audit", + "Deny", + "Disabled", + "DeployIfNotExists", + "Modify", + "Append", + "AuditIfNotExists" + ], + "description": "The policy effect used in all assignments for the Sovereignty Policy Baseline." + }, + "parDeployLogAnalyticsWorkspace": { + "type": "bool", + "usedBy": "all, platform", + "defaultValue": true, + "value": null, + "description": "True to deploy LogAnalyticsWorkspace, otherwise false." + }, + "parCustomerPolicySets": { + "type": "array of objects", + "usedBy": "all and compliance", + "defaultValue": [], + "sampleValue": [ + { + "policySetDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f", + "policySetAssignmentName": "NIST-SP-800-53-Rev.-5", + "policySetAssignmentDisplayName": "NIST 800-53 Initiative", + "policySetAssignmentDescription": "NIST 800-53 Initiative" + } + ], + "value": [], + "description": "Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false." + }, + "parTags": { + "type": "object", + "usedBy": "all, bootstrap, platform, and dashboard", + "sampleValue": { + "tag1": "value1", + "tag2": "value2" + }, + "value": null, + "defaultValue": null, + "description": "Tags that will be assigned to subscription and resources created by this deployment script." + } + } +} diff --git a/orchestration/sovereignPlatform/sovereignPlatform.bicep b/orchestration/sovereignPlatform/sovereignPlatform.bicep new file mode 100644 index 00000000..44aa7f4a 
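Review bot: The description of parCustomerPolicySets, near the end of the hunk, is copied from parDeployLogAnalyticsWorkspace (`"Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false."`) and says nothing about the parameter; replace it with something like `"description": "Optional list of additional policy set definitions to assign, each given as policySetDefinitionId, policySetAssignmentName, policySetAssignmentDisplayName and policySetAssignmentDescription."`. The description of parInvokePolicyRemediationSync likewise opens with "Toggles executing the policy scan in synchronous mode" where policy remediation is meant. parPolicyExemptions carries `"usedBy": "policyexemptions"` while the orchestration script's switch case is the singular `'policyexemption'`; the two should agree so a reader can find the matching -parDeployment value. Since parPolicyEffect defaults to "Deny" but also allows "Audit" and "Disabled", its description would benefit from one sentence stating that those values stop the Sovereignty Policy Baseline from blocking non-compliant deployments, so the consequence of relaxing the default is visible where the value is set.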
--- /dev/null
+++ b/orchestration/sovereignPlatform/sovereignPlatform.bicep
@@ -0,0 +1,454 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY: This is the main file for the deployment of the management group resources. It will deploy the following resources:
+ - Management group resource groups
+ - Management group managed identity
+ - Management group role assignment
+ - Management group logging
+ - Management group hub networking
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('The prefix that will be added to all resources created by this deployment.')
+@minLength(2)
+@maxLength(5)
+param parDeploymentPrefix string
+
+@description('The suffix that will be added to management group suffix name the same way to be added to management group prefix names.')
+@maxLength(5)
+param parDeploymentSuffix string = ''
+
+@description('Deployment location')
+@allowed([
+ 'asia'
+ 'asiapacific'
+ 'australia'
+ 'australiacentral'
+ 'australiacentral2'
+ 'australiaeast'
+ 'australiasoutheast'
+ 'brazil'
+ 'brazilsouth'
+ 'brazilsoutheast'
+ 'canada'
+ 'canadacentral'
+ 'canadaeast'
+ 'centralindia'
+ 'centralus'
+ 'centraluseuap'
+ 'centralusstage'
+ 'eastasia'
+ 'eastasiastage'
+ 'eastus'
+ 'eastus2'
+ 'eastus2euap'
+ 'eastus2stage'
+ 'eastusstage'
+ 'eastusstg'
+ 'europe'
+ 'france'
+ 'francecentral'
+ 'francesouth'
+ 'germany'
+ 'germanynorth'
+ 'germanywestcentral'
+ 'global'
+ 'india'
+ 'japan'
+ 'japaneast'
+ 'japanwest'
+ 'jioindiacentral'
+ 'jioindiawest'
+ 'korea'
+ 'koreacentral'
+ 'koreasouth'
+ 'northcentralus'
+ 'northcentralusstage'
+ 'northeurope'
+ 'norway'
+ 'norwayeast'
+ 'norwaywest'
+ 'qatarcentral'
+ 'singapore'
+ 'southafrica'
+ 'southafricanorth'
+ 'southafricawest'
+ 'southcentralus'
+ 'southcentralusstage'
+ 'southcentralusstg'
+ 'southeastasia'
+ 'southeastasiastage'
+ 'southindia'
+ 'swedencentral'
+ 'switzerland'
+ 'switzerlandnorth'
+ 'switzerlandwest'
+ 'uae'
+ 'uaecentral'
+ 'uaenorth'
+ 'uk'
+ 'uksouth'
+ 'ukwest'
+ 'unitedstates'
+ 'unitedstateseuap'
+ 'westcentralus'
+ 'westeurope'
+ 'westindia'
+ 'westus'
+ 'westus2'
+ 'westus2stage'
+ 'westus3'
+ 'westusstage'
+])
+param parDeploymentLocation string
+
+@description('Set how long logs are retained for, in days. DEFAULT: 365')
+@minValue(30)
+@maxValue(730)
+param parLogRetentionInDays int = 365
+
+@description('Subscription ID for management group.')
+param parManagementSubscriptionId string
+
+@description('Subscription ID for identity group.')
+param parIdentitySubscriptionId string
+
+@description('Subscription ID for connectivity group.')
+param parConnectivitySubscriptionId string
+
+@description('Testing variable, set to false to skip deploying the hub network resources. DEFAULT: true')
+param parDeployHubNetwork bool = true
+
+@description('Set to true to deploy Azure Bastion service, otherwise false. DEFAULT: true')
+param parDeployBastion bool = true
+
+@description('Set to true for DDoS protection, otherwise false. DEFAULT: true')
+param parDeployDdosProtection bool = true
+
+@description('Set to true for premium firewall, otherwise false. DEFAULT: true')
+param parUsePremiumFirewall bool = true
+
+@description('Tags to be added to deployed resources')
+param parTags object = {}
+
+@description('Hub network subnet. DEFAULT: 10.20.0.0/16')
+param parHubNetworkAddressPrefix string = '10.20.0.0/16'
+
+@description('The name and IP address range for each subnet in the virtual networks.')
+param parSubnets array = [
+ {
+ name: 'AzureBastionSubnet'
+ ipAddressRange: '10.20.15.0/24'
+ }
+ {
+ name: 'GatewaySubnet'
+ ipAddressRange: '10.20.252.0/24'
+ }
+ {
+ name: 'AzureFirewallSubnet'
+ ipAddressRange: '10.20.254.0/24'
+ }
+]
+
+@description('The SKU for the Express Route Gateway. Default: standard')
+param parExpressGatewaySku string = 'standard'
+
+@description('Express route gateway vpn type. Default:RouteBased')
+param parExpressGatewayVpntype string = 'RouteBased'
+
+@description('Express route gateway generation. Default:null')
+param parExpressGatewayGeneration string = ''
+
+@description('Express route border gateway protocol. Default: false')
+param parExpressGatewayEnableBgp bool = false
+
+@description('Create highly available active-active gateways. Default: false')
+param parExpressGatewayActiveActive bool = false
+
+@description('Gets or sets enable BGP routes translation for NAT on this gateway. Default:false')
+param parExpressGatewayEnableBgpRouteTranslationForNat bool = false
+
+@description('Configure DNS forwarding for gateway. Default: false')
+param parExpressGatewayEnableDnsForwarding bool = false
+
+@description('Express Gateway ASN. Default: 65515')
+param parExpressGatewayAsn int = 65515
+
+@description('Bgp peer address. Default:""')
+param parExpressGatewayBgpPeeringAddress string = ''
+
+@description('Bgp peer weight. Default:5')
+param parExpressGatewayPeerWeight int = 5
+
+@description('The SKU for the VPN Gateway. Default:VpnGw1')
+param parVpnGatewaySku string = 'VpnGw1'
+
+@description('VPN type. Default: RouteBased')
+param parVpnGatewayVpntype string = 'RouteBased'
+
+@description('VPN gateway generation. Default: Generation1')
+param parVpnGatewayGeneration string = 'Generation1'
+
+@description('VPN gateway border gateway protocol. Default: false')
+param parVpnGatewayEnableBgp bool = false
+
+@description('Create highly available active-active gateways. Default: false')
+param parVpnGatewayActiveActive bool = false
+
+@description('Gets or sets enable BGP routes translation for NAT on this gateway. Default: false')
+param parVpnGatewayEnableBgpRouteTranslationForNat bool = false
+
+@description('Configure DNS forwarding for gateway. Default: false')
+param parVpnGatewayEnableDnsForwarding bool = false
+
+@description('VPN gateway ASN. Default: 65515')
+param parVpnGatewayAsn int = 65515
+
+@description('Bgp peer address. Default: ""')
+param parVpnGatewayBgpPeeringAddress string = ''
+
+@description('Bgp peer weight. Default: 5')
+param parVpnGatewayPeerWeight int = 5
+
+@description('Enable Firewall. Default:True')
+param parEnableFirewall bool = true
+
+@description('Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.')
+param parBastionOutboundSshRdpPorts array = [ '22', '3389' ]
+
+@description('Testing variable, set to false to skip deploying the log analytics workspace. DEFAULT: true')
+param parDeployLogAnalyticsWorkspace bool = true
+
+var varManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}'
+
+// Deploy management group resource groups
+module modManagementResourceGroups '../../modules/resourceGroups/managementResourceGroups.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Management-Resource-Groups${parDeploymentSuffix}', 64)
+ scope: subscription(parManagementSubscriptionId)
+ params: {
+ parTags: parTags
+ parDeploymentLocation: parDeploymentLocation
+ parDeploymentPrefix: parDeploymentPrefix
+ parDeploymentSuffix: parDeploymentSuffix
+ }
+}
+
+// Deploy connectivity resource groups
+module modConnectivityResourceGroups '../../modules/resourceGroups/connectivityResourceGroups.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Connectivity-Resource-Groups${parDeploymentSuffix}', 64)
+ scope: subscription(parConnectivitySubscriptionId)
+ params: {
+ parTags: parTags
+ parDeploymentLocation: parDeploymentLocation
+ parDeploymentPrefix: parDeploymentPrefix
+ parDeploymentSuffix: parDeploymentSuffix
+ }
+}
+
+// Deploy identity resource groups
+module modIdentityResourceGroups '../../modules/resourceGroups/identityResourceGroups.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Identity-Resource-Groups${parDeploymentSuffix}', 64)
+ scope: subscription(parIdentitySubscriptionId)
+ params: {
+ parTags: parTags
+ parDeploymentLocation: parDeploymentLocation
+ parDeploymentPrefix: parDeploymentPrefix
+ parDeploymentSuffix: parDeploymentSuffix
+ }
+}
+
+// Deploy managed identity
+module modManagedIdentity '../../modules/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Managed-Identity${parDeploymentSuffix}', 64)
+ scope: resourceGroup(parIdentitySubscriptionId, '${parDeploymentPrefix}-rg-managed-identities-${parDeploymentLocation}${parDeploymentSuffix}')
+ params: {
+ parLocation: parDeploymentLocation
+ parName: '${parDeploymentPrefix}-managed-identity-${parDeploymentLocation}${parDeploymentSuffix}'
+ parTags: parTags
+ }
+ dependsOn: [
+ modIdentityResourceGroups
+ ]
+}
+
+// Deploy role assignments
+module modRoleAssignmentManagementGroup '../../dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep' = {
+ name: take('${parDeploymentPrefix}-deploy-Role-Assignment-Management-Group${parDeploymentSuffix}', 64)
+ scope: managementGroup(varManagementGroupId)
+ params: {
+ parAssigneeObjectId: modManagedIdentity.outputs.outPrincipalId
+ parAssigneePrincipalType: 'ServicePrincipal'
+ parRoleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ parTelemetryOptOut: true
+ }
+ dependsOn: [
+ modIdentityResourceGroups
+ modManagedIdentity
+ ]
+}
+
+// Deploy logging resources
+module modLogging '../../dependencies/infra-as-code/bicep/modules/logging/logging.bicep' = if (parDeployLogAnalyticsWorkspace) {
+ name: take('${parDeploymentPrefix}-deploy-Logging${parDeploymentSuffix}', 64)
+ scope: resourceGroup(parManagementSubscriptionId, '${parDeploymentPrefix}-rg-logging-${parDeploymentLocation}${parDeploymentSuffix}')
+ params: {
+ parAutomationAccountLocation: parDeploymentLocation
+ parLogAnalyticsWorkspaceLocation: parDeploymentLocation
+ parAutomationAccountName: '${parDeploymentPrefix}-automation-account-${parDeploymentLocation}${parDeploymentSuffix}'
+ parLogAnalyticsWorkspaceLogRetentionInDays: parLogRetentionInDays
+ parLogAnalyticsWorkspaceName: '${parDeploymentPrefix}-log-analytics-${parDeploymentLocation}${parDeploymentSuffix}'
+ parLogAnalyticsWorkspaceSolutions: [
+ 'AgentHealthAssessment'
+ 'AntiMalware'
+ 'ChangeTracking'
+ 'Security'
+ 'SecurityInsights'
+ 'ServiceMap'
+ 'SQLAssessment'
+ 'Updates'
+ 'VMInsights'
+ ]
+ parTags: parTags
+ parTelemetryOptOut: true
+ }
+ dependsOn: [
+ modManagementResourceGroups
+ ]
+}
+
+// Deploy hub networking resources
+module modHubNetworking '../../dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep' = if (parDeployHubNetwork) {
+ name: take('${parDeploymentPrefix}-deploy-Hub-Network${parDeploymentSuffix}', 64)
+ scope: resourceGroup(parConnectivitySubscriptionId, '${parDeploymentPrefix}-rg-hub-network-${parDeploymentLocation}${parDeploymentSuffix}')
+ params: {
+ parAzFirewallEnabled: parEnableFirewall
+ parAzFirewallName: '${parDeploymentPrefix}-afw-${parDeploymentLocation}${parDeploymentSuffix}'
+ parAzFirewallTier: parUsePremiumFirewall ? 'Premium' : 'Standard'
+ parAzBastionEnabled: parDeployBastion
+ parAzBastionName: '${parDeploymentPrefix}-bas-${parDeploymentLocation}${parDeploymentSuffix}'
+ parAzBastionSku: 'Standard'
+ parCompanyPrefix: parDeploymentPrefix
+ parDdosEnabled: parDeployDdosProtection
+ parDdosPlanName: '${parDeploymentPrefix}-ddos-plan-${parDeploymentLocation}${parDeploymentSuffix}'
+ parDisableBgpRoutePropagation: false
+ parAzBastionNsgName: '${parDeploymentPrefix}-nsg-AzureBastionSubnet-${parDeploymentLocation}${parDeploymentSuffix}'
+ parDnsServerIps: []
+ parExpressRouteGatewayConfig: (empty(parExpressGatewaySku) || parExpressGatewaySku == null) ? {} : {
+ name: '${parDeploymentPrefix}-erg-${parDeploymentLocation}${parDeploymentSuffix}'
+ gatewaytype: 'ExpressRoute'
+ sku: parExpressGatewaySku
+ vpntype: parExpressGatewayVpntype
+ vpnGatewayGeneration: parExpressGatewayGeneration
+ enableBgp: parExpressGatewayEnableBgp
+ activeActive: parExpressGatewayActiveActive
+ enableBgpRouteTranslationForNat: parExpressGatewayEnableBgpRouteTranslationForNat
+ enableDnsForwarding: parExpressGatewayEnableDnsForwarding
+ asn: parExpressGatewayAsn
+ bgpPeeringAddress: parExpressGatewayBgpPeeringAddress
+ bgpsettings: {
+ asn: parExpressGatewayAsn
+ bgpPeeringAddress: parExpressGatewayBgpPeeringAddress
+ peerWeight: parExpressGatewayPeerWeight
+ }
+ }
+ parHubNetworkAddressPrefix: parHubNetworkAddressPrefix
+ parHubNetworkName: '${parDeploymentPrefix}-hub-${parDeploymentLocation}${parDeploymentSuffix}'
+ parHubRouteTableName: '${parDeploymentPrefix}-rt-${parDeploymentLocation}${parDeploymentSuffix}'
+ parLocation: parDeploymentLocation
+ parAzFirewallDnsProxyEnabled: true
+ parPrivateDnsZones: [
+ 'privatelink.azure-automation.net'
+ 'privatelink${environment().suffixes.sqlServerHostname}'
+ 'privatelink.sql.azuresynapse.net'
+ 'privatelink.dev.azuresynapse.net'
+ 'privatelink.azuresynapse.net'
+ 'privatelink.blob.${environment().suffixes.storage}'
+ 'privatelink.table.${environment().suffixes.storage}'
+ 'privatelink.queue.${environment().suffixes.storage}'
+ 'privatelink.file.${environment().suffixes.storage}'
+ 'privatelink.web.${environment().suffixes.storage}'
+ 'privatelink.dfs.${environment().suffixes.storage}'
+ 'privatelink.documents.azure.com'
+ 'privatelink.mongo.cosmos.azure.com'
+ 'privatelink.cassandra.cosmos.azure.com'
+ 'privatelink.gremlin.cosmos.azure.com'
+ 'privatelink.table.cosmos.azure.com'
+ 'privatelink.${parDeploymentLocation}.batch.azure.com'
+ 'privatelink.postgres.database.azure.com'
+ 'privatelink.mysql.database.azure.com'
+ 'privatelink.mariadb.database.azure.com'
+ 'privatelink.vaultcore.azure.net'
+ 'privatelink.managedhsm.azure.net'
+ 'privatelink.${parDeploymentLocation}.azmk8s.io'
+ 'privatelink.${parDeploymentLocation}.backup.windowsazure.com'
+ 'privatelink.siterecovery.windowsazure.com'
+ 'privatelink.servicebus.windows.net'
+ 'privatelink.azure-devices.net'
+ 'privatelink.eventgrid.azure.net'
+ 'privatelink.azurewebsites.net'
+ 'privatelink.api.azureml.ms'
+ 'privatelink.notebooks.azure.net'
+ 'privatelink.service.signalr.net'
+ 'privatelink.monitor.azure.com'
+ 'privatelink.oms.opinsights.azure.com'
+ 'privatelink.ods.opinsights.azure.com'
+ 'privatelink.agentsvc.azure-automation.net'
+ 'privatelink.afs.azure.net'
+ 'privatelink.datafactory.azure.net'
+ 'privatelink.adf.azure.com'
+ 'privatelink.redis.cache.windows.net'
+ 'privatelink.redisenterprise.cache.azure.net'
+ 'privatelink.purview.azure.com'
+ 'privatelink.purviewstudio.azure.com'
+ 'privatelink.digitaltwins.azure.net'
+ 'privatelink.azconfig.io'
+ 'privatelink.cognitiveservices.azure.com'
+ 'privatelink${environment().suffixes.acrLoginServer}'
+ 'privatelink.search.windows.net'
+ 'privatelink.azurehdinsight.net'
+ 'privatelink.media.azure.net'
+ 'privatelink.his.arc.azure.com'
+ 'privatelink.guestconfiguration.azure.com'
+ ]
+ parPrivateDnsZonesEnabled: true
+ parPrivateDnsZonesResourceGroup: '${parDeploymentPrefix}-rg-hub-network-${parDeploymentLocation}${parDeploymentSuffix}'
+ parPublicIpSku: 'Standard'
+ parPublicIpSuffix: '-PublicIP${parDeploymentSuffix}'
+ parSubnets: parSubnets
+ parTags: parTags
+ parTelemetryOptOut: true
+ parBastionOutboundSshRdpPorts: parBastionOutboundSshRdpPorts
+ parVpnGatewayConfig: (empty(parVpnGatewaySku) || parVpnGatewaySku == null) ? {} : {
+ name: '${parDeploymentPrefix}-vpng-${parDeploymentLocation}${parDeploymentSuffix}'
+ gatewaytype: 'Vpn'
+ sku: parVpnGatewaySku
+ vpntype: parVpnGatewayVpntype
+ generation: parVpnGatewayGeneration
+ enableBgp: parVpnGatewayEnableBgp
+ activeActive: parVpnGatewayActiveActive
+ enableBgpRouteTranslationForNat: parVpnGatewayEnableBgpRouteTranslationForNat
+ enableDnsForwarding: parVpnGatewayEnableDnsForwarding
+ asn: parVpnGatewayAsn
+ bgpPeeringAddress: parVpnGatewayBgpPeeringAddress
+ bgpsettings: {
+ asn: parVpnGatewayAsn
+ bgpPeeringAddress: parVpnGatewayBgpPeeringAddress
+ peerWeight: parVpnGatewayPeerWeight
+ }
+ }
+ }
+ dependsOn: [
+ modConnectivityResourceGroups
+ ]
+}
+
+output outConnectivitySubscriptionId string = parConnectivitySubscriptionId
+output outDeploymentLocation string = parDeploymentLocation
+output outDeploymentPrefix string = parDeploymentPrefix
+output outDdosProtectionResourceId string = parDeployHubNetwork ? modHubNetworking.outputs.outDdosPlanResourceId : ''
+output outLogAnalyticsWorkspaceId string = modLogging.outputs.outLogAnalyticsWorkspaceId
+output outAutomationAccountName string = modLogging.outputs.outAutomationAccountName
+output outPrivateDNSZones array = parDeployHubNetwork ? modHubNetworking.outputs.outPrivateDnsZones : []
+output outHubVirtualNetworkId string = parDeployHubNetwork ? modHubNetworking.outputs.outHubVirtualNetworkId : ''
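Review bot: The two logging outputs at the end of the hunk, `output outLogAnalyticsWorkspaceId string = modLogging.outputs.outLogAnalyticsWorkspaceId` and `output outAutomationAccountName string = modLogging.outputs.outAutomationAccountName`, dereference a module declared with `if (parDeployLogAnalyticsWorkspace)`, so a deployment with that flag set to false has nothing to resolve them against, while the neighbouring hub-network outputs are correctly guarded with `parDeployHubNetwork ? … : ''`; guard these the same way, `output outLogAnalyticsWorkspaceId string = parDeployLogAnalyticsWorkspace ? modLogging.outputs.outLogAnalyticsWorkspaceId : ''` and likewise for outAutomationAccountName. In modRoleAssignmentManagementGroup the bare GUID passed as parRoleDefinitionId deserves a comment naming the role it grants the managed identity at management-group scope — as far as I can tell it is the built-in Reader role — so a reviewer can confirm the least-privilege intent without looking it up, e.g. `// Built-in Reader role: the managed identity needs read-only access at management-group scope`. The `|| parExpressGatewaySku == null` and `|| parVpnGatewaySku == null` clauses in the two gateway-config ternaries are redundant for string parameters that default to '' and 'VpnGw1', since `empty()` already covers the blank case; dropping them keeps the condition readable.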