diff --git a/docs/07-Deployment-Parameters.md b/docs/07-Deployment-Parameters.md
index 94d05a9d..b51ebb3a 100644
--- a/docs/07-Deployment-Parameters.md
+++ b/docs/07-Deployment-Parameters.md
@@ -54,10 +54,11 @@ This section contains descriptions and accepted values for all parameters within
| 35 | parBastionOutboundSshRdpPorts | Array of outbound destination ports and ranges for Azure Bastion. | An array of values (ports)
e.g.: ["22", "3389"] | all, platform |
| 36 | parInvokePolicyScanSync | Toggles executing the policy scan in synchronous mode. True to run policy scan in synchronous mode, False for asynchronous. When set to false, policy remediation needs to be manually triggered once the scan is complete. Note that when policy scan is run asynchronously, there isn't a way to track its progress. | true; false | all, compliance |
| 37 | parInvokePolicyRemediationSync | Toggles executing the policy scan in synchronous mode. True to run policy remediation in synchronous mode, False for asynchronous. | true; false | all, compliance |
- | 38 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Baseline policy initiatives. | Choose one: "Audit", "Deny", "Disabled" | all, compliance |
- | 39 | parDeployLogAnalyticsWorkspace | Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false. | true; false | all, platform |
- | 40 | parCustomerPolicySets | Customer specified policy assignments to the top-level management group of the SLZ. No parameters are supported as part of the assignment. | Name field can only be a letter, digit, '-', '.' or '_' and cannot have any trailing special character.
See the SLZ parameter file for a sample configuration. | all, compliance |
- | 41 | parTags | Tags that will be assigned to subscription and resources created by this deployment script. | See the SLZ parameter file for a sample configuration. | all, bootstrap, platform, and dashboard |
+ | 38 | parPolicyAssignmentEnforcementMode | The enforcement mode used in all policy and initiative assignments. | Choose one: "Default", "DoNotEnforce" | all, compliance |
+ | 39 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Baseline policy initiatives. | Choose one: "Audit", "Deny", "Disabled" | all, compliance |
+ | 40 | parDeployLogAnalyticsWorkspace | Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false. | true; false | all, platform |
+ | 41 | parCustomerPolicySets | Customer specified policy assignments to the top-level management group of the SLZ. No parameters are supported as part of the assignment. | Name field can only be a letter, digit, '-', '.' or '_' and cannot have any trailing special character.
See the SLZ parameter file for a sample configuration. | all, compliance |
+ | 42 | parTags | Tags that will be assigned to subscription and resources created by this deployment script. | See the SLZ parameter file for a sample configuration. | all, bootstrap, platform, and dashboard |
## Next step
diff --git a/modules/compliance/customCompliance.bicep b/modules/compliance/customCompliance.bicep
index e72ee787..3a385130 100644
--- a/modules/compliance/customCompliance.bicep
+++ b/modules/compliance/customCompliance.bicep
@@ -20,6 +20,9 @@ param parIdentityRoleAssignmentsSubs array
@description('The role definition ids for permissions.')
param parRoleDefinitionIds array
+@description('Enforcement mode for all policy assignments.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
// Managment Groups Varaibles - Used For Policy Assignments
var varManagementGroupIDs = {
intRoot: '${parDeploymentPrefix}${parDeploymentSuffix}'
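Review bot: The new `parPolicyAssignmentEnforcementMode` parameter on L30 accepts any string, so a typo such as 'DoNotEnfore' is only caught when ARM rejects the policy assignment deep inside a nested module; add `@allowed(['Default', 'DoNotEnforce'])` above the `@description` so the value is validated at the template boundary. The description should also spell out the blast radius, since this one value flips every assignment in the module to evaluation-only: `@description('Enforcement mode for all policy assignments. DoNotEnforce keeps compliance evaluation and reporting, but Deny effects no longer block deployments and DeployIfNotExists/Modify effects are not applied on create/update.')`.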
@@ -163,7 +166,7 @@ module modPolicyAssignmentGlobalCustom '../../dependencies/infra-as-code/bicep/m
parPolicyAssignmentDescription: '${varGlobalCustomPolicies.libAssignment.properties.description} ${varGlobalCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varGlobalCustomPolicies.libAssignment.properties.displayName} ${varGlobalCustomPolicies.version}'
parPolicyAssignmentName: take('${varGlobalCustomPolicies.libAssignment.name}${varGlobalCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
parPolicyAssignmentIdentityType: 'SystemAssigned'
@@ -180,7 +183,7 @@ module modPolicyAssignmentDecommissionedCustom '../../dependencies/infra-as-code
parPolicyAssignmentDescription: '${varDecommissionedCustomPolicies.libAssignment.properties.description} ${varDecommissionedCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varDecommissionedCustomPolicies.libAssignment.properties.displayName} ${varDecommissionedCustomPolicies.version}'
parPolicyAssignmentName: take('${varDecommissionedCustomPolicies.libAssignment.name}${varDecommissionedCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
parPolicyAssignmentIdentityType: 'SystemAssigned'
@@ -197,7 +200,7 @@ module modPolicyAssignmentLandingZoneCustom '../../dependencies/infra-as-code/bi
parPolicyAssignmentDescription: '${varLandingZonesPolicies.libAssignment.properties.description} ${varLandingZonesPolicies.version}'
parPolicyAssignmentDisplayName: '${varLandingZonesPolicies.libAssignment.properties.displayName} ${varLandingZonesPolicies.version}'
parPolicyAssignmentName: take('${varLandingZonesPolicies.libAssignment.name}${varLandingZonesPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
parPolicyAssignmentIdentityType: 'SystemAssigned'
@@ -214,7 +217,7 @@ module modPolicyAssignmentConfidentialCorpCustom_Confidential '../../dependencie
parPolicyAssignmentDescription: '${varConfidentialCustomPolicies.libAssignment.properties.description} ${varConfidentialCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varConfidentialCustomPolicies.libAssignment.properties.displayName} ${varConfidentialCustomPolicies.version}'
parPolicyAssignmentName: take('${varConfidentialCustomPolicies.libAssignment.name}${varConfidentialCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -233,7 +236,7 @@ module modPolicyAssignmentConfidentialCorpCustom_Corp '../../dependencies/infra-
parPolicyAssignmentDescription: '${varCorpCustomPolicies.libAssignment.properties.description} ${varCorpCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varCorpCustomPolicies.libAssignment.properties.displayName} ${varCorpCustomPolicies.version}'
parPolicyAssignmentName: take('${varCorpCustomPolicies.libAssignment.name}${varCorpCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -253,7 +256,7 @@ module modPolicyAssignmentConfidentialOnlineCustom_Confidential '../../dependenc
parPolicyAssignmentDescription: '${varConfidentialCustomPolicies.libAssignment.properties.description} ${varConfidentialCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varConfidentialCustomPolicies.libAssignment.properties.displayName} ${varConfidentialCustomPolicies.version}'
parPolicyAssignmentName: take('${varConfidentialCustomPolicies.libAssignment.name}${varConfidentialCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -273,7 +276,7 @@ module modPolicyAssignmentConfidentialOnlineCustom_Online '../../dependencies/in
parPolicyAssignmentDescription: '${varOnlineCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varOnlineCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
parPolicyAssignmentName: take('${varOnlineCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -293,7 +296,7 @@ module modPolicyAssignmentCorpCustom '../../dependencies/infra-as-code/bicep/mod
parPolicyAssignmentDescription: '${varCorpCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varCorpCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
parPolicyAssignmentName: take('${varCorpCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
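Review bot: The Corp custom assignment's name, display name and description on L99-L101 take their version suffix from `varOnlineCustomPolicies.version` while the library assignment they wrap is `varCorpCustomPolicies.libAssignment`; these are unchanged context lines, so presumably a pre-existing copy-paste slip rather than something this commit introduced, but since the block is being edited it is worth correcting, e.g. `parPolicyAssignmentName: take('${varCorpCustomPolicies.libAssignment.name}${varCorpCustomPolicies.version}', 24)` and likewise for the two lines above it. As written, bumping the Corp library version alone leaves this assignment's name and description unchanged. The `modPolicyAssignmentCorpCustom` module block starts and ends outside the hunk.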
@@ -313,7 +316,7 @@ module modPolicyAssignmentOnlineCustom '../../dependencies/infra-as-code/bicep/m
parPolicyAssignmentDescription: '${varOnlineCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varOnlineCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
parPolicyAssignmentName: take('${varOnlineCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -333,7 +336,7 @@ module modPolicyAssignmentPlatformCustom '../../dependencies/infra-as-code/bicep
parPolicyAssignmentDescription: '${varPlatformCustomPolicies.libAssignment.properties.description} ${varPlatformCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varPlatformCustomPolicies.libAssignment.properties.displayName} ${varPlatformCustomPolicies.version}'
parPolicyAssignmentName: take('${varPlatformCustomPolicies.libAssignment.name}${varPlatformCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -353,7 +356,7 @@ module modPolicyAssignmentConnectivityCustom '../../dependencies/infra-as-code/b
parPolicyAssignmentDescription: '${varConnectivityCustomPolicies.libAssignment.properties.description} ${varConnectivityCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varConnectivityCustomPolicies.libAssignment.properties.displayName} ${varConnectivityCustomPolicies.version}'
parPolicyAssignmentName: take('${varConnectivityCustomPolicies.libAssignment.name}${varConnectivityCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -373,7 +376,7 @@ module modPolicyAssignmentIdentityCustom '../../dependencies/infra-as-code/bicep
parPolicyAssignmentDescription: '${varIdentityCustomPolicies.libAssignment.properties.description} ${varIdentityCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varIdentityCustomPolicies.libAssignment.properties.displayName} ${varIdentityCustomPolicies.version}'
parPolicyAssignmentName: take('${varIdentityCustomPolicies.libAssignment.name}${varIdentityCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -393,7 +396,7 @@ module modPolicyAssignmentManagementCustom '../../dependencies/infra-as-code/bic
parPolicyAssignmentDescription: '${varManagementCustomPolicies.libAssignment.properties.description} ${varManagementCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varManagementCustomPolicies.libAssignment.properties.displayName} ${varManagementCustomPolicies.version}'
parPolicyAssignmentName: take('${varManagementCustomPolicies.libAssignment.name}${varManagementCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -413,7 +416,7 @@ module modPolicyAssignmentSandboxCustom '../../dependencies/infra-as-code/bicep/
parPolicyAssignmentDescription: '${varSandboxCustomPolicies.libAssignment.properties.description} ${varSandboxCustomPolicies.version}'
parPolicyAssignmentDisplayName: '${varSandboxCustomPolicies.libAssignment.properties.displayName} ${varSandboxCustomPolicies.version}'
parPolicyAssignmentName: take('${varSandboxCustomPolicies.libAssignment.name}${varSandboxCustomPolicies.version}', 24)
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
diff --git a/modules/compliance/customerPolicySetAssignments.bicep b/modules/compliance/customerPolicySetAssignments.bicep
index c0602ce0..e4bf05b1 100644
--- a/modules/compliance/customerPolicySetAssignments.bicep
+++ b/modules/compliance/customerPolicySetAssignments.bicep
@@ -30,6 +30,9 @@ param parPolicySetAssignmentDisplayName string
@description('descritpion for the policy set assignment')
param parPolicySetAssignmentDescription string
+@description('Enforcement mode for all policy assignments.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
var varRootManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}'
var varRbacRoleDefinitionIds = {
owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
@@ -51,7 +54,7 @@ module modUserPolicyAssignment '../../dependencies/infra-as-code/bicep/modules/p
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
diff --git a/modules/compliance/defaultCompliance.bicep b/modules/compliance/defaultCompliance.bicep
index fa03eafb..61e7b75a 100644
--- a/modules/compliance/defaultCompliance.bicep
+++ b/modules/compliance/defaultCompliance.bicep
@@ -25,6 +25,9 @@ param parTimestamp string = utcNow()
@description('Effect type for all policy definitions')
param parPolicyEffect string = 'Deny'
+@description('Enforcement mode for all policy assignments.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
// **Variables**
// Orchestration Module Variables
var varDeploymentNameWrappers = {
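Review bot: `parPolicyAssignmentEnforcementMode` (L191) now overlaps with `parPolicyEffect` (L189) and nothing says which wins: a deployment with parPolicyEffect 'Deny' and enforcement mode 'DoNotEnforce' ends up reporting-only, which is not obvious from either description. Suggest documenting the precedence on the new parameter, `@description('Enforcement mode for all policy assignments. DoNotEnforce takes precedence over parPolicyEffect at assignment level: policies are still evaluated and reported, but Deny effects do not block deployments.')`, and constraining it with `@allowed(['Default', 'DoNotEnforce'])` so an invalid value fails at template validation rather than inside a nested policy-assignment module.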
@@ -187,7 +190,7 @@ module modPolicyAssignmentSlzGlobalDefaults '../../dependencies/infra-as-code/bi
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -211,7 +214,7 @@ module modPolicyAssignmentSlzDecommissionedDefaults '../../dependencies/infra-as
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -230,7 +233,7 @@ module modPolicyAssignmentSlzLandingZoneDefaults '../../dependencies/infra-as-co
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -257,7 +260,7 @@ module modPolicyAssignmentSlzConfidentialCorpDefaults_Confidential '../../depend
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -280,7 +283,7 @@ module modPolicyAssignmentSlzConfidentialCorpDefaults_Corp '../../dependencies/i
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -307,7 +310,7 @@ module modPolicyAssignmentSlzConfidentialOnlineDefaults_Confidential '../../depe
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -331,7 +334,7 @@ module modPolicyAssignmentSlzConfidentialOnlineDefaults_Online '../../dependenci
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -355,7 +358,7 @@ module modPolicyAssignmentSlzCorpDefaults '../../dependencies/infra-as-code/bice
value: parPolicyEffect
}
}
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -379,7 +382,7 @@ module modPolicyAssignmentSlzOnlineDefaults '../../dependencies/infra-as-code/bi
value: parPolicyEffect
}
}
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -398,7 +401,7 @@ module modPolicyAssignmentSlzPlatformDefaults '../../dependencies/infra-as-code/
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.owner
]
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -414,7 +417,7 @@ module modPolicyAssignmentSlzConnectivityDefaults '../../dependencies/infra-as-c
parPolicyAssignmentDescription: '${varSlzConnectivityDefaults.libAssignment.properties.description} ${varSlzConnectivityDefaults.version}'
parPolicyAssignmentParameters: varSlzConnectivityDefaults.libAssignment.properties.parameters
parPolicyAssignmentIdentityType: 'SystemAssigned'
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.networkContributor
]
@@ -446,7 +449,7 @@ module modPolicyAssignmentIdentityDefaults '../../dependencies/infra-as-code/bic
value: parPolicyEffect
}
}
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -470,7 +473,7 @@ module modPolicyAssignmentSlzManagementDefaults '../../dependencies/infra-as-cod
value: parPolicyEffect
}
}
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
@@ -494,7 +497,7 @@ module modPolicyAssignmentSlzSandboxDefaults '../../dependencies/infra-as-code/b
value: parPolicyEffect
}
}
- parPolicyAssignmentEnforcementMode: 'Default'
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
parTelemetryOptOut: true
}
}
diff --git a/orchestration/customCompliance/customCompliance.bicep b/orchestration/customCompliance/customCompliance.bicep
index b95b0ae7..6f62f764 100644
--- a/orchestration/customCompliance/customCompliance.bicep
+++ b/orchestration/customCompliance/customCompliance.bicep
@@ -24,6 +24,9 @@ param parRequireOwnerRolePermission bool = false
@description('Customer specified policy assignments to the root management group of SLZ. No parameters are supported as part of the assignment. DEFAULT: []')
param parCustomerPolicySets array = []
+@description('Enforcement mode for all policy assignments.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
// RBAC Role Definitions Variables - Used For Policy Assignments
var varRBACRoleDefinitionIDs = {
owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
@@ -43,6 +46,7 @@ module modRegulatoryCompliance '../../modules/compliance/customCompliance.bicep'
parRoleDefinitionIds: [
(parRequireOwnerRolePermission ? varRBACRoleDefinitionIDs.owner : varRBACRoleDefinitionIDs.reader)
]
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
}
}
@@ -56,6 +60,7 @@ module modUserPolicyAssignment '../../modules/compliance/customerPolicySetAssign
parPolicySetAssignmentName: policy.policySetAssignmentName
parPolicySetAssignmentDisplayName: policy.policySetAssignmentDisplayName
parPolicySetAssignmentDescription: policy.policySetAssignmentDescription
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
}
dependsOn: [
modRegulatoryCompliance
diff --git a/orchestration/defaultCompliance/defaultCompliance.bicep b/orchestration/defaultCompliance/defaultCompliance.bicep
index 193f8893..056eaa9d 100644
--- a/orchestration/defaultCompliance/defaultCompliance.bicep
+++ b/orchestration/defaultCompliance/defaultCompliance.bicep
@@ -52,6 +52,9 @@ param parPrivateDnsResourceGroupId string = ''
@description('Effect type for all policy definitions')
param parPolicyEffect string = 'Deny'
+@description('Enforcement mode for all policy assignments.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
var varPolicyAssignmentScopeName = '${parDeploymentPrefix}${parDeploymentSuffix}'
var varPolicyExemptionConfidentialOnlineManagementGroup = '${parDeploymentPrefix}-landingzones-confidential-online${parDeploymentSuffix}'
var varPolicyExemptionConfidentialCorpManagementGroup = '${parDeploymentPrefix}-landingzones-confidential-corp${parDeploymentSuffix}'
@@ -65,6 +68,7 @@ module modRegulatoryCompliance '../../modules/compliance/defaultCompliance.bicep
parAllowedLocations: parAllowedLocations
parAllowedLocationsForConfidentialComputing: parAllowedLocationsForConfidentialComputing
parPolicyEffect: parPolicyEffect
+ parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
}
}
@@ -81,7 +85,7 @@ module modAlzPolicyAssignments '../../dependencies/infra-as-code/bicep/modules/p
parMsDefenderForCloudEmailSecurityContact: parMsDefenderForCloudEmailSecurityContact
parDdosProtectionPlanId: parDdosPlanResourceId
parPrivateDnsResourceGroupId: parPrivateDnsResourceGroupId
- parDisableAlzDefaultPolicies: !parDeployAlzDefaultPolicies
+ parDisableAlzDefaultPolicies: (parPolicyAssignmentEnforcementMode == 'Default') ? false : true
}
dependsOn: [
modRegulatoryCompliance
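Review bot: L375 makes `parDeployAlzDefaultPolicies` dead at this call site: the ALZ default assignments are now disabled purely by enforcement mode, so a caller that sets parDeployAlzDefaultPolicies to false while keeping the default 'Default' mode gets the ALZ policies deployed and enforced anyway, and a caller choosing 'DoNotEnforce' loses the ALZ assignments entirely instead of getting them in evaluation-only mode. Unless that parameter was removed in a hunk not shown here, keep both inputs: `parDisableAlzDefaultPolicies: !parDeployAlzDefaultPolicies || parPolicyAssignmentEnforcementMode != 'Default'`. If the ALZ policy-assignment module exposes its own enforcement-mode input, passing `parPolicyAssignmentEnforcementMode` through would preserve compliance reporting rather than dropping the assignments, but that cannot be confirmed from this diff. The `(x == 'Default') ? false : true` form also reads more simply as `x != 'Default'`. The `modAlzPolicyAssignments` module block starts before and ends after the hunk.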
diff --git a/orchestration/scripts/New-Compliance.ps1 b/orchestration/scripts/New-Compliance.ps1
index 8673f7bf..f15ac153 100644
--- a/orchestration/scripts/New-Compliance.ps1
+++ b/orchestration/scripts/New-Compliance.ps1
@@ -232,10 +232,11 @@ function New-CustomCompliance {
$parDeploymentLocation = $parParameters.parDeploymentLocation.value
$varCustomerPolicySets = Convert-ToArray($parParameters.parCustomerPolicySets.value)
$varParams = @{
- parDeploymentPrefix = $parDeploymentPrefix
- parDeploymentSuffix = $parDeploymentSuffix
- parRequireOwnerRolePermission = $parParameters.parRequireOwnerRolePermission.value
- parCustomerPolicySets = $varCustomerPolicySets
+ parDeploymentPrefix = $parDeploymentPrefix
+ parDeploymentSuffix = $parDeploymentSuffix
+ parRequireOwnerRolePermission = $parParameters.parRequireOwnerRolePermission.value
+ parCustomerPolicySets = $varCustomerPolicySets
+ parPolicyAssignmentEnforcementMode = $parParameters.parPolicyAssignmentEnforcementMode.value
}
$varDeploymentName = "deploy-customcompliance-$vartimeStamp"
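Review bot: `$parParameters.parPolicyAssignmentEnforcementMode.value` on L395 is read unconditionally, so a parameter file written before this key existed yields `$null` without any error and that value is forwarded to the deployment as-is; whether it then resolves to the template default or fails the deployment depends on the parameter loader and Az deployment behaviour, which this diff does not show. If nothing back-fills `defaultValue`, default explicitly in the script, e.g. `$varEnforcementMode = if ($parParameters.parPolicyAssignmentEnforcementMode.value) { $parParameters.parPolicyAssignmentEnforcementMode.value } else { 'Default' }`, and pass `$varEnforcementMode` here and in New-DefaultCompliance (L402). Re-aligning the unchanged assignments on L391-L394 also makes the hunk look larger than the one-line change it is; consider keeping that whitespace change separate.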
@@ -337,6 +338,7 @@ function New-DefaultCompliance {
parLogAnalyticsWorkspaceLogRetentionInDays = ($parParameters.parLogRetentionInDays.value).ToString()
parMsDefenderForCloudEmailSecurityContact = $parParameters.parMsDefenderForCloudEmailSecurityContact.value
parPolicyEffect = $parParameters.parPolicyEffect.value
+ parPolicyAssignmentEnforcementMode = $parParameters.parPolicyAssignmentEnforcementMode.value
}
$varDeploymentName = "deploy-defaultcompliance-$vartimeStamp"
diff --git a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json
index b5daefe2..eebed5d2 100644
--- a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json
+++ b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json
@@ -489,6 +489,17 @@
"value": null,
"description": "Toggles executing the policy scan in synchronous mode. True to run policy remediation in synchronous mode, False for asynchronous."
},
+ "parPolicyAssignmentEnforcementMode": {
+ "type": "string",
+ "usedBy": "all and compliance",
+ "defaultValue": "Default",
+ "value": null,
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "description": "The enforcement mode used in all policy and initiative assignments."
+ },
"parPolicyEffect": {
"type": "string",
"usedBy": "all and compliance",
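Review bot: The description on L422 says what the parameter is but not what choosing 'DoNotEnforce' does to the sovereignty baseline, which matters because this is the user-facing knob that turns every Deny assignment into reporting-only. Suggest: `"description": "The enforcement mode used in all policy and initiative assignments. Default enforces policy effects; DoNotEnforce still evaluates and reports compliance but Deny effects no longer block deployments and DeployIfNotExists/Modify effects are not applied on create/update."`. The parPolicyEffect entry that follows should arguably cross-reference it, since the two settings interact.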