From e0a57e1a868499183777f3208aeddd4476f61080 Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Wed, 22 Apr 2026 08:38:03 +0100 Subject: [PATCH 1/2] Manual private endpoint approval creates DNS record after approval --- .../Deploy-Private-DNS-Generic.json | 52 +++++++++++++------ 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json index 5697371cde..4646119830 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json @@ -9,7 +9,7 @@ "displayName": "Deploy-Private-DNS-Generic", "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Networking", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -84,22 +84,44 @@ "equals": "Microsoft.Network/privateEndpoints" }, { - "count": { - "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]", - "where": { - "allOf": [ - { - "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", - "contains": "[[parameters('resourceType')]" - }, - { - "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", - "equals": "[[parameters('groupId')]" + "anyOf": [ + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", + "contains": "[[parameters('resourceType')]" + }, + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "[[parameters('groupId')]" + } + ] } - ] + }, + "greaterOrEquals": 1 + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*].privateLinkServiceId", + "contains": "[[parameters('resourceType')]" + }, + { + "field": "Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*].groupIds[*]", + "equals": "[[parameters('groupId')]" + } + ] + } + }, + "greaterOrEquals": 1 } - }, - "greaterOrEquals": 1 + ] } ] }, From 4e5b777ae2c0c1a22dfd0e48c4a048641d03722f Mon Sep 17 00:00:00 2001 From: Tim Jacomb Date: Wed, 29 Apr 2026 09:31:23 +0100 Subject: [PATCH 2/2] Run bicep build --- .../managementGroupTemplates/policyDefinitions/policies.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index f59ddea3e8..def6e72942 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.42.1.51946", - "templateHash": "11962561797361836653" + "templateHash": "11314703324456671142" } }, "parameters": { @@ -114,7 +114,7 @@ "$fxv#13": "{\n \"name\": \"Deny-AppServiceFunctionApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Function App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"functionapp*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#130": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#131": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", - "$fxv#132": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"northeurope\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#132": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"northeurope\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"anyOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/manualPrivateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#133": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#134": "{\n \"name\": \"Audit-AKS-kubenet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"Detect AKS clusters using kubenet network plugin\",\n \"description\": \"Detects Azure Kubernetes Service (AKS) clusters that are configured to use the 'kubenet' network plugin that will be deprecated 31 March 2028. For more information review https://learn.microsoft.com/en-us/azure/aks/configure-kubenet\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"metadata\": {\n \"category\": \"Kubernetes\",\n \"version\": \"1.0.0\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerService/managedClusters\"\n },\n {\n \"field\": \"Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin\",\n \"equals\": \"kubenet\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#135": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n",