From d40880afdb44ca4e95e0e21b6d0af9711807e754 Mon Sep 17 00:00:00 2001 
From: Kristian Nese Date: Sun, 19 Mar 2023 19:28:35 +0100 Subject: [PATCH 1/3] param update for scopes --- .../Centralized-LoggingPolicyAssignment.json | 4 + .../Compliant-ApimPolicyAssignment.json | 4 + .../Compliant-AppServicePolicyAssignment.json | 4 + .../Compliant-AutomationPolicyAssignment.json | 4 + .../Compliant-BackupPolicyAssignment.json | 4 + .../Compliant-ComputePolicyAssignment.json | 4 + ...mpliant-ContainerAppsPolicyAssignment.json | 4 + ...ant-ContainerInstancePolicyAssignment.json | 4 + ...ant-ContainerRegistryPolicyAssignment.json | 4 + .../Compliant-CorpLzPolicyAssignment.json | 4 + .../Compliant-CosmosDbPolicyAssignment.json | 4 + ...ompliant-DataExplorerPolicyAssignment.json | 4 + ...Compliant-DataFactoryPolicyAssignment.json | 4 + .../Compliant-EventGridPolicyAssignment.json | 4 + .../Compliant-EventHubPolicyAssignment.json | 4 + .../Compliant-KeyVaultPolicyAssignment.json | 4 + .../Compliant-KubernetesPolicyAssignment.json | 4 + ...liant-MachineLearningPolicyAssignment.json | 4 + .../Compliant-NetworkPolicyAssignment.json | 4 + .../Compliant-OpenAiPolicyAssignment.json | 4 + ...liant-PlatformNetworkPolicyAssignment.json | 4 + .../Compliant-PostgreSQLPolicyAssignment.json | 4 + .../Compliant-SQLPolicyAssignment.json | 4 + .../Compliant-ServiceBusPolicyAssignment.json | 4 + .../Compliant-StoragePolicyAssignment.json | 4 + .../Compliant-SynapsePolicyAssignment.json | 4 + ...pliant-VirtualDesktopPolicyAssignment.json | 4 + ...ENY-AksPrivEscalationPolicyAssignment.json | 43 - .../DENY-AksPrivilegedPolicyAssignment.json | 43 - .../DENY-AksWithoutHttpsPolicyAssignment.json | 43 - ...Y-AppGwWithoutFwRulesPolicyAssignment.json | 43 - .../DENY-AppGwWithoutWAFPolicyAssignment.json | 43 - ...-DINE-APPEND-TLS-SSL-PolicyAssignment.json | 66 -- ...ENY-DatabricksClusterPolicyAssignment.json | 43 - .../DENY-DatabricksPipPolicyAssignment.json | 47 -- .../DENY-DatabricksSkuPolicyAssignment.json | 49 -- ...Y-FdWithoutManagedWafPolicyAssignment.json | 43 - 
.../DENY-IPForwardingPolicyAssignment.json | 38 - ...Y-OpenAiWithLocalAuthPolicyAssignment.json | 43 - .../DENY-OpenAiWithoutMiPolicyAssignment.json | 43 - .../DENY-PaaSWithoutCMK.json | 164 ---- .../DENY-PublicEndpointPolicyAssignment.json | 189 ----- .../DENY-PublicIpAddressPolicyAssignment.json | 4 + .../DENY-RDPFromInternetPolicyAssignment.json | 4 + .../DENY-RegionsPolicyAssignment.json | 6 +- .../DENY-ResourcesPolicyAssignment.json | 6 +- .../DENY-RgRegionsPolicyAssignment.json | 6 +- .../DENY-SSHFromInternetPolicyAssignment.json | 4 + ...Y-StorageWithoutHttpsPolicyAssignment.json | 43 - ...DENY-SubnetWithoutNsgPolicyAssignment.json | 4 + .../DENY-VNetPeeringPolicyAssignment.json | 4 + .../DINE-ASBPolicyAssignment.json | 4 + .../DINE-ASCConfigPolicyAssignment.json | 4 + .../DINE-ActivityLogPolicyAssignment.json | 4 + .../DINE-AksPolicyPolicyAssignment.json | 65 -- .../DINE-BudgetPolicyAssignment.json | 27 +- .../DINE-DefenderForVms.json | 4 + .../DINE-LogAnalyticsPolicyAssignment.json | 4 + .../DINE-NSGFlowLogsPolicyAssignment.json | 4 + .../DINE-PrivateDNSZonesPolicyAssignment.json | 167 ---- ...E-ResourceDiagnosticsPolicyAssignment.json | 65 -- .../DINE-SQLAuditingPolicyAssignment.json | 65 -- .../DINE-SQLEncryptionPolicyAssignment.json | 66 -- .../DINE-VMMonitoringPolicyAssignment.json | 78 -- .../DINE-VMSSMonitoringPolicyAssignment.json | 77 -- .../MODIFY-DDoSPolicyAssignment.json | 79 -- ...entralized-LoggingPolicySetDefinition.json | 14 +- ...iant-APIManagementPolicySetDefinition.json | 2 + ...pliant-AppServicesPolicySetDefinition.json | 2 + ...mpliant-AutomationPolicySetDefinition.json | 2 + .../Compliant-BackupPolicySetDefinition.json | 2 + .../Compliant-ComputePolicySetDefinition.json | 2 + ...iant-ContainerAppsPolicySetDefinition.json | 2 + ...-ContainerInstancePolicySetDefinition.json | 2 + ...-ContainerRegistryPolicySetDefinition.json | 2 + .../Compliant-CorpLzPolicySetDefinition.json | 2 + ...Compliant-CosmosDbPolicySetDefinition.json | 2 + 
...liant-DataExplorerPolicySetDefinition.json | 2 + ...pliant-DataFactoryPolicySetDefinition.json | 2 + ...ompliant-EventGridPolicySetDefinition.json | 2 + ...Compliant-EventHubPolicySetDefinition.json | 2 + ...Compliant-KeyVaultPolicySetDefinition.json | 2 + ...mpliant-KubernetesPolicySetDefinition.json | 2 + ...nt-MachineLearningPolicySetDefinition.json | 2 + .../Compliant-MySQLPolicySetDefinition.json | 2 + .../Compliant-NetworkPolicySetDefinition.json | 2 + .../Compliant-OpenAiPolicySetDefinition.json | 2 + ...mpliant-PostgreSQLPolicySetDefinition.json | 2 + .../Compliant-SQLPolicySetDefinition.json | 2 + ...mpliant-ServiceBusPolicySetDefinition.json | 2 + .../Compliant-StoragePolicySetDefinition.json | 2 + .../Compliant-SynapsePolicySetDefinition.json | 2 + ...ant-VirtualDesktopPolicySetDefinition.json | 2 + ...ENY-PaaSWithoutCMKPolicySetDefinition.json | 538 ------------ ...NY-PublicEndpointsPolicySetDefinition.json | 587 ------------- ...NE-PrivateDNSZonesPolicySetDefinition.json | 448 ---------- .../policyDefinitions/dataPolicies.json | 791 ------------------ .../policyDefinitions/policies.json | 9 +- .../EXEMPT-NSGFlowLogStAcc.json | 4 + .../Custom-RBACDefinitions.json | 4 + .../referenceImplementations/fsiPortalV2.json | 1 - .../industryArmV2.json | 488 ++++++----- 102 files changed, 530 insertions(+), 4248 deletions(-) delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutFwRulesPolicyAssignment.json delete mode 100644 
foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutWAFPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksClusterPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-FdWithoutManagedWafPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithLocalAuthPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithoutMiPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PaaSWithoutCMK.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json delete mode 100644 
foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PaaSWithoutCMKPolicySetDefinition.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PublicEndpointsPolicySetDefinition.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json delete mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/dataPolicies.json
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Centralized-LoggingPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Centralized-LoggingPolicyAssignment.json
index 2102e58d..210ff7c6 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Centralized-LoggingPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Centralized-LoggingPolicyAssignment.json
@@ -54,6 +54,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -71,6 +74,7 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').logging]",
+ "scope": "[parameters('scope')]",
  "location": "[deployment().location]",
  "identity": {
  "type": "UserAssigned",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json
index 4dc42777..042dff4c 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -47,6 +50,7 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').apim]",
+ "scope": "[parameters('scope')]",
  "location": "[deployment().location]",
  "identity": {
  "type": "UserAssigned",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
index 2a471dc4..6dfadd48 100644
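Review bot: The new `scope` parameter in the `@@ -54,6 +54,9 @@` hunk has no `metadata.description`, no `defaultValue` and no constraint, yet the second hunk makes it decide where every assignment in this template is created; a caller passing a wrong but well-formed value silently moves the guardrail to another scope instead of failing the deployment. Add a description stating the expected form of the value, e.g. `"metadata": { "description": "Scope (presumably a management group resource ID) at which the policy assignment is created; the deploying identity must have policy-assignment rights there." }`, and consider `minLength` so an empty string is rejected up front. The same applies to the `scope` parameter hunk in every other *PolicyAssignment.json file this patch touches (Compliant-Apim through Compliant-VirtualDesktop). Separately, the added `"scope"` property is placed before `"location"` in Centralized-Logging, Apim and AppService but after it in the remaining files; key order is insignificant to ARM, but aligning it keeps the templates diffable against each other.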
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
@@ -42,6 +42,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -59,6 +62,7 @@
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').appService]",
+ "scope": "[parameters('scope')]",
  "location": "[deployment().location]",
  "identity": {
  "type": "UserAssigned",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json
index 9abdecb6..046e7171 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json
@@ -32,6 +32,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -50,6 +53,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').aa]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
index 4f3daa13..ee0c6629 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
@@ -22,6 +22,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -40,6 +43,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').backup]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
index 0c7c897f..e874a3b5 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
@@ -18,6 +18,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -36,6 +39,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').compute]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
index 152639e1..146aadea 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
@@ -18,6 +18,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -36,6 +39,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').con]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json
index 3c6f29ee..0de03c98 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json
@@ -18,6 +18,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -36,6 +39,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').con]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
index 370053c9..ad41a266 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -48,6 +51,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').con]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
index 09e37a1f..d121d1c2 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
@@ -284,6 +284,9 @@
  "userAssignedIdentityResourceId": {
  "type": "string",
  "defaultValue": ""
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -302,6 +305,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').corpLz]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json
index 7dabafb0..1a01e5e0 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -48,6 +51,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').cosmos]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json
index 0862ebf0..0a7794a0 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -48,6 +51,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').ade]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json
index 6dd90947..99694296 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -48,6 +51,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').adf]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json
index 12581e69..1d22b6a0 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json
@@ -51,6 +51,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -69,6 +72,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').eg]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json
index 13cbd8d4..637b446e 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -48,6 +51,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').eh]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json
index edd6fe08..46924eaa 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json
@@ -43,6 +43,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -61,6 +64,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').keyVault]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json
index 80545e82..e52c9740 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json
@@ -41,6 +41,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -59,6 +62,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').aks]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json
index ed3e0c31..026ea6dc 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json
@@ -29,6 +29,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -47,6 +50,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').ml]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json
index 3c4c196d..cd554ab2 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json
@@ -154,6 +154,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -172,6 +175,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').nw]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
index 4dca0ab0..775a036f 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
@@ -26,6 +26,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -44,6 +47,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').openAi]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PlatformNetworkPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PlatformNetworkPolicyAssignment.json
index 3c4c196d..cd554ab2 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PlatformNetworkPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PlatformNetworkPolicyAssignment.json
@@ -154,6 +154,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -172,6 +175,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').nw]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json
index a44edc29..800d577e 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -48,6 +51,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').postgre]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json
index b8ec96d7..14dbe1b4 100644
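Review bot: Compliant-PlatformNetworkPolicyAssignment.json (hunks `@@ -154,6 +154,9 @@` and `@@ -172,6 +175,7 @@` above) carries the same blob hashes on both sides as Compliant-NetworkPolicyAssignment.json (`index 3c4c196d..cd554ab2` in both file headers) and its hunks are line-for-line identical, down to the assignment name `"[variables('policyAssignmentNames').nw]"`; the platform copy appears to be a byte-identical duplicate rather than a platform-specific variant. With the target now driven by the `scope` parameter, deploying both templates to the same scope would presumably make the second deployment overwrite the first assignment instead of adding one, which is easy to miss because the deployment still succeeds. Either give the platform variant its own assignment name (and its own policy-set reference, if one is intended) or drop the duplicate file. The parts of the two templates that differ, if any, are outside these hunks.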
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json
@@ -62,6 +62,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -80,6 +83,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').sql]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json
index b2610d00..8bcfb8d4 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json
@@ -30,6 +30,9 @@
  },
  "userAssignedIdentityResourceId": {
  "type": "string"
+ },
+ "scope": {
+ "type": "string"
  }
  },
  "variables": {
@@ -48,6 +51,7 @@
  "apiVersion": "2022-06-01",
  "name": "[variables('policyAssignmentNames').sb]",
  "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
  "identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json
index 9588dca3..37bb994d 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json
@@ -70,6 +70,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -88,6 +91,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').storage]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json
index 0bcbfb6f..78e3e668 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json
@@ -30,6 +30,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -48,6 +51,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').synapse]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json
index c8c1480b..be1d1b4d 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json
@@ -58,6 +58,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -76,6 +79,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').avd]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
deleted file mode 100644
index f3e13e07..00000000
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
+++ /dev/null
@@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99" - }, - "policyAssignmentNames": { - "denyAksNoPrivEsc": "Deny-Priv-Esc-AKS", - "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.", - "displayName": "Kubernetes clusters should not allow container privilege escalation" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyAksNoPrivEsc]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json deleted file mode 100644 index 033f6bdc..00000000 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4" - }, - "policyAssignmentNames": { - "denyAksPriv": "Deny-Privileged-AKS", - "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.", - "displayName": "Kubernetes cluster should not allow privileged containers" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyAksPriv]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json deleted file mode 100644 index 90d9ea40..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d" - }, - "policyAssignmentNames": { - "denyHttpIngressAks": "Enforce-AKS-HTTPS", - "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc", - "displayName": "Kubernetes clusters should be accessible only over HTTPS" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyHttpIngressAks]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyHttpIngressAks]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutFwRulesPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutFwRulesPolicyAssignment.json deleted file mode 100644 index 6d6d1e9a..00000000 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutFwRulesPolicyAssignment.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyWafFwPolicy": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d" - }, - "policyAssignmentNames": { - "denyWafFwPolicy": "Deny-WAF-FW-Policy", - "description": "Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag", - "displayName": "Web Application Firewall (WAF) should enable all firewall rules for Application Gateway" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyWafFwPolicy]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyWafFwPolicy]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutWAFPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutWAFPolicyAssignment.json deleted file mode 100644 index bbb4afb8..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutWAFPolicyAssignment.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyWafGwPolicy": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66" - }, - "policyAssignmentNames": { - "denyWafGwPolicy": "Deny-WAF-GW-Policy", - "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.", - "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyWafGwPolicy]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyWafGwPolicy]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json deleted file mode 100644 index afad2d04..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit')]" - }, - "policyAssignmentNames": { - "deployEncryptionInTransit": "Enforce-TLS-SSL", - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", - "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployEncryptionInTransit": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').deployEncryptionInTransit))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').deployEncryptionInTransit]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').deployEncryptionInTransit]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": {} - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployEncryptionInTransit]", - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').deployEncryptionInTransit)]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployEncryptionInTransit), '2019-09-01', 'Full' ).identity.principalId)]" - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksClusterPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksClusterPolicyAssignment.json deleted file mode 100644 index 767bfdf1..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksClusterPolicyAssignment.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyDatabricksCluster": "/providers/Microsoft.Authorization/policyDefinitions/51c1490f-3319-459c-bbbc-7f391bbed753" - }, - "policyAssignmentNames": { - "denyDatabricksCluster": "Deny-DataB-Cluster-Pip", - "description": "Clusters part of Azure Databricks Workspaces should have public IP disabled. Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the resource isn't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity.", - "displayName": "Clusters that are part of Azure Databricks Workspaces should disable public IP" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyDatabricksCluster]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyDatabricksCluster]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json deleted file mode 100644 index 7b1e8ec1..00000000 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - }, - "effect": { - "type": "string", - "defaultValue": "Deny" - } - }, - "variables": { - "policyDefinitions": { - "denyDatabricksPip": "/providers/Microsoft.Authorization/policyDefinitions/0e7849de-b939-4c50-ab48-fc6b0f5eeba2" - }, - "policyAssignmentNames": { - "denyDatabricksPip": "Deny-DataB-Pip", - "description": "Azure Databricks Workspaces should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead.", - "displayName": "Azure Databricks Workspaces should disable public network access" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyDatabricksPip]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyDatabricksPip]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "[parameters('effect')]" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json deleted file mode 100644 index 22d3ec33..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyDatabricksSku": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku')]" - }, - "policyAssignmentNames": { - "denyDatabricksSku": "Deny-DataB-Sku", - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", - "displayName": "Enforces the use of Premium Databricks workspaces" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyDatabricksSku]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyDatabricksSku]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-FdWithoutManagedWafPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-FdWithoutManagedWafPolicyAssignment.json deleted file mode 100644 index c35d8aaa..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-FdWithoutManagedWafPolicyAssignment.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyFdWaf": "/providers/Microsoft.Authorization/policyDefinitions/dfc212af-17ea-423a-9dcb-91e2cb2caa6b" - }, - "policyAssignmentNames": { - "denyFdWaf": "Deny-FD-WAF-Policy", - "description": "Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins.", - "displayName": "Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyFdWaf]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyFdWaf]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json deleted file mode 100644 index 7d0acb83..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900" - }, - "policyAssignmentNames": { - "denyIpForwarding": "Deny-IP-forwarding", - "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.", - "displayName": "Network interfaces should disable IP forwarding" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyIpForwarding]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "enforcementMode": "[parameters('enforcementMode')]", - "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]" - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithLocalAuthPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithLocalAuthPolicyAssignment.json deleted file mode 100644 index 49b2f4bd..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithLocalAuthPolicyAssignment.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyOpenAiAuthPolicy": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc" - }, - "policyAssignmentNames": { - "denyOpenAiAuthPolicy": "Deny-OpenAI-Auth", - "description": "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.", - "displayName": "Cognitive Services accounts should have local authentication methods disabled" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyOpenAiAuthPolicy]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyOpenAiAuthPolicy]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithoutMiPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithoutMiPolicyAssignment.json deleted file mode 100644 index 057e2e1d..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithoutMiPolicyAssignment.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyOpenAiMiPolicy": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418" - }, - "policyAssignmentNames": { - "denyOpenAiMiPolicy": "Deny-OpenAI-woMi", - "description": "Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials.", - "displayName": "Cognitive Services accounts should use a managed identity" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyOpenAiMiPolicy]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyOpenAiMiPolicy]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PaaSWithoutCMK.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PaaSWithoutCMK.json deleted file mode 100644 index 1eaa6922..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PaaSWithoutCMK.json +++ /dev/null 
@@ -1,164 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - }, - "genericNonComplianceMessages": { - "type": "string", - "metadata": { - "description": "Provide a message to be displayed when a policy is non-compliant." - }, - "defaultValue": "You are trying to deploy or modify an Azure PaaS resource without using a customer-managed key, which is not permitted. Please use a customer-managed key instead." - } - }, - "variables": { - "policyDefinitions": { - "denyPaaSwithoutCmk": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deny-Paas-Without-CMK')]" - }, - "policyAssignmentNames": { - "denyPaaSwithoutCmk": "Deny-PaaS-without-CMK", - "displayName": "Prevent usage of Azure PaaS services without customer-managed keys", - "description": "This policy initiative is a group of built-in policies that prevents deployment of Azure PaaS services without customer-managed keys." 
- } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('policyAssignmentNames').denyPaaSwithoutCmk]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyPaaSwithoutCmk]", - "enforcementMode": "[parameters('enforcementMode')]", - "nonComplianceMessages": [ - { // General compliance message for all Azure PaaS services subject to publid endpoint posture, when updating the policy initiative and assignemnt - "message": "[parameters('genericNonComplianceMessages')]" - } - ], - "parameters": { - "azureSqlEffect": { - "value": "Deny" - }, - "aciEffect": { - "value": "Deny" - }, - "videoAnalyzerEffect": { - "value": "Deny" - }, - "azMonClusterEffect": { - "value": "Deny" - }, - "cosmosDbEffect": { - "value": "Deny" - }, - "laIseEffect": { - "value": "Deny" - }, - "iotHubEffect": { - "value": "Deny" - }, - "asrEffect": { - "value": "Deny" - }, - "iotHubDeviceEffect": { - "value": "Deny" - }, - "adfEffect": { - "value": "Deny" - }, - "botEffect": { - "value": "Deny" - }, - "aaEffect": { - "value": "Deny" - }, - "containerRegistriesEffect": { - "value": "Deny" - }, - "hdInsightsEffect": { - "value": "Deny" - }, - "loadTestingEffect": { - "value": "Deny" - }, - "cognitiveServicesEffect": { - "value": "Deny" - }, - "osDataDiskEffect": { - "value": "Deny" - }, - "cognitiveSearchEffect": { - "value": "Deny" - }, - "tableStorageEffect": { - "value": "Deny" - }, - "aksDisksEffect": { - "value": "Deny" - }, - "dataExplorerEffect": { - "value": "Deny" - }, - "dataBoxEffect": { - "value": "Deny" - }, - "streamAnEffect": { - "value": "Deny" - }, - "mediaEffect": { - "value": "Deny" - }, - "logSearchEffect": { - "value": "Deny" - }, - "appConfEffect": { - 
"value": "Deny" - }, - "hpcCacheEffect": { - "value": "Deny" - }, - "batchEffect": { - "value": "Deny" - }, - "sqlMiEffect": { - "value": "Deny" - }, - "storageScopeEffect": { - "value": "Deny" - }, - "mlwsEffect": { - "value": "Deny" - }, - "managedDiskEffect": { - "value": "Deny" - }, - "queueStorageEffect": { - "value": "Deny" - }, - "synapseWsEffect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json deleted file mode 100644 index 4f60a43d..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json +++ /dev/null 
@@ -1,189 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - }, - "genericNonComplianceMessages": { - "type": "string", - "metadata": { - "description": "Provide a message to be displayed when a policy is non-compliant." - }, - "defaultValue": "You are trying to deploy or modify an Azure PaaS resource with a public endpoint, which is not permitted. Please see the following URL for more details, and how to mitigate." - }, - "documentationUri": { - "type": "string", - "defaultValue": "https://github.com/Microsoft/industry/FSI/serviceEnablement.md", - "metadata": { - "description": "Provide a URL to the documentation that provides guidance on how to mitigate a non-compliant policy." - } - } - }, - "variables": { - "policyDefinitions": { - "denyPublicEndpoint": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints')]" - }, - "policyAssignmentNames": { - "denyPublicEndpoint": "Deny-Public-Endpoints", - "displayName": "Public network access should be disabled for PaaS services", - "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints." 
- }, - "rbac": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "roleAssignmentNames": { - "denyPublicEndpoint": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').denyPublicEndpoint))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2020-09-01", - "name": "[variables('policyAssignmentNames').denyPublicEndpoint]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyPublicEndpoint]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": {}, - "nonComplianceMessages": [ - { // General compliance message for all Azure PaaS services subject to publid endpoint posture, when updating the policy initiative and assignemnt - "message": "[parameters('genericNonComplianceMessages')]" - }, - { - "message": "[concat('You are trying to deploy an Azure Cosmos DB resource to use a public endpoint, which is not permitted. Please see the following URL for more details and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP" - }, - { - "message": "[concat('You are trying to deploy an Azure KeyVault resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more details and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP" - }, - { - "message": "[concat('You are trying to deploy an Azure SQL Server resource to use a public endpoint into the landing zone, which is denied by Azure Policy. 
Please see the following URL for more details and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP" - }, - { - "message": "[concat('You are trying to deploy an Azure Storage Account resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more details and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "StorageDenyPaasPublicIP" - }, - { - "message": "[concat('You are trying to deploy an AKS resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more details and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AKSDenyPaasPublicIP" - }, - { - "message": "[concat('You are trying to deploy an ACR resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "ACRDenyPaasPublicIP" - }, - { - "message": "[concat('You are trying to deploy an AFS resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AFSDenyPaasPublicIP" - }, - { - "message": "[concat('You are trying to deploy an Azure Postgre SQL resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP" - }, - { - "message": "[concat('You are trying to deploy a MySQL resource to use a public endpoint into the landing zone, which is denied by Azure Policy. 
Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP" - }, - { - "message": "[concat('You are trying to deploy an Azure Batch resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "BatchDenyPublicIP" - }, - { - "message": "[concat('You are trying to deploy an Azure Cognitive Services resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "CognitiveDenyPublicIp" - }, - { - "message": "[concat('You are trying to deploy or modify an Azure Data Factory resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "DataFactoryModifyPublicIp" - }, - { - "message": "[concat('You are trying to deploy or modify an Azure File Sync resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AzFileSyncModifyPublicIp" - }, - { - "message": "[concat('You are trying to deploy or modify an Azure Databricks resource to use a public endpoint into the landing zone, which is denied by Azure Policy. 
Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AzDatabricksDenyPublicIp" - }, - { - "message": "[concat('You are trying to deploy or modify an Azure IoT Hub resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AzIoTHubModifyPublicIp" - }, - { - "message": "[concat('You are trying to deploy or modify an Azure Function App resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "FunctionAppDenyPublicIp" - }, - { - "message": "[concat('You are trying to deploy an Azure KeyVault HSM resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "KeyVaultHSMDenyPublicIp" - }, - { - "message": "[concat('You are trying to deploy an EventGrid Topic resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "EventGridTopicsDenyPublicIp" - }, - { - "message": "[concat('You are trying to deploy an Azure App Services resource to use a public endpoint into the landing zone, which is denied by Azure Policy. 
Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AppServicesDenyPublicIp" - }, - { - "message": "[concat('You are trying to deploy an Azure Data Factory resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "ADFDenyPublicIp" - }, - { - "message": "[concat('You are trying to deploy an Azure Storage Sync resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "StorageSyncDenyPublicIp" - }, - { - "message": "[concat('You are trying to configure an Azure App Services resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AppServiceModifyPublicIp" - }, - { - "message": "[concat('You are trying to modify an Azure Automation account resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AzAutomationModifyPublicIp" - }, - { - "message": "[concat('You are trying to modify an Azure Function resource to use a public endpoint into the landing zone, which is denied by Azure Policy. 
Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AzFunctionModifyPublicIp" - }, - { - "message": "[concat('You are trying to modify an Azure Device IoT resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AzDeviceIoTModifyPublicIP" - }, - { - "message": "[concat('You are trying to modify an Azure SQL Server resource to use a public endpoint into the landing zone, which is denied by Azure Policy. Please see the following URL for more information and how to mitigate.', parameters('documentationUri'))]", - "policyDefinitionReferenceId": "AzSqlModifyPublicIp" - } - ] - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').denyPublicEndpoint]", - "dependsOn": [ - "[variables('policyAssignmentNames').denyPublicEndpoint]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]", - "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').denyPublicEndpoint), '2019-09-01', 'Full' ).identity.principalId]" - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json index 64b68b41..d43d21ce 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json 
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json
@@ -16,6 +16,9 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -33,6 +36,7 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2019-09-01",
 "name": "[variables('policyAssignmentNames').denyPip]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json
index 34c5fcc4..337ed227 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json
@@ -15,6 +15,9 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -32,6 +35,7 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2019-09-01",
 "name": "[variables('policyAssignmentNames').denyRdp]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json
index fe66d68c..9db9d4ee 100644
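Review bot: The new `scope` parameter in DENY-PublicIpAddressPolicyAssignment.json is declared as a bare `"type": "string"` with no `metadata.description`, no `defaultValue` and no `minLength`, so the caller is not told which resource id is expected and an empty string passes parameter validation and only fails (or lands at an unintended scope) at deployment time. For a Deny assignment the scope decides where enforcement applies, so I would declare it as `"scope": { "type": "string", "minLength": 1, "metadata": { "description": "Resource id of the management group (or other scope) at which the policy assignment is created." } }`; the management-group wording is an inference from the template directory and should be adjusted to whatever the callers actually pass. The same bare declaration is repeated in the `scope` hunks of DENY-RDPFromInternet, DENY-Regions, DENY-Resources, DENY-RgRegions, DENY-SSHFromInternet, DENY-SubnetWithoutNsg, DENY-VNetPeering, DINE-ASB, DINE-ASCConfig, DINE-ActivityLog and DINE-Budget, and the same fix applies to each.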
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json
@@ -19,6 +19,9 @@
 "listOfAllowedLocations": {
 "type": "array",
 "defaultValue": []
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -36,7 +39,8 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').regions]",
- "location": "[deployment().location]",
+ "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-ResourcesPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-ResourcesPolicyAssignment.json
index bdeb00ba..b3778e4f 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-ResourcesPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-ResourcesPolicyAssignment.json
@@ -13,6 +13,9 @@
 "listOfResourceTypesAllowed": {
 "type": "array",
 "defaultValue": []
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -30,7 +33,8 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').resources]",
- "location": "[deployment().location]",
+ "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
index aff027aa..b9586cba 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
@@ -13,6 +13,9 @@
 "listOfAllowedLocations": {
 "type": "array",
 "defaultValue": []
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -30,7 +33,8 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').regions]",
- "location": "[deployment().location]",
+ "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SSHFromInternetPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SSHFromInternetPolicyAssignment.json
index a443bc71..b3bf7683 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SSHFromInternetPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SSHFromInternetPolicyAssignment.json
@@ -15,6 +15,9 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -32,6 +35,7 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2019-09-01",
 "name": "[variables('policyAssignmentNames').denySsh]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json
deleted file mode 100644
index 736cb73d..00000000
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "enforcementMode": {
- "type": "string",
- "allowedValues": [
- "Default",
- "DoNotEnforce"
- ],
- "defaultValue": "Default"
- }
- },
- "variables": {
- "policyDefinitions": {
- "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9"
- },
- "policyAssignmentNames": {
- "storageHttps": "Deny-Storage-http",
- "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
- "displayName": "Secure transfer to storage accounts should be enabled"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "name": "[variables('policyAssignmentNames').storageHttps]",
- "properties": {
- "description": "[variables('policyAssignmentNames').description]",
- "displayName": "[variables('policyAssignmentNames').displayName]",
- "policyDefinitionId": "[variables('policyDefinitions').storageHttps]",
- "enforcementMode": "[parameters('enforcementMode')]",
- "parameters": {
- "effect": {
- "value": "Deny"
- }
- }
- }
- }
- ],
- "outputs": {}
-}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json
index 832a6664..165a6436 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json
@@ -15,6 +15,9 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -32,6 +35,7 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2019-09-01",
 "name": "[variables('policyAssignmentNames').denySubnetWithoutNsg]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-VNetPeeringPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-VNetPeeringPolicyAssignment.json
index 2022f7d7..b11f148d 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-VNetPeeringPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-VNetPeeringPolicyAssignment.json
@@ -19,6 +19,9 @@
 "microsoft.network/expressroutecrossconnections/peerings",
 "microsoft.network/virtualrouters/peerings"
 ]
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -36,6 +39,7 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2019-09-01",
 "name": "[variables('policyAssignmentNames').denySubnetWithoutNsg]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
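Review bot: In DENY-VNetPeeringPolicyAssignment.json the assignment's `name` is resolved from `variables('policyAssignmentNames').denySubnetWithoutNsg`, the same key the DENY-SubnetWithoutNsg template two hunks up uses; the line is unchanged context, so the mismatch predates this commit, but it reads like a copy-paste leftover and a key named for this policy (for example `denyVnetPeering`) would make the template self-describing while the scope parameter is being threaded through. If the key's value (outside this hunk) is also shared with the subnet template, the two assignments would collide on name once both are deployed to the same `scope`, which is worth checking before merging.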
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json
index aba2d860..14334701 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json
@@ -9,6 +9,9 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -27,6 +30,7 @@
 "apiVersion": "2019-09-01",
 "name": "[variables('policyAssignmentNames').ascMonitoring]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "SystemAssigned"
 },
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json
index fdf65084..bfa4c62d 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json
@@ -134,6 +134,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -152,6 +155,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').azureSecurity]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json
index a4d2dc74..8924f9ad 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json
@@ -24,6 +24,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -42,6 +45,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').azureActivityLog]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json
deleted file mode 100644
index d82c0783..00000000
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json
+++ /dev/null
@@ -1,65 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "deployAks": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7" - }, - "policyAssignmentNames": { - "deployAks": "Deploy-AKS-Policy", - "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.", - "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters" - }, - "rbac": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "roleAssignmentNames": { - "deployAks": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').deployAks]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').deployAks]", - "enforcementMode": "[parameters('enforcementMode')]" - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployAks]", - "dependsOn": [ - "[variables('policyAssignmentNames').deployAks]" - ], - 
"properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]",
- "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2019-09-01', 'Full' ).identity.principalId]"
- }
- }
- ],
- "outputs": {}
-}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json
index f9979d99..38ec978a 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json
@@ -28,6 +28,12 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -47,11 +53,15 @@
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').budget]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
- "type": "SystemAssigned"
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
 },
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
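Review bot: The role the budget DINE effect needs is no longer granted anywhere in this template once the identity becomes `"type": "UserAssigned"` here and the role assignment is deleted in the next hunk, yet nothing documents that the identity passed in `userAssignedIdentityResourceId` must already hold that role at the new `scope`; a deployment with an under-privileged identity will succeed and then fail silently at remediation time. The removed resource bound the variable named `rbacOwner` to a system-assigned identity, so moving to a pre-provisioned identity with a centrally managed, narrower role is a sound least-privilege change, but the new parameter in the `@@ -28,6 +28,12 @@` hunk should carry it: `"userAssignedIdentityResourceId": { "type": "string", "metadata": { "description": "Resource ID of a user-assigned managed identity that already holds the role required by the budget remediation at the assignment scope." } }`. The `roleAssignmentNames.deployBudget` and `rbacOwner` variables referenced by the removed resource presumably remain in the variables block, which this diff does not touch; if so they are now dead and should go with it. The resources array continues past the end of this hunk.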
@@ -67,19 +77,6 @@
 }
 }
 }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').deployBudget]",
- "dependsOn": [
- "[variables('policyAssignmentNames').budget]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').budget), '2019-09-01', 'Full' ).identity.principalId)]"
- }
 }
 ],
 "outputs": {}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json
index 4559b892..bf97ac94 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json
@@ -12,6 +12,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -30,6 +33,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').defenderEndpoint]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json
index 24bfaedb..a2618ea3 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json
@@ -50,6 +50,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -68,6 +71,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').loganalytics]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json
index ac918666..084fc782 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json
@@ -34,6 +34,9 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string"
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -52,6 +55,7 @@
 "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').deployNsgFlowLogs]",
 "location": "[deployment().location]",
+ "scope": "[parameters('scope')]",
 "identity": {
 "type": "UserAssigned",
 "userAssignedIdentities": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json
deleted file mode 100644
index 858baef4..00000000
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json
+++ /dev/null
@@ -1,167 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - }, - "dnsZoneResourceGroupId": { - "type": "string", - "metadata": { - "description": "Provide the resourceId of the resource group for private DNS, which will construct the full resourceId for the private DNS zones." - } - }, - "location": { - "type": "string", - "metadata": { - "description": "Provide the location where the virtual network is created (hub)" - } - } - }, - "variables": { - "baseId": "[concat(parameters('dnsZoneResourceGroupId'), '/providers/Microsoft.Network/privateDnsZones/')]", - "policyParameterMapping": { - "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]", - "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.com')]", - "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.batch.azure.com')]", - "azureAppPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azconfig.io')]", - "azureAsrPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.siterecovery.windowsazure.com')]", - "azureIotPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices-provisioning.net')]", - "azureKeyVaultPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.vaultcore.azure.net')]", - "azureSignalRPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.service.signalr.net')]", - "azureAppServicesPrivateDnsZoneId": "[concat(variables('baseId'), 
'privatelink.azurewebsites.net')]", - "azureEventGridTopicsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]", - "azureDiskAccessPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", - "azureCognitiveServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cognitiveservices.azure.com')]", - "azureIotHubsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.net')]", - "azureEventGridDomainsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]", - "azureRedisCachePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.redis.cache.windows.net')]", - "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.io')]", - "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", - "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]", - "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", - "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]" - }, - "policyDefinitions": { - "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones')]" - }, - "policyAssignmentNames": { - "deployPrivateDnsZones": "Deploy-Private-DNS-Zones", - "displayName": "Configure Azure PaaS services to use private DNS zones", - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones" - }, - "roleAssignmentNames": { - "deployPrivateDnsZones": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployPrivateDnsZones))]" - }, - 
"policyRbac": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').deployPrivateDnsZones]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').deployPrivateDnsZones]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "azureFilePrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureFilePrivateDnsZoneId]" - }, - "azureWebPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureWebPrivateDnsZoneId]" - }, - "azureBatchPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureBatchPrivateDnsZoneId]" - }, - "azureAppPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureAppPrivateDnsZoneId]" - }, - "azureAsrPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureAsrPrivateDnsZoneId]" - }, - "azureIoTPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureIotPrivateDnsZoneId]" - }, - "azureKeyVaultPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureKeyVaultPrivateDnsZoneId]" - }, - "azureSignalRPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureSignalRPrivateDnsZoneId]" - }, - "azureAppServicesPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureAppServicesPrivateDnsZoneId]" - }, - "azureEventGridTopicsPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureEventGridTopicsPrivateDnsZoneId]" - }, - "azureDiskAccessPrivateDnsZoneId": { - "value": 
"[variables('policyParameterMapping').azureDiskAccessPrivateDnsZoneId]" - }, - "azureCognitiveServicesPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureCognitiveServicesPrivateDnsZoneId]" - }, - "azureIotHubsPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureIotHubsPrivateDnsZoneId]" - }, - "azureEventGridDomainsPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureEventGridDomainsPrivateDnsZoneId]" - }, - "azureRedisCachePrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureRedisCachePrivateDnsZoneId]" - }, - "azureAcrPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureAcrPrivateDnsZoneId]" - }, - "azureEventHubNamespacePrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureEventHubNamespacePrivateDnsZoneId]" - }, - "azureMachineLearningWorkspacePrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureMachineLearningWorkspacePrivateDnsZoneId]" - }, - "azureServiceBusNamespacePrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId]" - }, - "azureCognitiveSearchPrivateDnsZoneId": { - "value": "[variables('policyParameterMapping').azureCognitiveSearchPrivateDnsZoneId]" - } - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployPrivateDnsZones]", - "dependsOn": [ - "[variables('policyAssignmentNames').deployPrivateDnsZones]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[variables('policyRbac')]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployPrivateDnsZones), '2019-09-01', 'Full').identity.principalId)]" - } - } - ], - "outputs": { - "principalId": { - "type": "string", - "value": 
"[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployPrivateDnsZones), '2019-09-01', 'Full').identity.principalId]" - } - } -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json deleted file mode 100644 index b59a4a4e..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a prefix to your intermediate root management group containing the policy definitions." - } - }, - "logAnalyticsResourceId": { - "type": "string", - "metadata": { - "description": "Provide the resourceId to the central Log Analytics workspace." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - }, - "userAssignedIdentityResourceId": { - "type": "string" - } - }, - "variables": { - "policyDefinitions": { - "deployResourceDiagnostics": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics')]" - }, - "policyAssignmentNames": { - "resourceDiagnostics": "Deploy-Resource-Diag", - "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. 
See the list of policies of the services that are included", - "displayName": "Deploy Diagnostic Settings to Azure Services" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", - "name": "[variables('policyAssignmentNames').resourceDiagnostics]", - "location": "[deployment().location]", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[parameters('userAssignedIdentityResourceId')]": {} - } - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').deployResourceDiagnostics]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "logAnalytics": { - "value": "[parameters('logAnalyticsResourceId')]" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json deleted file mode 100644 index 0c55fd21..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9" - }, - "policyAssignmentNames": { - "deploySqlAuditing": "Deploy-SQL-DB-Auditing", - "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", - "displayName": "Auditing on SQL server should be enabled" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deploySqlAuditing": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').deploySqlAuditing]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').deploySqlAuditing]", - "enforcementMode": "[parameters('enforcementMode')]" - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deploySqlAuditing]", - "dependsOn": [ - 
"[variables('policyAssignmentNames').deploySqlAuditing]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full' ).identity.principalId]" - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json deleted file mode 100644 index d9a4c64b..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5" - }, - "policyAssignmentNames": { - "deploySqlEncryption": "Deploy-SQL-Threat", - "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", - "displayName": "Deploy Threat Detection on SQL servers" - - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deploySqlEncryption": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlEncryption))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').deploySqlEncryption]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').deploySqlEncryption]", - "enforcementMode": "[parameters('enforcementMode')]" - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deploySqlEncryption]", - "dependsOn": [ - "[variables('policyAssignmentNames').deploySqlEncryption]" - ], - "properties": { - "principalType": 
"ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlEncryption), '2019-09-01', 'Full' ).identity.principalId)]" - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json deleted file mode 100644 index 421b5bb7..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json +++ /dev/null 
@@ -1,78 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Afo." - } - }, - "logAnalyticsResourceId": { - "type": "string", - "metadata": { - "description": "Provide the resourceId to the central Log Analytics workspace" - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a" - }, - "policyAssignmentNames": { - "vmMonitoring": "Deploy-VM-Monitoring", - "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). 
Takes Log Analytics workspace as parameter.", - "displayName": "Enable Azure Monitor for VMs" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployVmMonitoring": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').vmMonitoring]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').vmMonitoring]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "logAnalytics_1": { - "value": "[parameters('logAnalyticsResourceId')]" - } - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployVmMonitoring]", - "dependsOn": [ - "[variables('policyAssignmentNames').vmMonitoring]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" - } - } - ], - "outputs": {} -} - \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json deleted file mode 100644 index 82cc4638..00000000 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Afo." - } - }, - "logAnalyticsResourceId": { - "type": "string", - "metadata": { - "description": "Provide the resourceId to the central Log Analytics workspace" - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad" - }, - "policyAssignmentNames": { - "vmssMonitoring": "Deploy-VMSS-Monitoring", - "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 
In CLI this would be az vmss update-instances.", - "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployVmssMonitoring": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').vmssMonitoring]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').vmssMonitoring]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "logAnalytics_1": { - "value": "[parameters('logAnalyticsResourceId')]" - } - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployVmssMonitoring]", - "dependsOn": [ - "[variables('policyAssignmentNames').vmssMonitoring]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json deleted file mode 100644 index 05c7e959..00000000 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json +++ /dev/null 
@@ -1,79 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, - "ddosPlanResourceId": { - "type": "string", - "metadata": { - "description": "Provide the resourceId to the DDos Standard Plan in your connectivity subscription." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "deployDoS": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d" - }, - "policyAssignmentNames": { - "deployDdoS": "Enable-DDoS-VNET", - "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. 
For more information, visit https://aka.ms/ddosprotectiondocs.", - "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard" - }, - "rbacNetworkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7", - "roleAssignmentNames": { - "deployDdoS": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployDdoS))]" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').deployDdoS]", - "location": "[deployment().location]", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').deployDoS]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "ddosPlan": { - "value": "[parameters('ddosPlanResourceId')]" - }, - "effect": { - "value": "Modify" - } - } - } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployDdoS]", - "dependsOn": [ - "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').deployDdoS)]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacNetworkContributor'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployDdoS), '2019-09-01', 'Full' ).identity.principalId)]" - } - } - ], - "outputs": {} -} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json
index a613aa5f..061ef905 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json
@@ -8,7 +8,7 @@
 }
 },
 "variables": {
- "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/')]",
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
 "policies": {
 "policyDefinitions": []
 }
@@ -18,6 +18,7 @@
 "type": "Microsoft.Authorization/policyDefinitions",
 "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
 "apiVersion": "2019-09-01",
+ "scope": "[variables('scope')]",
 "copy": {
 "name": "policyDefinitionCopy",
 "count": "[length(variables('policies').policyDefinitions)]"
@@ -36,6 +37,7 @@
 "type": "Microsoft.Authorization/policySetDefinitions",
 "apiVersion": "2021-06-01",
 "name": "Centralized-Logging",
+ "scope": "[variables('scope')]",
 "dependsOn": [
 "policyDefinitionCopy"
 ],
@@ -850,7 +852,7 @@
 }
 },
 {
- "policyDefinitionId": "[concat(variables('scope'), 'Dine-Diagnostics-ExpressRouteCircuit')]",
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-ExpressRouteCircuit')]",
 "policyDefinitionReferenceId": "Dine-Diagnostics-Er",
 "groupNames": [
 "Logging"
@@ -865,7 +867,7 @@
 }
 },
 {
- "policyDefinitionId": "[concat(variables('scope'), 'Dine-Diagnostics-Vnet')]",
+ "policyDefinitionId": "[concat(variables('scope'),'/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-Vnet')]",
 "policyDefinitionReferenceId": "Dine-Diagnostics-Vnet",
 "groupNames": [
 "Logging"
@@ -880,7 +882,7 @@
 }
 },
 {
- "policyDefinitionId": "[concat(variables('scope'), 'Dine-Diagnostics-TrafficManager')]",
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-TrafficManager')]",
 "policyDefinitionReferenceId": "Dine-Diagnostics-Tm",
 "groupNames": [
 "Logging"
@@ -895,7 +897,7 @@
 }
 },
 {
- "policyDefinitionId": "[concat(variables('scope'), 'Dine-Diagnostics-LoadBalancer')]",
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-LoadBalancer')]",
 "policyDefinitionReferenceId": "Dine-Diagnostics-Lb",
 "groupNames": [
 "Logging"
@@ -910,7 +912,7 @@
 }
 },
 {
- "policyDefinitionId": "[concat(variables('scope'), 'Dine-Diagnostics-FrontDoor')]",
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-FrontDoor')]",
 "policyDefinitionReferenceId": "Dine-Diagnostics-Fd",
 "groupNames": [
 "Logging"
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
index 58c2c40a..3ad59d30 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
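Review bot: The five `policyDefinitionId` references updated at lines 850–912 each re-assemble `'/providers/Microsoft.Authorization/policyDefinitions/'` by hand, and because `variables('scope')` is now the bare management-group ID, any reference between line 37 and line 850 that still uses the old `concat(variables('scope'), 'Dine-…')` form would resolve to `/providers/Microsoft.Management/managementGroups/<prefix>Dine-…`; that stretch is outside the diff, so it is worth a grep before merging. A less error-prone form for every reference is `"policyDefinitionId": "[extensionResourceId(variables('scope'), 'Microsoft.Authorization/policyDefinitions', 'Dine-Diagnostics-Vnet')]"`, which yields the canonical management-group-scoped ID without string assembly. Note also that the first hunk shows the local copy loop is empty (`"policyDefinitions": []`), so `"dependsOn": ["policyDefinitionCopy"]` does not order this initiative after whatever template actually creates the `Dine-Diagnostics-*` definitions; if they come from a separate deployment, this one must run after it or the initiative will fail because the referenced definitions do not exist yet. The policySetDefinition resource these hunks belong to starts and ends outside the diff.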
@@ -93,6 +93,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -111,6 +112,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-API-Management", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json index 8bbe890c..a0c03170 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json @@ -513,6 +513,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -531,6 +532,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-App-Service", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json index 527b2d0d..071ae8f2 100644 
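Review bot: `"scope": "[variables('scope')]"` is added to both resources in this file, but neither hunk shows `variables('scope')` being defined or adjusted here, whereas in Centralized-Logging the same variable had to be rewritten in this commit from the `…/providers/Microsoft.Authorization/policyDefinitions/` prefix down to the bare management-group ID before it was usable as a `scope`. If Compliant-APIManagement (and the other Compliant-* templates in this commit) still carry the prefix form, the added `scope` is not a valid management-group resource ID and the deployment will be rejected; please confirm each file's `scope` variable is `[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]`. Pinning `scope` to the prefix management group also means the definitions land there regardless of which management group the deployment is started at, so the deploying identity presumably needs policy-definition write rights at that management group rather than at the deployment target — a one-line note in the template's parameter description would save operators a confusing authorization failure. Both resource bodies extend beyond the hunks shown.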
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json @@ -71,6 +71,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -89,6 +90,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Automation-Account", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json index ad6479b1..a89b5fe5 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json @@ -170,6 +170,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -188,6 +189,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Backup", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json index a2ace3dc..0840a306 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json @@ -70,6 +70,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -88,6 +89,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Compute", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json index 0f34f888..9ff2cd8a 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json 
@@ -20,6 +20,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -38,6 +39,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-ContainerApps", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json index 224df5a9..4cf98e26 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json @@ -18,6 +18,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -36,6 +37,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-ContainerInstance", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json index a5bcd339..9b5f71af 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json @@ -19,6 +19,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -37,6 +38,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-ContainerRegistry", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json index 3c3c78b6..0bd1f9a1 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json 
@@ -19,6 +19,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -37,6 +38,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Corp-Lz", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json index 739ac141..648e6549 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json @@ -181,6 +181,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -199,6 +200,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-CosmosDb", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json index 02305b55..cdaf71e6 100644 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json @@ -181,6 +181,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -199,6 +200,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Data-Explorer", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json index f806d95b..d123e600 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json @@ -181,6 +181,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -199,6 +200,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-DataFactory", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json index fc40ed98..e2db85de 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json @@ -19,6 +19,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -37,6 +38,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Event-Grid", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json index 5c1a81a4..d75c2e1c 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json 
@@ -69,6 +69,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -87,6 +88,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Event-Hub", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json index 7d019895..f0f6940b 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json @@ -20,6 +20,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -38,6 +39,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Key-Vault", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json index 8c7fa541..9bf24512 100644 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json @@ -113,6 +113,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -131,6 +132,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Kubernetes", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json index 25a7f103..fba97d1e 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json @@ -67,6 +67,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -85,6 +86,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Machine-Learning", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json index c7a6d8ee..95b4c46b 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json @@ -67,6 +67,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -85,6 +86,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-MySQL", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json index be27d247..d3646283 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json @@ -1374,6 +1374,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" 
@@ -1392,6 +1393,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Network", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json index 52ce5bf0..5393d024 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json @@ -252,6 +252,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -270,6 +271,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-OpenAi", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json index 559a49a9..b2df5e03 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json 
@@ -272,6 +272,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -290,6 +291,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-PostgreSQL", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json index f8181aaa..136ca04a 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json @@ -121,6 +121,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -139,6 +140,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Sql", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json index 6d45a07d..f09dd6fd 100644 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json @@ -69,6 +69,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -87,6 +88,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Service-Bus", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json index 16d5246d..2181c471 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json @@ -713,6 +713,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -731,6 +732,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Storage", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json index 746ef811..9ce09603 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json @@ -63,6 +63,7 @@ "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policies').policyDefinitions[copyIndex()].name]", "apiVersion": "2019-09-01", + "scope": "[variables('scope')]", "copy": { "name": "policyDefinitionCopy", "count": "[length(variables('policies').policyDefinitions)]" @@ -81,6 +82,7 @@ "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", "name": "Compliant-Synapse", + "scope": "[variables('scope')]", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json index c6056db1..af7aa6ec 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json 
@@ -406,6 +406,7 @@
 "type": "Microsoft.Authorization/policyDefinitions",
 "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
 "apiVersion": "2019-09-01",
+ "scope": "[variables('scope')]",
 "copy": {
 "name": "policyDefinitionCopy",
 "count": "[length(variables('policies').policyDefinitions)]"
@@ -424,6 +425,7 @@
 "type": "Microsoft.Authorization/policySetDefinitions",
 "apiVersion": "2021-06-01",
 "name": "Compliant-AVD",
+ "scope": "[variables('scope')]",
 "dependsOn": [
 "policyDefinitionCopy"
 ],
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PaaSWithoutCMKPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PaaSWithoutCMKPolicySetDefinition.json
deleted file mode 100644
index 74b7c8f9..00000000
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PaaSWithoutCMKPolicySetDefinition.json
+++ /dev/null
@@ -1,538 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "name": "Deny-Paas-Without-CMK", - "properties": { - "metadata": { - "version": "1.0.0", - "category": "Encryption" - }, - "displayName": "Prevent usage of Azure PaaS services without customer-managed keys", - "description": "This policy initiative is a group of policies that ensures Azure PaaS services are using customer-managed keys", - "policyDefinitionGroups": [ - { - "name": "Encryption", - "category": "Data Protection", - "displayName": "Ensure PaaS services are using CMK", - "description": "Policies to prevent usage of Azure PaaS services without customer-managed keys" - } - ], - "parameters": { - "azureSqlEffect": { - "type": "string" - }, - "aciEffect": { - "type": "string" - }, - "videoAnalyzerEffect": { - "type": "string" - }, - "azMonClusterEffect": { - "type": "string" - }, - "cosmosDbEffect": { - "type": "string" - }, - "laIseEffect": { - "type": "string" - }, - "iotHubEffect": { - "type": "string" - }, - "asrEffect": { - "type": "string" - }, - "iotHubDeviceEffect": { - "type": "string" - }, - "adfEffect": { - "type": "string" - }, - "botEffect": { - "type": "string" - }, - "aaEffect": { - "type": "string" - }, - "containerRegistriesEffect": { - "type": "string" - }, - "hdInsightsEffect": { - "type": "string" - }, - "loadTestingEffect": { - "type": "string" - }, - "cognitiveServicesEffect": { - "type": "string" - }, - "osDataDiskEffect": { - "type": "string" - }, - "cognitiveSearchEffect": { - "type": "string" - }, - "tableStorageEffect": { - "type": "string" - }, - "aksDisksEffect": { - "type": "string" - }, - "dataExplorerEffect": { - "type": "string" - }, - "dataBoxEffect": { - "type": "string" - }, - "streamAnEffect": { - "type": "string" - }, - 
"mediaEffect": { - "type": "string" - }, - "logSearchEffect": { - "type": "string" - }, - "appConfEffect": { - "type": "string" - }, - "hpcCacheEffect": { - "type": "string" - }, - "batchEffect": { - "type": "string" - }, - "sqlMiEffect": { - "type": "string" - }, - "storageScopeEffect": { - "type": "string" - }, - "mlwsEffect": { - "type": "string" - }, - "managedDiskEffect": { - "type": "string" - }, - "queueStorageEffect": { - "type": "string" - }, - "synapseWsEffect": { - "type": "string" - } - }, - "policyDefinitions": [ - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", - "policyDefinitionReferenceId": "DENY-Azure-Sql-Server-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('azureSqlEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", - "policyDefinitionReferenceId": "DENY-ACI-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('aciEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/165a4137-c3ed-4fd0-a17f-1c8a80266580", - "policyDefinitionReferenceId": "DENY-Video-Analyzer-Without-CMK","groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('videoAnalyzerEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f68a601-6e6d-4e42-babf-3f643a047ea2", - "policyDefinitionReferenceId": "DENY-Azure-Monitor-Cluster-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('azMonClusterEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", - "policyDefinitionReferenceId": "DENY-Cosmos-DB-Without-CMK", - "groupNames": 
[ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('cosmosDbEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5", - "policyDefinitionReferenceId": "DENY-LA-ISE-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('laIseEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d7e144b-159c-44fc-95c1-ac3dbf5e6e54", - "policyDefinitionReferenceId": "DENY-IoT-Hub-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('iotHubeffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", - "policyDefinitionReferenceId": "DENY-ASR-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('asrEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47031206-ce96-41f8-861b-6a915f3de284", - "policyDefinitionReferenceId": "DENY-IoT-Hub-Device-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('iotHubDeviceEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", - "policyDefinitionReferenceId": "DENY-ADF-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('adfEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", - "policyDefinitionReferenceId": "DENY-Bot-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('botEffect')]" - } - } - }, - { - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", - "policyDefinitionReferenceId": "DENY-Aa-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('aaEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", - "policyDefinitionReferenceId": "DENY-Container-Registries-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('containerRegistriesEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64d314f6-6062-4780-a861-c23e8951bee5", - "policyDefinitionReferenceId": "DENY-HDi-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('hdInsightseffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65c4f833-1f2e-426c-8780-f6d7593bed7a", - "policyDefinitionReferenceId": "DENY-LT-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('loadTestingEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", - "policyDefinitionReferenceId": "DENY-Cognitive-Services-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('cognitiveServicesEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", - "policyDefinitionReferenceId": "DENY-OsDisk-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('osDataDiskEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", - 
"policyDefinitionReferenceId": "DENY-Cognitive-Search-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('cognitiveSearchEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", - "policyDefinitionReferenceId": "DENY-Table-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('tableStorageEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", - "policyDefinitionReferenceId": "DENY-AKS-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('aksDisksEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", - "policyDefinitionReferenceId": "DENY-DataExplorer-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('dataExplorerEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", - "policyDefinitionReferenceId": "DENY-DataBox-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('dataBoxEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", - "policyDefinitionReferenceId": "DENY-StreamAn-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('streamAnEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9285c3de-d5fd-4225-86d4-027894b0c442", - "policyDefinitionReferenceId": "DENY-Media-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - 
"effect": { - "value": "[[parameters('mediaEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94c1f94d-33b0-4062-bd04-1cdc3e7eece2", - "policyDefinitionReferenceId": "DENY-LogSearch-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('logSearchEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1", - "policyDefinitionReferenceId": "DENY-AppConf-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('appConfEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb", - "policyDefinitionReferenceId": "DENY-HPCcache-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('hpcCacheEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", - "policyDefinitionReferenceId": "DENY-Batch-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('batchEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", - "policyDefinitionReferenceId": "DENY-SQLMi-Without-CMK", - "parameters": { - "effect": { - "value": "[[parameters('sqlMiEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", - "policyDefinitionReferenceId": "DENY-StorageScope-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageScopeEffect')]" - } - } - }, - { - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", - "policyDefinitionReferenceId": "DENY-MLWS-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('mlWsEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", - "policyDefinitionReferenceId": "DENY-MangedDisk-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('managedDiskEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", - "policyDefinitionReferenceId": "DENY-QueueStorage-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('queueStorageEffect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", - "policyDefinitionReferenceId": "DENY-SynapseWs-Without-CMK", - "groupNames": [ - "Encryption" - ], - "parameters": { - "effect": { - "value": "[[parameters('synapseWsEffect')]" - } - } - } - ] - } - } - ] -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PublicEndpointsPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PublicEndpointsPolicySetDefinition.json deleted file mode 100644 index 6a986a10..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DENY-PublicEndpointsPolicySetDefinition.json +++ /dev/null 
@@ -1,587 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Authorization/policySetDefinitions", - "name": "Deny-PublicPaaSEndpoints", - "apiVersion": "2020-09-01", - "properties": { - "Description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", - "DisplayName": "Public network access should be disabled for PaaS services", - "Parameters": { - "CosmosPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for CosmosDB", - "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "KeyVaultPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for KeyVault", - "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "SqlServerPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure SQL Database should be disabled", - "description": "This policy denies creation of Sql servers with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "StoragePublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access onStorage accounts should be disabled", - "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - 
"defaultValue": "Deny" - }, - "AKSPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on AKS API should be disabled", - "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "ACRPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure Container Registry disabled", - "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints " - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AFSPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure File Sync disabled", - "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints " - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "PostgreSQLFlexPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for PostgreSql Flexible Server", - "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "MySQLFlexPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for MySQL Flexible Server", - "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "BatchPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Batch Instances", - "description": "This policy denies creation of 
Azure Batch Instances with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "CognitiveServicesPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Cognitive Services Instances", - "description": "This policy denies creation of Azure Cognitive Services Instances with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "DataFactoryPublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Data Factory", - "description": "This policy modifies creation of Azure Data Factory Instances with exposed public endpoints" - }, - "allowedValues": [ - "Modify", - "Disabled" - ], - "defaultValue": "Modify" - }, - "AzFileSyncPublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure File Sync", - "description": "This policy modifies Azure File Sync creation with exposed public endpoints" - }, - "allowedValues": [ - "Modify", - "Disabled" - ], - "defaultValue": "Modify" - }, - "AzDatabricksPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Databricks", - "description": "This policy modifies Azure Databricks creation with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AzIoTHubPublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure IoT Hub", - "description": "This policy modifies Azure IoT Hub creation with exposed public endpoints" - }, - "allowedValues": [ - "Modify", - "Disabled" - ], - "defaultValue": "Modify" - }, - "FunctionAppPublicIpDenyEffect": { - "type": "String", - "metadata": { - 
"displayName": "Public network access should be disabled for Azure Function App", - "description": "This policy modifies Azure Function App creation with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "KeyVaultHSMPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Key Vault HSM", - "description": "This policy denies Azure KeyVault HSM creation with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "EventGridTopicsPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Event Grid Topics", - "description": "This policy denies Event Grid Topics creation with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "AppServicesPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for App Services", - "description": "This policy denies App Services Topics creation with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "ADFPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for ADF", - "description": "This policy denies ADF creation with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "StorageSyncPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Storage Sync Services", - "description": "This policy denies Storage Sync service creation with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - 
"AppServicePublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be Modified for App Services", - "description": "This policy modifies App Service creation with exposed public endpoints" - }, - "allowedValues": [ - "Disabled", - "Modify" - ], - "defaultValue": "Modify" - }, - "AzAutomationPublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be Modified for Azure Automation", - "description": "This policy modifies Azure Automation creation with exposed public endpoints" - }, - "allowedValues": [ - "Disabled", - "Modify" - ], - "defaultValue": "Modify" - }, - "AzFunctionPublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be Modified for Azure Function", - "description": "This policy modifies Azure Function creation with exposed public endpoints" - }, - "allowedValues": [ - "Disabled", - "Modify" - ], - "defaultValue": "Modify" - }, - "AzDeviceIoTPublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be Modified for Azure Device Updates for IoT", - "description": "This policy modifies Azure Device Updates for IoT creation with exposed public endpoints" - }, - "allowedValues": [ - "Disabled", - "Modify" - ], - "defaultValue": "Modify" - }, - "AzSqlPublicIpModifyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be Modified for Azure Sql Server", - "description": "This policy modifies Azure SQL Server creation with exposed public endpoints" - }, - "allowedValues": [ - "Disabled", - "Modify" - ], - "defaultValue": "Modify" - } - }, - "PolicyDefinitionGroups": null, - "PolicyDefinitions": [ - { - "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", - "parameters": { - "effect": { - "value": 
"[[parameters('CosmosPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", - "parameters": { - "effect": { - "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", - "parameters": { - "effect": { - "value": "[[parameters('SqlServerPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", - "parameters": { - "effect": { - "value": "[[parameters('StoragePublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", - "parameters": { - "effect": { - "value": "[[parameters('AKSPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", - "parameters": { - "effect": { - "value": "[[parameters('ACRPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", - "parameters": { - "effect": { - "value": "[[parameters('AFSPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", - "parameters": { - "effect": { - "value": 
"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", - "parameters": { - "effect": { - "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "BatchDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", - "parameters": { - "effect": { - "value": "[[parameters('BatchPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "CognitiveDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", - "parameters": { - "effect": { - "value": "[[parameters('CognitiveServicesPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "DataFactoryModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", - "parameters": { - "effect": { - "value": "[[parameters('DataFactoryPublicIpModifyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AzFileSyncModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", - "parameters": { - "effect": { - "value": "[[parameters('AzFileSyncPublicIpModifyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AzDatabricksDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e7849de-b939-4c50-ab48-fc6b0f5eeba2", - "parameters": { - "effect": { - "value": "[[parameters('AzDatabricksPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AzIoTHubModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/114eec6e-5e59-4bad-999d-6eceeb39d582", - "parameters": { - "effect": { - "value": 
"[[parameters('AzIoTHubPublicIpModifyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "FunctionAppDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", - "parameters": { - "effect": { - "value": "[[parameters('FunctionAppPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "KeyVaultHSMDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f", - "parameters": { - "effect": { - "value": "[[parameters('KeyVaultHSMPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "EventGridTopicsDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", - "parameters": { - "effect": { - "value": "[[parameters('EventGridTopicsPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AppServicesDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", - "parameters": { - "effect": { - "value": "[[parameters('AppServicesPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "ADFDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", - "parameters": { - "effect": { - "value": "[[parameters('ADFPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "StorageSyncDenyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", - "parameters": { - "effect": { - "value": "[[parameters('StorageSyncPublicIpDenyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AppServiceModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", - "parameters": { - "effect": { - "value": 
"[[parameters('AppServicePublicIpModifyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AzAutomationModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", - "parameters": { - "effect": { - "value": "[[parameters('AzAutomationPublicIpModifyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AzFunctionModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", - "parameters": { - "effect": { - "value": "[[parameters('AzFunctionPublicIpModifyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AzDeviceIoTModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/27573ebe-7ef3-4472-a8e1-33aef9ea65c5", - "parameters": { - "effect": { - "value": "[[parameters('AzDeviceIoTPublicIpModifyEffect')]" - } - } - }, - { - "policyDefinitionReferenceId": "AzSqlModifyPublicIp", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b", - "parameters": { - "effect": { - "value": "[[parameters('AzSqlPublicIpModifyEffect')]" - } - } - } - ] - } - } - ], - "outputs": {} -} diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json deleted file mode 100644 index abc6fb2f..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json +++ /dev/null 
@@ -1,448 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2019-09-01", - "name": "Deploy-Private-DNS-Zones", - "properties": { - "metadata": { - "version": "1.0.0", - "category": "Network" - }, - "displayName": "Configure Azure PaaS services to use private DNS zones", - "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", - "parameters": { - "azureFilePrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureFilePrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureWebPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureWebPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureBatchPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureBatchPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureAppPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureAppPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureAsrPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureAsrPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureIotPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureIotPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone 
Identifier" - } - }, - "azureKeyVaultPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureKeyVaultPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureSignalRPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureSignalRPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureAppServicesPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureAppServicesPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureEventGridTopicsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureEventGridTopicsPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureDiskAccessPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureDiskAccessPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureCognitiveServicesPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureCognitiveServicesPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureIotHubsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureIotHubsPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureEventGridDomainsPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureEventGridDomainsPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureRedisCachePrivateDnsZoneId": { - "type": "string", - 
"metadata": { - "displayName": "azureRedisCachePrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureAcrPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureAcrPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureEventHubNamespacePrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureEventHubNamespacePrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureMachineLearningWorkspacePrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureServiceBusNamespacePrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureServiceBusNamespacePrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "azureCognitiveSearchPrivateDnsZoneId": { - "type": "string", - "metadata": { - "displayName": "azureCognitiveSearchPrivateDnsZoneId", - "strongType": "Microsoft.Network/privateDnsZones", - "description": "Private DNS Zone Identifier" - } - }, - "effect": { - "type": "string", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists" - }, - "effect1": { - "type": "string", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "deployIfNotExists", - "Disabled" - ], - "defaultValue": "deployIfNotExists" - } - }, - "policyDefinitions": [ - { - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-File-Sync", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureFileprivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureWebPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureBatchPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureAppPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureAsrPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", - "parameters": { - "privateDnsZoneId": { - "value": 
"[[parameters('azureIotPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect1')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect1')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect1')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureAcrPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", - 
"parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", - "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('effect')]" - } - } - } - ] - } - } - ] -} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/dataPolicies.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/dataPolicies.json deleted file mode 100644 index 4632eace..00000000 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/dataPolicies.json +++ /dev/null 
@@ -1,791 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "String", - "maxLength": 10, - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." - } - } - }, - "variables": { - "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - "policies": { - "policyDefinitions": [ - { - "properties": { - "displayName": "Control private endpoint connections to Azure Machine Learning", - "mode": "Indexed", - "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status", - "equals": "Approved" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id", - "exists": false - }, - { - "value": "[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]", - "notEquals": "[[subscription().subscriptionId]" - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": 
"Audit-MachineLearning-PrivateEndpointId" - }, - { - "properties": { - "displayName": "Enforces high business impact Azure Machine Learning Workspaces", - "mode": "Indexed", - "description": "Enforces high business impact Azure Machine Learning workspaces.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", - "exists": false - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", - "notEquals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-HbiWorkspace" - }, - { - "properties": { - "displayName": "Deny public acces behind vnet to Azure Machine Learning workspace", - "mode": "Indexed", - "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", - "exists": false - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", - "notEquals": 
false - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet" - }, - { - "properties": { - "displayName": "Deny AKS cluster creation in Azure Machine Learning", - "mode": "Indexed", - "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "equals": "AKS" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-Aks" - }, - { - "properties": { - "displayName": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", - "mode": "Indexed", - "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": 
"type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "in": [ - "AmlCompute", - "ComputeInstance" - ] - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/subnet.id", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-Compute-SubnetId" - }, - { - "properties": { - "displayName": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", - "mode": "Indexed", - "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", - "metadata": { - "version": "1.0.0", - "category": "Budget" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "allowedVmSizes": { - "type": "Array", - "metadata": { - "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances", - "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances" - }, - "defaultValue": [ - "Standard_D1_v2", - "Standard_D2_v2", - "Standard_D3_v2", - "Standard_D4_v2", - "Standard_D11_v2", - "Standard_D12_v2", - "Standard_D13_v2", - "Standard_D14_v2", - "Standard_DS1_v2", - "Standard_DS2_v2", - "Standard_DS3_v2", - "Standard_DS4_v2", - "Standard_DS5_v2", - "Standard_DS11_v2", - "Standard_DS12_v2", - "Standard_DS13_v2", - "Standard_DS14_v2", - "Standard_M8-2ms", - "Standard_M8-4ms", - "Standard_M8ms", - "Standard_M16-4ms", - "Standard_M16-8ms", - "Standard_M16ms", - "Standard_M32-8ms", - "Standard_M32-16ms", - "Standard_M32ls", - "Standard_M32ms", - 
"Standard_M32ts", - "Standard_M64-16ms", - "Standard_M64-32ms", - "Standard_M64ls", - "Standard_M64ms", - "Standard_M64s", - "Standard_M128-32ms", - "Standard_M128-64ms", - "Standard_M128ms", - "Standard_M128s", - "Standard_M64", - "Standard_M64m", - "Standard_M128", - "Standard_M128m", - "Standard_D1", - "Standard_D2", - "Standard_D3", - "Standard_D4", - "Standard_D11", - "Standard_D12", - "Standard_D13", - "Standard_D14", - "Standard_DS15_v2", - "Standard_NV6", - "Standard_NV12", - "Standard_NV24", - "Standard_F2s_v2", - "Standard_F4s_v2", - "Standard_F8s_v2", - "Standard_F16s_v2", - "Standard_F32s_v2", - "Standard_F64s_v2", - "Standard_F72s_v2", - "Standard_NC6s_v3", - "Standard_NC12s_v3", - "Standard_NC24rs_v3", - "Standard_NC24s_v3", - "Standard_NC6", - "Standard_NC12", - "Standard_NC24", - "Standard_NC24r", - "Standard_ND6s", - "Standard_ND12s", - "Standard_ND24rs", - "Standard_ND24s", - "Standard_NC6s_v2", - "Standard_NC12s_v2", - "Standard_NC24rs_v2", - "Standard_NC24s_v2", - "Standard_ND40rs_v2", - "Standard_NV12s_v3", - "Standard_NV24s_v3", - "Standard_NV48s_v3" - ] - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "in": [ - "AmlCompute", - "ComputeInstance" - ] - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize", - "notIn": "[[parameters('allowedVmSizes')]" - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-Compute-VmSize" - }, - { - "properties": { - "displayName": "Deny public access of Azure Machine Learning clusters via SSH", - "mode": "All", - "description": "Deny public access of Azure Machine Learning clusters via SSH.", - "metadata": { - "version": "1.1.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": 
"Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "equals": "AmlCompute" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", - "exists": false - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", - "notEquals": "Disabled" - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess" - }, - { - "properties": { - "displayName": "Enforce scale settings for Azure Machine Learning compute clusters", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforce scale settings for Azure Machine Learning compute clusters.", - "metadata": { - "version": "1.0.0", - "category": "Budget" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "maxNodeCount": { - "type": "Integer", - "metadata": { - "displayName": "Maximum Node Count", - "description": "Specifies the maximum node count of AML Clusters" - }, - "defaultValue": 10 - }, - "minNodeCount": { - "type": "Integer", - "metadata": { - "displayName": "Minimum Node Count", - "description": "Specifies the minimum node count of AML Clusters" - }, - "defaultValue": 0 - }, - "maxNodeIdleTimeInSecondsBeforeScaleDown": { - "type": "Integer", - "metadata": { - "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", - "description": "Specifies the 
maximum node idle time in seconds before scaledown" - }, - "defaultValue": 900 - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "equals": "AmlCompute" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount", - "greater": "[[parameters('maxNodeCount')]" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount", - "greater": "[[parameters('minNodeCount')]" - }, - { - "value": "[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]", - "greater": "[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]" - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-ComputeCluster-Scale" - }, - { - "properties": { - "displayName": "Azure Machine Learning should have disabled public network access", - "policyType": "Custom", - "mode": "Indexed", - "description": "Denies public network access for Azure Machine Learning workspaces.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess", - "notEquals": "Disabled" - } - ] - }, - "then": { - 
"effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-PublicNetworkAccess" - }, - { - "properties": { - "displayName": "Deny public IPs for Databricks cluster", - "policyType": "Custom", - "mode": "Indexed", - "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", - "metadata": { - "version": "1.0.0", - "category": "Databricks" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Databricks/workspaces" - }, - { - "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", - "notEquals": true - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-Databricks-NoPublicIp" - }, - { - "properties": { - "displayName": "Deny non-premium Databricks sku", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", - "metadata": { - "version": "1.0.0", - "category": "Databricks" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Databricks/workspaces" - }, - { - "field": "Microsoft.DataBricks/workspaces/sku.name", - "notEquals": "premium" - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": 
"Deny-Databricks-Sku" - }, - { - "properties": { - "displayName": "Deny Databricks workspaces without Vnet injection", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforces the use of vnet injection for Databricks workspaces.", - "metadata": { - "version": "1.0.0", - "category": "Databricks" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Databricks/workspaces" - }, - { - "anyOf": [ - { - "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value", - "exists": false - }, - { - "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value", - "exists": false - }, - { - "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value", - "exists": false - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-Databricks-VirtualNetwork" - } - ] - }, - "initiatives": { - "policySetDefinitions": [] - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyDefinitions", - "name": "[variables('policies').policyDefinitions[copyIndex()].name]", - "apiVersion": "2019-09-01", - "copy": { - "name": "policyDefinitionCopy", - "count": "[length(variables('policies').policyDefinitions)]" - }, - "properties": { - "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", - "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", - "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", - "policyType": "Custom", - "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", - "policyRule": 
"[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
- "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json
index b5ca4f2b..7734f081 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json
@@ -3,12 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "topLevelManagementGroupPrefix": {
- "type": "String",
- "defaultValue": "FSIDemo",
- "maxLength": 10,
- "metadata": {
- "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
- }
+ "type": "string"
 }
 },
 "variables": {
@@ -12050,6 +12045,7 @@
 "type": "Microsoft.Authorization/policyDefinitions",
 "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
 "apiVersion": "2019-09-01",
+ "scope": "[variables('scope')]",
 "copy": {
 "name": "policyDefinitionCopy",
 "count": "[length(variables('policies').policyDefinitions)]"
@@ -12068,6 +12064,7 @@
 "type": "Microsoft.Authorization/policySetDefinitions",
 "name": "[variables('initiatives').policySetDefinitions[copyIndex()].name]",
 "apiVersion": "2019-09-01",
+ "scope": "[variables('scope')]",
 "dependsOn": [
 "policyDefinitionCopy"
 ],
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyExemptions/EXEMPT-NSGFlowLogStAcc.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyExemptions/EXEMPT-NSGFlowLogStAcc.json
index 2dace072..af9c7398 100644
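Review bot: The `@@ -3,12 +3,7 @@` hunk removes not only the `FSIDemo` default from `topLevelManagementGroupPrefix` but also its `maxLength: 10` constraint and the `metadata.description`, so the template no longer rejects a prefix that is too long for the management-group names and other resource names built from it and a caller no longer sees what the value is for; if the goal was only to drop the default, keep `"maxLength": 10,` and the existing description text alongside `"type": "string"`. The two later hunks add `"scope": "[variables('scope')]"` to the policyDefinitions and policySetDefinitions resources, but `variables('scope')` is defined outside these hunks, so confirm it exists in this file's `variables` block (the deleted dataPolicies.json built it as the management-group resource id from the prefix). The sibling files touched by this commit, EXEMPT-NSGFlowLogStAcc.json and Custom-RBACDefinitions.json, take `scope` as a template parameter rather than a variable; one convention across the templates would let the orchestrating deployment pass the target scope the same way everywhere.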
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyExemptions/EXEMPT-NSGFlowLogStAcc.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyExemptions/EXEMPT-NSGFlowLogStAcc.json
@@ -13,6 +13,9 @@
 "storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect",
 "storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect"
 ]
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -26,6 +29,7 @@
 "type": "Microsoft.Authorization/policyExemptions",
 "apiVersion": "2022-07-01-preview",
 "name": "[variables('policyExemptionResourceName')]",
+ "scope": "[parameters('scope')]",
 "properties": {
 "policyAssignmentId": "[variables('policyAssignmentId')]",
 "policyDefinitionReferenceIds": "[parameters('policyDefinitionReferenceIds')]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
index 2b022454..be0560b7 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
@@ -5,6 +5,9 @@
 "topLevelManagementGroupPrefix": {
 "type": "string",
 "defaultValue": ""
+ },
+ "scope": {
+ "type": "string"
 }
 },
 "variables": {
@@ -105,6 +108,7 @@
 "type": "Microsoft.Authorization/roleDefinitions",
 "name": "[guid(tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix')), variables('roles').roleDefinitions[copyIndex()].properties.roleName)]",
 "apiVersion": "2018-01-01-preview",
+ "scope": "[parameters('scope')]",
 "copy": {
 "name": "roleDefinitionCopy",
 "count": "[length(variables('roles').roleDefinitions)]"
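Review bot: The new `scope` parameter on the `policyExemptions` resource has no `metadata.description` and no constraint, yet it decides where the NSG flow-log storage-account exemption switches off the listed storage policies (customer-managed keys, private link); a caller that passes a subscription or management group instead of the intended storage-account resource group silently widens that bypass to everything beneath it. Add `"metadata": { "description": "Scope (resource group or resource id of the NSG flow-log storage account) the exemption applies to; must be at or below the scope of the referenced policy assignment" }` so the intent is visible in the portal and in parameter files. Azure rejects an exemption whose scope is not within its assignment's scope, so a comment next to `"scope": "[parameters('scope')]"` stating that it must sit under the scope of `variables('policyAssignmentId')` (defined outside the hunk) would save a failed deployment. The `properties` object continues outside the hunk.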
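Review bot: The `roleDefinitions` resource now deploys to `parameters('scope')` while its `name` is still a GUID seeded from `tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))`, and nothing ties the two parameters together; a caller that passes a `scope` other than the prefix's management group gets a role definition created at one management group under an id computed for another, and any `assignableScopes` in `variables('roles')` (outside the hunk) that reference the prefix would presumably disagree with the deployment scope as well. Either derive the scope from the prefix inside the template, or document the contract on the parameter: `"scope": { "type": "string", "metadata": { "description": "Management group the custom roles are created in; must be the management group named by topLevelManagementGroupPrefix" } }`. The `"defaultValue": ""` kept on `topLevelManagementGroupPrefix` also means an omitted prefix yields a GUID seeded from an empty management-group name instead of a validation error, which is worth a `minLength` now that the parameter drives resource identity. The resource body continues outside the hunk.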
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
index 0f49e005..ff892d74 100644
--- a/foundations/azure/referenceImplementations/fsiPortalV2.json
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
@@ -2960,7 +2960,6 @@
 },
 "outputs": {
 "parameters": {
- "industry": "fsi",
 "subnetMaskForGw": "[steps('esConnectivityGoalState').esAddressVpnOrEr]",
 "subnetMaskForAzFw": "[steps('esConnectivityGoalState').esAddressFw]",
 "enableErGw": "[steps('esConnectivityGoalState').esErGw]",
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 1e655d08..f050c392 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -2,16 +2,6 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "industry": {
- "type": "string",
- "allowedValues": [
- "fsi",
- "telco"
- ],
- "metadata": {
- "description": "Azure Portal UX to determine which industry cloud foundation to be deployed"
- }
- },
 "industryPrefix": {
 "type": "string",
 "maxLength": 10,
@@ -716,30 +706,13 @@
 "ascConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json')]",
 "defenderEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json')]",
 "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
- "azPolicyForKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
- "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
- "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
- "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
- "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]",
- "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]",
- "publicEndpointPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, variables('azPublicEndpointArmTemplate'))]",
- "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]",
- "privateDnsZonePolicySetDefinition": "[uri(deployment().properties.templateLink.uri,
variables('azPrivateDnsArmTemplate'))]",
- "privateDnsZonePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json')]",
 "pipPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json')]",
 "rdpFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json')]",
- "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]",
 "subnetNsgPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json')]",
- "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
- "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json')]",
- "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
 "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vnetPeering.json')]",
 "corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vnetPeeringVwan.json')]",
 "privateDnsZones": "[uri(deployment().properties.templateLink.uri, 'core/resourceGroupTemplates/privateDnsZones.json')]",
 "roleAssignments": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/roleAssignments/roleAssignment.json')]",
- "databricksSku": "[uri(deployment().properties.templateLink.uri,
'core/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json')]",
- "databricksPip": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json')]",
- "databricksCluster": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksClusterPolicyAssignment.json')]",
 "govAscPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/gov/fairfaxDINE-ASCConfigPolicyAssignment.json')]",
 "logStorageAccount": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logStorageAccount.json')]",
 "nwDeployment": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/networkWatcher.json')]",
@@ -748,159 +721,150 @@ "sshFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-SSHFromInternetPolicyAssignment.json')]", "denyVnetPeeringPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-VNetPeeringPolicyAssignment.json')]", "budgetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json')]", - "appGwWithoutWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutWAFPolicyAssignment.json')]", - "appGwWithouthFwPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutFwRulesPolicyAssignment.json')]", - "wafWithoutFdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-WafWithoutFrontDoorEntryPointPolicyAssignment.json')]", - "fdWithoutWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-FdWithoutManagedWafPolicyAssignment.json')]", - "openAiLocalAuthPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithLocalAuthPolicyAssignment.json')]", - "openAiMiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithoutMiPolicyAssignment.json')]", // Telco industry "erHaPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'telco/managementGroupTemplates/policyAssignments/DENY-non-ha-expressRoutes-policyAssignment.json')]", "pipHaPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 
'telco/managementGroupTemplates/policyAssignments/DENY-non-ha-publicIps-policyAssignment.json')]" }, // Declaring deterministic deployment names "deploymentSuffix": "[concat('-', deployment().location, guid(parameters('industryPrefix')))]", + "industry": "fsi", "deploymentNames": { - "mgmtGroupDeploymentName": "[take(concat(parameters('industry'), '-Mgs', variables('deploymentSuffix')), 64)]", - "policyRpRegDeploymentName": "[take(concat(parameters('industry'), '-PolicyInsights', variables('deploymentSuffix')), 64)]", - "customRbacDeploymentName": "[take(concat(parameters('industry'), '-RoleDefinitions', variables('deploymentSuffix')), 64)]", - "allowedRegionsDeploymentName": "[take(concat(parameters('industry'), '-Azure-Regions', variables('deploymentSuffix')), 64)]", - "allowedRgRegionsDeploymentName": "[take(concat(parameters('industry'), '-Azure-RG-Regions', variables('deploymentSuffix')), 64)]", - "allowedResourcesDeploymentName": "[take(concat(parameters('industry'), '-Azure-Resources', variables('deploymentSuffix')), 64)]", - "centralizedLoggingDeploymentName": "[take(concat(parameters('industry'), '-Centralized-Logs', variables('deploymentSuffix')), 64)]", - "compliantCorpLzDeploymentName": "[take(concat(parameters('industry'), '-Compliant-CorpLz', variables('deploymentSuffix')), 64)]", - "compliantApimDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Apim', variables('deploymentSuffix')), 64)]", - "compliantAppServiceDeploymentName": "[take(concat(parameters('industry'), '-Compliant-AppService', variables('deploymentSuffix')), 64)]", - "compliantAutomationDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Automation', variables('deploymentSuffix')), 64)]", - "compliantBackupDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Backup', variables('deploymentSuffix')), 64)]", - "compliantComputeDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Compute', variables('deploymentSuffix')), 64)]", - 
"compliantContainerAppsDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]", - "compliantContainerInstanceDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]", - "compliantContainerRegistryDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]", - "compliantCosmosDbDeploymentName": "[take(concat(parameters('industry'), '-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]", - "compliantDataExplorerDeploymentName": "[take(concat(parameters('industry'), '-Compliant-DataExplorer', variables('deploymentSuffix')), 64)]", - "compliantDataFactoryDeploymentName": "[take(concat(parameters('industry'), '-Compliant-DataFactory', variables('deploymentSuffix')), 64)]", - "compliantEventGridDeploymentName": "[take(concat(parameters('industry'), '-Compliant-EventGrid', variables('deploymentSuffix')), 64)]", - "compliantEventHubDeploymentName": "[take(concat(parameters('industry'), '-Compliant-EventHub', variables('deploymentSuffix')), 64)]", - "compliantKeyVaultDeploymentName": "[take(concat(parameters('industry'), '-Compliant-KeyVault', variables('deploymentSuffix')), 64)]", - "compliantKubernetesDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]", - "compliantMachineLearningDeploymentName": "[take(concat(parameters('industry'), '-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]", - "compliantNetworkDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Network', variables('deploymentSuffix')), 64)]", - "compliantOpenAiDeploymentName": "[take(concat(parameters('industry'), '-Compliant-OpenAi', variables('deploymentSuffix')), 64)]", - "compliantPostgreDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Postgre', variables('deploymentSuffix')), 64)]", - 
"compliantServiceBusDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]", - "compliantSqlDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Sql', variables('deploymentSuffix')), 64)]", - "compliantStorageDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Storage', variables('deploymentSuffix')), 64)]", - "compliantSynapseDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Synapse', variables('deploymentSuffix')), 64)]", - "compliantVirtualDesktopDeploymentName": "[take(concat(parameters('industry'), '-Compliant-AVD', variables('deploymentSuffix')), 64)]", - "mgmtSubscriptionPlacement": "[take(concat(parameters('industry'), '-MgmtSub', variables('deploymentSuffix')), 64)]", - "policyIdentityDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentity', variables('deploymentSuffix')), 64)]", - "policyIdentityRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentityRoleAssignment', variables('deploymentSuffix')), 64)]", - "databricksSkuDeploymentName": "[take(concat(parameters('industry'), '-DBSku', variables('deploymentSuffix')), 64)]", - "databricksPipDeploymentName": "[take(concat(parameters('industry'), '-DBPip', variables('deploymentSuffix')), 64)]", - "databricksClusterDeploymentName": "[take(concat(parameters('industry'), '-DBCluster', variables('deploymentSuffix')), 64)]", - "corpPeeringDeploymentName": "[take(concat(parameters('industry'), '-CorpPeering', variables('deploymentSuffix')), 60)]", - "connectivitySubscriptionPlacement": "[take(concat(parameters('industry'), '-ConnectivitySub', variables('deploymentSuffix')), 64)]", - "ingressSubscriptionPlacement": "[take(concat(parameters('industry'), '-IngressSub', variables('deploymentSuffix')), 64)]", - "egressSubscriptionPlacement": "[take(concat(parameters('industry'), '-EgressSub', variables('deploymentSuffix')), 64)]", - "identitySubscriptionPlacement": 
"[take(concat(parameters('industry'), '-IdentitySub', variables('deploymentSuffix')), 64)]", - "policyDeploymentName": "[take(concat(parameters('industry'), '-Policy', variables('deploymentSuffix')), 64)]", - "dataPolicyDeploymentName": "[take(concat(parameters('industry'),'-Data-Policy', variables('deploymentSuffix')), 64)]", - "ddosRgDeploymentName": "[take(concat(parameters('industry'), '-DDoSRg', variables('deploymentSuffix')), 64)]", - "ddosDeploymentName": "[take(concat(parameters('industry'), '-DDoS', variables('deploymentSuffix')), 64)]", - "ddosHubPolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSHubPolicy', variables('deploymentSuffix')), 64)]", - "cmkPolicyDeploymentName": "[take(concat(parameters('industry'), '-CMKPolicy', variables('deploymentSuffix')), 64)]", - "cmkPolicyAssignmentDeploymentName": "[take(concat(parameters('industry'), '-CMKPolicyAssignment', variables('deploymentSuffix')), 64)]", - "ddosLzPolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSLZPolicy', variables('deploymentSuffix')), 64)]", - "monitoringDeploymentName": "[take(concat(parameters('industry'), '-Monitoring', variables('deploymentSuffix')), 64)]", - "logAnalyticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-LAPolicy', variables('deploymentSuffix')), 64)]", - "monitoringSolutionsDeploymentName": "[take(concat(parameters('industry'), '-Solutions', variables('deploymentSuffix')), 64)]", - "asbPolicyDeploymentName": "[take(concat(parameters('industry'), '-ASB', variables('deploymentSuffix')), 64)]", - "resourceDiagnosticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-ResourceDiagnostics', variables('deploymentSuffix')), 64)]", - "activityDiagnosticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-ActivityDiagnostics', variables('deploymentSuffix')), 64)]", - "ascPolicyDeploymentName": "[take(concat(parameters('industry'), '-ASC', variables('deploymentSuffix')), 64)]", - "ascGovPolicyDeploymentName": 
"[take(concat(parameters('industry'), '-Gov-ASC', variables('deploymentSuffix')), 64)]", - "vnetConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-HubSpoke', variables('deploymentSuffix')), 64)]", - "ingressDeploymentName": "[take(concat(parameters('industry'), '-Ingress', variables('deploymentSuffix')), 64)]", - "egressDeploymentName": "[take(concat(parameters('industry'), '-Egress', variables('deploymentSuffix')), 64)]", - "vwanConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-VWanHub', variables('deploymentSuffix')), 64)]", - "nvaConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-NVAHub', variables('deploymentSuffix')), 64)]", - "azVmMonitorPolicyDeploymentName": "[take(concat(parameters('industry'), '-AzVmMonitor', variables('deploymentSuffix')), 64)]", - "defenderEndpointPolicyDeploymentName": "[take(concat(parameters('industry'), '-DefenderEndpoint', variables('deploymentSuffix')), 64)]", - "azVmssMonitorPolicyDeploymentName": "[take(concat(parameters('industry'),'-AzVmssMonitor', variables('deploymentSuffix')), 64)]", - "azBackupLzPolicyDeploymentName": "[take(concat(parameters('industry'),'-AzBackupLz', variables('deploymentSuffix')), 64)]", - "azBackupIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-AzBackupIdentity', variables('deploymentSuffix')), 64)]", - "azPolicyForAksPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPolicy', variables('deploymentSuffix')), 64)]", - "aksPrivEscalationPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPrivEsc', variables('deploymentSuffix')), 64)]", - "aksHttpsPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksHttps', variables('deploymentSuffix')), 64)]", - "aksPrivilegedPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPrivileged', variables('deploymentSuffix')), 64)]", - "tlsSslPolicyDeploymentName": "[take(concat(parameters('industry'), '-TLSSSL', 
variables('deploymentSuffix')), 64)]", - "ipFwPolicyDeploymentName": "[take(concat(parameters('industry'), '-IPFwd', variables('deploymentSuffix')), 64)]", - "publicEndpointPolicyDeploymentName": "[take(concat(parameters('industry'), '-PEndpoint', variables('deploymentSuffix')), 64)]", - "publicEndpointPolicyDefinitionName": "[take(concat(parameters('industry'), '-Policy-PEndpoints', variables('deploymentSuffix')), 64)]", - "privateDnsPolicyDefinitionName": "[take(concat(parameters('industry'), '-Policy-PrivateDns', variables('deploymentSuffix')), 64)]", - "privateDnsPolicyDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSAssignment', variables('deploymentSuffix')), 64)]", - "pipPolicyDeploymentName": "[take(concat(parameters('industry'), '-PIP', variables('deploymentSuffix')), 64)]", - "rdpFromInternetPolicyDeploymentName": "[take(concat(parameters('industry'), '-RDP', variables('deploymentSuffix')), 64)]", - "sshFromInternetPolicyDeploymentName": "[take(concat(parameters('industry'), '-SSH', variables('deploymentSuffix')), 64)]", - "rdpFromInternetIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-RDPIdentity', variables('deploymentSuffix')), 64)]", - "storageHttpsPolicyDeploymentName": "[take(concat(parameters('industry'), '-StorageHttps', variables('deploymentSuffix')), 64)]", - "subnetNsgPolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsg', variables('deploymentSuffix')), 64)]", - "subnetNsgIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", - "playgroundSubs": "[take(concat(parameters('industry'), '-Playground', variables('deploymentSuffix')), 60)]", - "onlineLzSubs": "[take(concat(parameters('industry'), '-OnlineLzs', variables('deploymentSuffix')), 60)]", - "corpLzSubs": "[take(concat(parameters('industry'), '-CorpLzs', variables('deploymentSuffix')), 60)]", - "corpConnectedMoveLzSubs": "[take(concat(parameters('industry'), 
'-CorpConnLzs', variables('deploymentSuffix')), 50)]", - "corpConnectedLzSubs": "[take(concat(parameters('industry'), '-CorpPeering', variables('deploymentSuffix')), 50)]", - "privateDnsZoneRgDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSRG', variables('deploymentSuffix')), 64)]", - "privateDnsZonesDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSZones', variables('deploymentSuffix')), 35)]", - "dnsZoneRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-DNSZoneRole', variables('deploymentSuffix')), 64)]", - "dnsZoneOperatorRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-DNSZoneOperatorRole', variables('deploymentSuffix')), 64)]", - "nsgFLowLogRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-NSGFlowRole', variables('deploymentSuffix')), 64)]", - "identityPeeringDeploymentName": "[take(concat(parameters('industry'), '-IDPeering', variables('deploymentSuffix')), 64)]", - "identityVwanPeeringDeploymentName": "[take(concat(parameters('industry'), '-IDVwanPeering', variables('deploymentSuffix')), 64)]", - "corpConnectedLzVwanSubs": "[take(concat(parameters('industry'), '-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]", - "logStorageDeploymentName": "[take(concat(parameters('industry'), '-LogStorage', variables('deploymentSuffix')), 64)]", - "nwDeploymentName": "[take(concat(parameters('industry'), '-NwPlatform', variables('deploymentSuffix')), 64)]", - "nwRgLzPolicyAssignment": "[take(concat(parameters('industry'), '-NwRgLz', variables('deploymentSuffix')), 64)]", - "nsgFlowLogsPlatformPolicyAssignment": "[take(concat(parameters('industry'), '-NSGFlowPlatform', variables('deploymentSuffix')), 64)]", - "nsgFLowLogsLzPolicyAssignment": "[take(concat(parameters('industry'), '-NSGFlowLz', variables('deploymentSuffix')), 64)]", - "nsgFlowLogPolicyExemption": "[take(concat(parameters('industry'), '-NSGExempt', variables('deploymentSuffix')), 64)]", - 
"denyVnetPeeringDeploymentName": "[take(concat(parameters('industry'), '-VNetPeering', variables('deploymentSuffix')), 64)]", - "budgetDeploymentName": "[take(concat(parameters('industry'), '-Budget', variables('deploymentSuffix')), 64)]", + "mgmtGroupDeploymentName": "[take(concat(variables('industry'), '-Mgs', variables('deploymentSuffix')), 64)]", + "policyRpRegDeploymentName": "[take(concat(variables('industry'), '-PolicyInsights', variables('deploymentSuffix')), 64)]", + "customRbacDeploymentName": "[take(concat(variables('industry'), '-RoleDefinitions', variables('deploymentSuffix')), 64)]", + "allowedRegionsDeploymentName": "[take(concat(variables('industry'), '-Azure-Regions', variables('deploymentSuffix')), 64)]", + "allowedRgRegionsDeploymentName": "[take(concat(variables('industry'), '-Azure-RG-Regions', variables('deploymentSuffix')), 64)]", + "allowedResourcesDeploymentName": "[take(concat(variables('industry'), '-Azure-Resources', variables('deploymentSuffix')), 64)]", + "centralizedLoggingDeploymentName": "[take(concat(variables('industry'), '-Centralized-Logs', variables('deploymentSuffix')), 64)]", + "compliantCorpLzDeploymentName": "[take(concat(variables('industry'), '-Compliant-CorpLz', variables('deploymentSuffix')), 64)]", + "compliantApimDeploymentName": "[take(concat(variables('industry'), '-Compliant-Apim', variables('deploymentSuffix')), 64)]", + "compliantAppServiceDeploymentName": "[take(concat(variables('industry'), '-Compliant-AppService', variables('deploymentSuffix')), 64)]", + "compliantAutomationDeploymentName": "[take(concat(variables('industry'), '-Compliant-Automation', variables('deploymentSuffix')), 64)]", + "compliantBackupDeploymentName": "[take(concat(variables('industry'), '-Compliant-Backup', variables('deploymentSuffix')), 64)]", + "compliantComputeDeploymentName": "[take(concat(variables('industry'), '-Compliant-Compute', variables('deploymentSuffix')), 64)]", + "compliantContainerAppsDeploymentName": 
"[take(concat(variables('industry'), '-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]", + "compliantContainerInstanceDeploymentName": "[take(concat(variables('industry'), '-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]", + "compliantContainerRegistryDeploymentName": "[take(concat(variables('industry'), '-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]", + "compliantCosmosDbDeploymentName": "[take(concat(variables('industry'), '-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]", + "compliantDataExplorerDeploymentName": "[take(concat(variables('industry'), '-Compliant-DataExplorer', variables('deploymentSuffix')), 64)]", + "compliantDataFactoryDeploymentName": "[take(concat(variables('industry'), '-Compliant-DataFactory', variables('deploymentSuffix')), 64)]", + "compliantEventGridDeploymentName": "[take(concat(variables('industry'), '-Compliant-EventGrid', variables('deploymentSuffix')), 64)]", + "compliantEventHubDeploymentName": "[take(concat(variables('industry'), '-Compliant-EventHub', variables('deploymentSuffix')), 64)]", + "compliantKeyVaultDeploymentName": "[take(concat(variables('industry'), '-Compliant-KeyVault', variables('deploymentSuffix')), 64)]", + "compliantKubernetesDeploymentName": "[take(concat(variables('industry'), '-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]", + "compliantMachineLearningDeploymentName": "[take(concat(variables('industry'), '-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]", + "compliantNetworkDeploymentName": "[take(concat(variables('industry'), '-Compliant-Network', variables('deploymentSuffix')), 64)]", + "compliantOpenAiDeploymentName": "[take(concat(variables('industry'), '-Compliant-OpenAi', variables('deploymentSuffix')), 64)]", + "compliantPostgreDeploymentName": "[take(concat(variables('industry'), '-Compliant-Postgre', variables('deploymentSuffix')), 64)]", + "compliantServiceBusDeploymentName": 
"[take(concat(variables('industry'), '-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]", + "compliantSqlDeploymentName": "[take(concat(variables('industry'), '-Compliant-Sql', variables('deploymentSuffix')), 64)]", + "compliantStorageDeploymentName": "[take(concat(variables('industry'), '-Compliant-Storage', variables('deploymentSuffix')), 64)]", + "compliantSynapseDeploymentName": "[take(concat(variables('industry'), '-Compliant-Synapse', variables('deploymentSuffix')), 64)]", + "compliantVirtualDesktopDeploymentName": "[take(concat(variables('industry'), '-Compliant-AVD', variables('deploymentSuffix')), 64)]", + "mgmtSubscriptionPlacement": "[take(concat(variables('industry'), '-MgmtSub', variables('deploymentSuffix')), 64)]", + "policyIdentityDeploymentName": "[take(concat(variables('industry'), '-PolicyIdentity', variables('deploymentSuffix')), 64)]", + "policyIdentityRoleAssignmentDeploymentName": "[take(concat(variables('industry'), '-PolicyIdentityRoleAssignment', variables('deploymentSuffix')), 64)]", + "databricksSkuDeploymentName": "[take(concat(variables('industry'), '-DBSku', variables('deploymentSuffix')), 64)]", + "databricksPipDeploymentName": "[take(concat(variables('industry'), '-DBPip', variables('deploymentSuffix')), 64)]", + "databricksClusterDeploymentName": "[take(concat(variables('industry'), '-DBCluster', variables('deploymentSuffix')), 64)]", + "corpPeeringDeploymentName": "[take(concat(variables('industry'), '-CorpPeering', variables('deploymentSuffix')), 60)]", + "connectivitySubscriptionPlacement": "[take(concat(variables('industry'), '-ConnectivitySub', variables('deploymentSuffix')), 64)]", + "ingressSubscriptionPlacement": "[take(concat(variables('industry'), '-IngressSub', variables('deploymentSuffix')), 64)]", + "egressSubscriptionPlacement": "[take(concat(variables('industry'), '-EgressSub', variables('deploymentSuffix')), 64)]", + "identitySubscriptionPlacement": "[take(concat(variables('industry'), '-IdentitySub', 
variables('deploymentSuffix')), 64)]",
+ "policyDeploymentName": "[take(concat(variables('industry'), '-Policy', variables('deploymentSuffix')), 64)]",
+ "dataPolicyDeploymentName": "[take(concat(variables('industry'),'-Data-Policy', variables('deploymentSuffix')), 64)]",
+ "ddosRgDeploymentName": "[take(concat(variables('industry'), '-DDoSRg', variables('deploymentSuffix')), 64)]",
+ "ddosDeploymentName": "[take(concat(variables('industry'), '-DDoS', variables('deploymentSuffix')), 64)]",
+ "monitoringDeploymentName": "[take(concat(variables('industry'), '-Monitoring', variables('deploymentSuffix')), 64)]",
+ "logAnalyticsPolicyDeploymentName": "[take(concat(variables('industry'), '-LAPolicy', variables('deploymentSuffix')), 64)]",
+ "monitoringSolutionsDeploymentName": "[take(concat(variables('industry'), '-Solutions', variables('deploymentSuffix')), 64)]",
+ "asbPolicyDeploymentName": "[take(concat(variables('industry'), '-ASB', variables('deploymentSuffix')), 64)]",
+ "resourceDiagnosticsPolicyDeploymentName": "[take(concat(variables('industry'), '-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
+ "activityDiagnosticsPolicyDeploymentName": "[take(concat(variables('industry'), '-ActivityDiagnostics', variables('deploymentSuffix')), 64)]",
+ "ascPolicyDeploymentName": "[take(concat(variables('industry'), '-ASC', variables('deploymentSuffix')), 64)]",
+ "ascGovPolicyDeploymentName": "[take(concat(variables('industry'), '-Gov-ASC', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHubDeploymentName": "[take(concat(variables('industry'), '-HubSpoke', variables('deploymentSuffix')), 64)]",
+ "ingressDeploymentName": "[take(concat(variables('industry'), '-Ingress', variables('deploymentSuffix')), 64)]",
+ "egressDeploymentName": "[take(concat(variables('industry'), '-Egress', variables('deploymentSuffix')), 64)]",
+ "vwanConnectivityHubDeploymentName": "[take(concat(variables('industry'), '-VWanHub', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHubDeploymentName": "[take(concat(variables('industry'), '-NVAHub', variables('deploymentSuffix')), 64)]",
+ "azVmMonitorPolicyDeploymentName": "[take(concat(variables('industry'), '-AzVmMonitor', variables('deploymentSuffix')), 64)]",
+ "defenderEndpointPolicyDeploymentName": "[take(concat(variables('industry'), '-DefenderEndpoint', variables('deploymentSuffix')), 64)]",
+ "azVmssMonitorPolicyDeploymentName": "[take(concat(variables('industry'),'-AzVmssMonitor', variables('deploymentSuffix')), 64)]",
+ "azBackupLzPolicyDeploymentName": "[take(concat(variables('industry'),'-AzBackupLz', variables('deploymentSuffix')), 64)]",
+ "azBackupIdentityPolicyDeploymentName": "[take(concat(variables('industry'), '-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
+ "azPolicyForAksPolicyDeploymentName": "[take(concat(variables('industry'), '-AksPolicy', variables('deploymentSuffix')), 64)]",
+ "aksPrivEscalationPolicyDeploymentName": "[take(concat(variables('industry'), '-AksPrivEsc', variables('deploymentSuffix')), 64)]",
+ "aksHttpsPolicyDeploymentName": "[take(concat(variables('industry'), '-AksHttps', variables('deploymentSuffix')), 64)]",
+ "aksPrivilegedPolicyDeploymentName": "[take(concat(variables('industry'), '-AksPrivileged', variables('deploymentSuffix')), 64)]",
+ "tlsSslPolicyDeploymentName": "[take(concat(variables('industry'), '-TLSSSL', variables('deploymentSuffix')), 64)]",
+ "ipFwPolicyDeploymentName": "[take(concat(variables('industry'), '-IPFwd', variables('deploymentSuffix')), 64)]",
+ "publicEndpointPolicyDeploymentName": "[take(concat(variables('industry'), '-PEndpoint', variables('deploymentSuffix')), 64)]",
+ "publicEndpointPolicyDefinitionName": "[take(concat(variables('industry'), '-Policy-PEndpoints', variables('deploymentSuffix')), 64)]",
+ "privateDnsPolicyDefinitionName": "[take(concat(variables('industry'), '-Policy-PrivateDns', variables('deploymentSuffix')), 64)]",
+ "privateDnsPolicyDeploymentName": "[take(concat(variables('industry'), '-PrivDNSAssignment', variables('deploymentSuffix')), 64)]",
+ "pipPolicyDeploymentName": "[take(concat(variables('industry'), '-PIP', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetPolicyDeploymentName": "[take(concat(variables('industry'), '-RDP', variables('deploymentSuffix')), 64)]",
+ "sshFromInternetPolicyDeploymentName": "[take(concat(variables('industry'), '-SSH', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetIdentityPolicyDeploymentName": "[take(concat(variables('industry'), '-RDPIdentity', variables('deploymentSuffix')), 64)]",
+ "storageHttpsPolicyDeploymentName": "[take(concat(variables('industry'), '-StorageHttps', variables('deploymentSuffix')), 64)]",
+ "subnetNsgPolicyDeploymentName": "[take(concat(variables('industry'), '-SubnetNsg', variables('deploymentSuffix')), 64)]",
+ "subnetNsgIdentityPolicyDeploymentName": "[take(concat(variables('industry'), '-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]",
+ "playgroundSubs": "[take(concat(variables('industry'), '-Playground', variables('deploymentSuffix')), 60)]",
+ "onlineLzSubs": "[take(concat(variables('industry'), '-OnlineLzs', variables('deploymentSuffix')), 60)]",
+ "corpLzSubs": "[take(concat(variables('industry'), '-CorpLzs', variables('deploymentSuffix')), 60)]",
+ "corpConnectedMoveLzSubs": "[take(concat(variables('industry'), '-CorpConnLzs', variables('deploymentSuffix')), 50)]",
+ "corpConnectedLzSubs": "[take(concat(variables('industry'), '-CorpPeering', variables('deploymentSuffix')), 50)]",
+ "privateDnsZoneRgDeploymentName": "[take(concat(variables('industry'), '-PrivDNSRG', variables('deploymentSuffix')), 64)]",
+ "privateDnsZonesDeploymentName": "[take(concat(variables('industry'), '-PrivDNSZones', variables('deploymentSuffix')), 35)]",
+ "dnsZoneRoleAssignmentDeploymentName": "[take(concat(variables('industry'), '-DNSZoneRole', variables('deploymentSuffix')), 64)]",
+ "dnsZoneOperatorRoleAssignmentDeploymentName": "[take(concat(variables('industry'), '-DNSZoneOperatorRole', variables('deploymentSuffix')), 64)]",
+ "nsgFLowLogRoleAssignmentDeploymentName": "[take(concat(variables('industry'), '-NSGFlowRole', variables('deploymentSuffix')), 64)]",
+ "identityPeeringDeploymentName": "[take(concat(variables('industry'), '-IDPeering', variables('deploymentSuffix')), 64)]",
+ "identityVwanPeeringDeploymentName": "[take(concat(variables('industry'), '-IDVwanPeering', variables('deploymentSuffix')), 64)]",
+ "corpConnectedLzVwanSubs": "[take(concat(variables('industry'), '-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]",
+ "logStorageDeploymentName": "[take(concat(variables('industry'), '-LogStorage', variables('deploymentSuffix')), 64)]",
+ "nwDeploymentName": "[take(concat(variables('industry'), '-NwPlatform', variables('deploymentSuffix')), 64)]",
+ "nwRgLzPolicyAssignment": "[take(concat(variables('industry'), '-NwRgLz', variables('deploymentSuffix')), 64)]",
+ "nsgFlowLogsPlatformPolicyAssignment": "[take(concat(variables('industry'), '-NSGFlowPlatform', variables('deploymentSuffix')), 64)]",
+ "nsgFLowLogsLzPolicyAssignment": "[take(concat(variables('industry'), '-NSGFlowLz', variables('deploymentSuffix')), 64)]",
+ "nsgFlowLogPolicyExemption": "[take(concat(variables('industry'), '-NSGExempt', variables('deploymentSuffix')), 64)]",
+ "denyVnetPeeringDeploymentName": "[take(concat(variables('industry'), '-VNetPeering', variables('deploymentSuffix')), 64)]",
+ "budgetDeploymentName": "[take(concat(variables('industry'), '-Budget', variables('deploymentSuffix')), 64)]",
// Compliant Azure Service Policy Assignment deployment names
- "centralizedPlaygroundLogsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Logging-Playground', variables('deploymentSuffix')), 64)]",
- "centralizedPlatformLogsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Logging-Platform', variables('deploymentSuffix')), 64)]",
- "compliantCorpLzAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CorpLz', variables('deploymentSuffix')), 64)]",
- "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Auto', variables('deploymentSuffix')), 64)]",
- "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]",
- "compliantCosmosDbAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]",
- "compliantComputeAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Compute', variables('deploymentSuffix')), 64)]",
- "compliantDataExplorerAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ADE', variables('deploymentSuffix')), 64)]",
- "compliantDataFactoryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ADF', variables('deploymentSuffix')), 64)]",
- "compliantEventGridAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EG', variables('deploymentSuffix')), 64)]",
- "compliantEventHubAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EH', variables('deploymentSuffix')), 64)]",
- "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
- "compliantOpenAiAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
- "compliantPostgreAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Postgre', variables('deploymentSuffix')), 64)]",
- "compliantSqlAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-SQL', variables('deploymentSuffix')), 64)]",
- "compliantSynapseAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Synapse', variables('deploymentSuffix')), 64)]",
- "compliantMachineLearningAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
- "compliantNetworkAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Network', variables('deploymentSuffix')), 64)]",
- "compliantPlatformNetworkAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-PlatformNetwork', variables('deploymentSuffix')), 64)]",
- "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
- "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
- "compliantContainerRegistryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
- "compliantServiceBusAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
- "compliantKubernetesAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
- "compliantStorageAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Storage', variables('deploymentSuffix')), 64)]",
- "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
- "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
- "compliantVirtualDesktopAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AVD', variables('deploymentSuffix')), 64)]",
+ "centralizedPlaygroundLogsAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Logging-Playground', variables('deploymentSuffix')), 64)]",
+ "centralizedPlatformLogsAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Logging-Platform', variables('deploymentSuffix')), 64)]",
+ "compliantCorpLzAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-CorpLz', variables('deploymentSuffix')), 64)]",
+ "compliantAutomationAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Auto', variables('deploymentSuffix')), 64)]",
+ "compliantBackupAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]",
+ "compliantCosmosDbAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]",
+ "compliantComputeAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Compute', variables('deploymentSuffix')), 64)]",
+ "compliantDataExplorerAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-ADE', variables('deploymentSuffix')), 64)]",
+ "compliantDataFactoryAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-ADF', variables('deploymentSuffix')), 64)]",
+ "compliantEventGridAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-EG', variables('deploymentSuffix')), 64)]",
+ "compliantEventHubAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-EH', variables('deploymentSuffix')), 64)]",
+ "compliantKeyVaultAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
+ "compliantOpenAiAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
+ "compliantPostgreAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Postgre', variables('deploymentSuffix')), 64)]",
+ "compliantSqlAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-SQL', variables('deploymentSuffix')), 64)]",
+ "compliantSynapseAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Synapse', variables('deploymentSuffix')), 64)]",
+ "compliantMachineLearningAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
+ "compliantNetworkAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Network', variables('deploymentSuffix')), 64)]",
+ "compliantPlatformNetworkAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-PlatformNetwork', variables('deploymentSuffix')), 64)]",
+ "compliantContainerAppsAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
+ "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
+ "compliantContainerRegistryAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
+ "compliantServiceBusAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
+ "compliantKubernetesAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
+ "compliantStorageAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Storage', variables('deploymentSuffix')), 64)]",
+ "compliantApimAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
+ "compliantAppServiceAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
+ "compliantVirtualDesktopAssignmentDeploymentName": "[take(concat(variables('industry'), '-Enforce-Compliant-AVD', variables('deploymentSuffix')), 64)]",
// Telco specific policies assignment deployments
- "erHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaEr', variables('deploymentSuffix')), 64)]",
- "pipHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaPip', variables('deploymentSuffix')), 64)]",
- "privateDnsOperatorPolicyDeploymentName": "[take(concat(parameters('industry'), '-PrivateDNSOperator',variables('deploymentSuffix')), 64)]"
+ "erHaPolicyAssignment": "[take(concat(variables('industry'), '-DenyNonHaEr', variables('deploymentSuffix')), 64)]",
+ "pipHaPolicyAssignment": "[take(concat(variables('industry'), '-DenyNonHaPip', variables('deploymentSuffix')), 64)]",
+ "privateDnsOperatorPolicyDeploymentName": "[take(concat(variables('industry'), '-PrivateDNSOperator',variables('deploymentSuffix')), 64)]"
},
// Declaring deterministic names for Resource Groups that will be created for platform resources
"platformRgNames": {
@@ -2757,6 +2721,9 @@
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('industryPrefix')]"
+ },
+ "scope": {
+ "value": "[variables('scopes').industryRootManagementGroup]"
}
}
}
@@ -3821,6 +3788,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').managementManagementGroup]"
}
}
}
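Review bot: The new `scope` parameter in the `@@ -2757` hunk hands the linked template a management-group id that is independent of the outer deployment's own `scope` property, so the two can drift apart; a DeployIfNotExists assignment created at `industryRootManagementGroup` while the deployment itself targets a narrower group would give its managed identity a broader reach than the deployment's placement suggests. Each linked template is also assumed to declare a `scope` parameter — none of the hunks shows one, and a nested deployment fails when it is passed a parameter the template does not define. The same point applies to every `+ "scope": {` addition that follows, from `@@ -3821` and `@@ -3845` through the identity and playground hunks ending at `@@ -6537`. A one-line comment at this first occurrence would document the invariant: `// scope must equal this deployment's own scope: it is the management group the assignment and its identity are created at`.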
@@ -3845,7 +3815,11 @@
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').asbPolicyInitiative]"
},
- "parameters": {}
+ "parameters": {
+ "scope": {
+ "value": "[variables('scopes').industryRootManagementGroup]"
+ }
+ }
}
},
{
@@ -3876,6 +3850,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').platformManagementGroup]"
}
}
}
@@ -3908,6 +3885,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').playgroundManagementGroup]"
}
}
}
@@ -3939,6 +3919,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').industryRootManagementGroup]"
}
}
}
@@ -4041,6 +4024,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').industryRootManagementGroup]"
}
}
}
@@ -4068,6 +4054,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').industryRootManagementGroup]"
}
}
}
@@ -4184,36 +4173,6 @@
}
}
},
- {
- // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true
- "condition": "[and(or(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
- "name": "[variables('deploymentNames').ddosHubPolicyDeploymentName]",
- "scope": "[variables('scopes').connectivityManagementGroup]",
- "location": "[deployment().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
- ],
- "properties": {
- "mode": "Incremental",
- "templateLink": {
- "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').ddosPolicyAssignment]"
- },
- "parameters": {
- "ddosPlanResourceId": {
- "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
- },
- "topLevelManagementGroupPrefix": {
- "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]"
- },
- "enforcementMode": {
- "value": "[if(equals(parameters('enableDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]"
- }
- }
- }
- },
{
// Creating the virtual network hub (hub and spoke)
"condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]",
@@ -4711,6 +4670,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').platformManagementGroup]"
}
}
}
@@ -4738,6 +4700,9 @@
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('industryPrefix')]"
+ },
+ "scope": {
+ "value": "[variables('scopes').platformManagementGroup]"
}
}
}
@@ -4798,6 +4763,9 @@
"Global",
"[if(empty(parameters('location')), deployment().location, parameters('location'))]"
]
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -4826,7 +4794,9 @@
"value": [
"[if(empty(parameters('location')), deployment().location, parameters('location'))]"
]
- }
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
}
@@ -4852,6 +4822,9 @@
"parameters": {
"listOfResourceTypesAllowed": {
"value": "[variables('allowedResourcesMap')]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -4904,6 +4877,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
}
}
@@ -4940,6 +4916,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -4983,6 +4962,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
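Review bot: In the `@@ -4826` hunk the closing brace is fused onto the value line, `"value": "[variables('scopes').lzsManagementGroup]"}`, whereas every sibling hunk on this page puts the `}` on its own line; the result parses, but it breaks the file's one-token-per-line layout and will surface as noise the next time the template is reformatted. Split it into `"value": "[variables('scopes').lzsManagementGroup]"` followed by `}` on the following line, matching the `@@ -4798` hunk directly above. The enclosing deployment resource starts before this hunk, so the rest of its parameter block cannot be checked here.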
@@ -5020,6 +5002,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5054,6 +5039,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5085,6 +5073,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5116,6 +5107,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5147,6 +5141,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5184,6 +5181,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5221,6 +5221,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5258,6 +5261,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5295,6 +5301,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5338,6 +5347,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5387,6 +5399,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5424,6 +5439,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5467,6 +5485,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5504,6 +5525,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5607,6 +5631,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5710,6 +5737,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').platformManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5747,6 +5777,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -5784,6 +5817,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
}
}
@@ -5820,6 +5856,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
}
}
@@ -5871,6 +5910,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
}
}
@@ -5931,6 +5973,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -6154,6 +6199,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').corpManagementGroup]"
}
// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
}
@@ -6194,6 +6242,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
}
}
@@ -6242,6 +6293,9 @@
},
"userAssignedIdentityResourceId": {
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').lzsManagementGroup]"
}
}
}
@@ -6272,7 +6326,7 @@
},
"enforcementMode": {
"value": "Default"
- }
+ }
}
}
},
@@ -6300,7 +6354,10 @@
},
"enforcementMode": {
"value": "Default"
- }
+ },
+ "scope": {
+ "value": "[variables('scopes').identityManagementGroup]"
+ }
}
}
},
@@ -6328,7 +6385,10 @@
},
"enforcementMode": {
"value": "Default"
- }
+ },
+ "scope": {
+ "value": "[variables('scopes').identityManagementGroup]"
+ }
}
}
},
@@ -6356,7 +6416,10 @@
},
"enforcementMode": {
"value": "Default"
- }
+ },
+ "scope": {
+ "value": "[variables('scopes').identityManagementGroup]"
+ }
}
}
},
@@ -6507,7 +6570,10 @@
"parameters": {
"enforcementMode": {
"value": "Default"
- }
+ },
+ "scope": {
+ "value": "[variables('scopes').playgroundManagementGroup]"
+ }
}
}
},
@@ -6537,6 +6603,12 @@
},
"amount": {
"value": "[parameters('budgetAmount')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ },
+ "scope": {
+ "value": "[variables('scopes').playgroundManagementGroup]"
}
}
}
From a20bcd43d486c57f851e63a0c59a3a1f7ce6cceb Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Tue, 21 Mar 2023 10:06:39 +0100
Subject: [PATCH 2/3] update of budget
---
.../policyAssignments/DINE-BudgetPolicyAssignment.json | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json
index 38ec978a..b73ac55c 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json
@@ -39,17 +39,13 @@
"variables": {
"policyDefinitions": {
"deployBudget": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget')]"
- },
+ },
"policyAssignmentNames": {
"budget": "Deploy-Budget",
"description": "Ensure there is a budget on all subscriptions under the assigned scope to control cost and spending.",
"displayName": "Ensure there is a budget associated with the subscription"
- },
- "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
- "roleAssignmentNames": {
- "deployBudget": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').budget))]"
- }
- },
+ }
+ },
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
From 2609e2bf38cd4054444a8e7203b8675e20ccbafc Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Tue, 21 Mar 2023 19:16:40 +0100
Subject: [PATCH 3/3] updated centralized logging to use built-ins only
---
...entralized-LoggingPolicySetDefinition.json | 103 +-----------------
1 file changed, 2 insertions(+), 101 deletions(-)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json
index 061ef905..9ba206e6 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Centralized-LoggingPolicySetDefinition.json
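Review bot: Dropping `rbacOwner` (the built-in Owner role id `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`) and `roleAssignmentNames.deployBudget` removes the only role grant this template made, a clear least-privilege improvement, but the hunk does not show what now authorizes the DeployIfNotExists remediation. Presumably the assignment is switched to the shared identity passed as `userAssignedIdentityResourceId` in the `@@ -6537` hunk of the first patch; that identity must already hold a role allowing budget writes at the assigned scope, otherwise remediation tasks fail and subscriptions simply stay non-compliant. A comment above `"policyAssignmentNames"` would make the dependency explicit: `// No role assignment is created here: remediation runs under the user-assigned identity, which must already hold a budget-write role at the assignment scope.` The `resources` entry that carries the identity block lies outside the hunk, so the identity type change itself cannot be confirmed from this view.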
@@ -8,39 +8,15 @@
}
},
"variables": {
- "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
- "policies": {
- "policyDefinitions": []
- }
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
},
"resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
- "apiVersion": "2019-09-01",
- "scope": "[variables('scope')]",
- "copy": {
- "name": "policyDefinitionCopy",
- "count": "[length(variables('policies').policyDefinitions)]"
- },
- "properties": {
- "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
- "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
- "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
- "policyType": "Custom",
- "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
- "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
- "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
- }
- },
{
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"name": "Centralized-Logging",
"scope": "[variables('scope')]",
- "dependsOn": [
- "policyDefinitionCopy"
- ],
+ "dependsOn": [],
"properties": {
"metadata": {
"version": "1.0.0",
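Review bot: `"dependsOn": []` is left behind as an empty array once the `policyDefinitionCopy` loop it pointed at is deleted; ARM accepts it, but it is dead text and the property should go entirely, since the policy set no longer waits on anything in this template. More important is what the deletion implies for the rest of the set: the `@@ -850` hunk below removes references of the form `concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-…')`, and with the custom-definition resource gone, any such reference still present elsewhere in the set points at a definition this template no longer creates and the policySetDefinition deployment will fail. The remaining `policyDefinitions` entries are outside this hunk, so a full-file check for `variables('scope')` inside a `policyDefinitionId` is needed before merging. A short comment on the variable would record the intent: `// scope is only used to place the policy set; all member definitions are built-ins`.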
@@ -850,81 +826,6 @@
 "value": "[[parameters('logCategories')]"
 }
 }
- },
- {
- "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-ExpressRouteCircuit')]",
- "policyDefinitionReferenceId": "Dine-Diagnostics-Er",
- "groupNames": [
- "Logging"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('enableLogAnalytics')]"
- },
- "logAnalytics": {
- "value": "[[parameters('logAnalyticsWorkspaceId')]"
- }
- }
- },
- {
- "policyDefinitionId": "[concat(variables('scope'),'/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-Vnet')]",
- "policyDefinitionReferenceId": "Dine-Diagnostics-Vnet",
- "groupNames": [
- "Logging"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('enableLogAnalytics')]"
- },
- "logAnalytics": {
- "value": "[[parameters('logAnalyticsWorkspaceId')]"
- }
- }
- },
- {
- "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-TrafficManager')]",
- "policyDefinitionReferenceId": "Dine-Diagnostics-Tm",
- "groupNames": [
- "Logging"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('enableLogAnalytics')]"
- },
- "logAnalytics": {
- "value": "[[parameters('logAnalyticsWorkspaceId')]"
- }
- }
- },
- {
- "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-LoadBalancer')]",
- "policyDefinitionReferenceId": "Dine-Diagnostics-Lb",
- "groupNames": [
- "Logging"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('enableLogAnalytics')]"
- },
- "logAnalytics": {
- "value": "[[parameters('logAnalyticsWorkspaceId')]"
- }
- }
- },
- {
- "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Dine-Diagnostics-FrontDoor')]",
- "policyDefinitionReferenceId": "Dine-Diagnostics-Fd",
- "groupNames": [
- "Logging"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('enableLogAnalytics')]"
- },
- "logAnalytics": {
- "value": "[[parameters('logAnalyticsWorkspaceId')]"
- }
- }
 }
 ]
 }
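Review bot: Dropping the `Dine-Diagnostics-Er`, `Dine-Diagnostics-Vnet`, `Dine-Diagnostics-Tm`, `Dine-Diagnostics-Lb` and `Dine-Diagnostics-Fd` references removes diagnostic-setting enforcement for ExpressRoute circuits, virtual networks, Traffic Manager, load balancers and Front Door from this initiative, and no replacement entries appear in the hunk. Unless built-in equivalents are added elsewhere, this is a logging-coverage regression for the network plane that the "built-ins only" subject line does not call out; Front Door access and WAF logs in particular are a common detection source, so losing them silently is the kind of gap that shows up only during an incident. The PR description should list which removed custom definitions have a built-in counterpart and which resource types are now uncovered, so the gap is an explicit decision rather than a side effect. The enclosing `policyDefinitions` array starts outside the hunk.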