diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
index bbfee4fd..78d5bbb3 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
@@ -22,7 +22,7 @@
 "landingZoneMgs": {
 "type": "array",
 "defaultValue": [
- "online",
+ "cloud-native",
 "corp"
 ],
 "metadata": {
@@ -164,6 +164,33 @@
 }
 }
 }
+ },
+ {
+ // One of Azure's untold stories.....
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat('Consistency-', copyIndex())]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Management/managementGroups', variables('managementGroups').landingZone)]"
+ ],
+ "copy": {
+ "batchSize": 1,
+ "count": 21,
+ "mode": "Serial",
+ "name": "Consistency"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [],
+ "outputs": {}
+ }
+ }
 }
 ],
 "outputs": {}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
index aa56a63b..9e30c164 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
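Review bot: Changing the `landingZoneMgs` default from `online` to `cloud-native` is a breaking change for hierarchies already deployed with the old default: an incremental redeployment will most likely create a new `cloud-native` management group and leave the existing `online` one, and everything scoped to it, in place rather than renaming it. That is presumably intended for fresh deployments, but nothing in the template says so. The same default is changed in mgmtGroupsLite.json in the next hunk. Suggest extending the parameter's `metadata.description` (which begins outside the hunk) with a sentence such as `Renaming an existing landing zone management group is not supported; pass the current names explicitly when redeploying an existing hierarchy.`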
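Review bot: The `// One of Azure's untold stories.....` line in the new `Consistency` deployment resource says nothing about why 21 serial, empty nested deployments are needed, and as a `//` comment it also makes the file non-strict JSON (Resource Manager tolerates it, but `jq`, JSON linters and schema validators in CI will reject it). Move the explanation into the resource's `"comments"` property, which Resource Manager ignores at deploy time, e.g. `"comments": "Serial no-op deployments that give the newly created management groups time to propagate before later templates reference them; count tuned empirically - TODO confirm rationale"`. `"count": 21` and `"batchSize": 1` are magic numbers; a named variable or a documented parameter would make the intent and the tuning visible. The enclosing `resources` array starts outside the hunk.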
@@ -11,7 +11,7 @@
 "landingZoneMgs": {
 "type": "array",
 "defaultValue": [
- "online",
+ "cloud-native",
 "corp"
 ],
 "metadata": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json
new file mode 100644
index 00000000..4dc42777
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json
@@ -0,0 +1,75 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "apimDiagnostics": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "apimLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "compliantApim": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-API-Management')]"
+ },
+ "policyAssignmentNames": {
+ "apim": "Compliant-Apim",
+ "description": "This policy initiative is a group of policies that ensures API Management is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default API Management for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').apim]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compliantApim]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "apimDiagnostics": {
+ "value": "[parameters('apimDiagnostics')]"
+ },
+ "apimLogAnalyticsWorkspaceId": {
+ "value": "[parameters('apimLogAnalyticsWorkspaceId')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
new file mode 100644
index 00000000..2a471dc4
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
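Review bot: Only `topLevelManagementGroupPrefix` carries a `metadata.description`; `apimDiagnostics`, `apimLogAnalyticsWorkspaceId`, `enforcementMode` and `userAssignedIdentityResourceId` are undocumented, yet the first two are coupled: choosing `DeployIfNotExists` while leaving the workspace ID at its default `""` will presumably fail at remediation time, and nothing in the template tells the deployer this. Suggest `"metadata": { "description": "Resource ID of the Log Analytics workspace that API Management diagnostic settings are sent to. Required when apimDiagnostics is DeployIfNotExists." }` on `apimLogAnalyticsWorkspaceId`, and a description on `userAssignedIdentityResourceId` stating that the identity is what performs the initiative's DeployIfNotExists remediation and must hold the corresponding permissions. The same gaps are in Compliant-AppServicePolicyAssignment.json, Compliant-AutomationPolicyAssignment.json, Compliant-BackupPolicyAssignment.json and Compliant-ContainerRegistryPolicyAssignment.json below. Compliant-CorpLzPolicyAssignment.json additionally gives `userAssignedIdentityResourceId` a `defaultValue` of `""`, which would place an empty key in `userAssignedIdentities`, whereas every other new template makes that parameter mandatory; the set should agree.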
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "functionDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "appServiceDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAppService": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-App-Service')]" + }, + "policyAssignmentNames": { + "appService": "Compliant-AppService", + "description": "This policy initiative is a group of policies that ensures App Service is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default App Service for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').appService]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAppService]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "functionDiagnostics": { + "value": "[parameters('functionDiagnostics')]" + }, + "functionLogAnalyticsWorkspaceId": { + "value": "[parameters('functionLogAnalyticsWorkspaceId')]" + }, + "appServiceDiagnostics": { + "value": "[parameters('appServiceDiagnostics')]" + }, + "appServiceLogAnalyticsWorkspaceId": { + "value": "[parameters('appServiceLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json new file mode 100644 index 00000000..9abdecb6 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json 
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "aaLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the Log Analytics Workspace ID for Key Vault"
+ }
+ },
+ "aaDiagnostics": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "compliantAa": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Automation-Account')]"
+ },
+ "policyAssignmentNames": {
+ "aa": "Compliant-Automation",
+ "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Automation Account for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').aa]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compliantAa]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "aaLogAnalyticsWorkspaceId": {
+ "value": "[parameters('aaLogAnalyticsWorkspaceId')]"
+ },
+ "aaDiagnostics": {
+ "value": "[parameters('aaDiagnostics')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
new file mode 100644
index 00000000..4f3daa13
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
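Review bot: The `metadata.description` on `aaLogAnalyticsWorkspaceId` reads `Provide the Log Analytics Workspace ID for Key Vault`, which looks copied from another template; this parameter is wired into the Automation Account initiative. Change it to `"description": "Provide the resource ID of the Log Analytics workspace that Automation Account diagnostic settings are sent to."`. The parameter is also mandatory here while the equivalent workspace-ID parameters in the Apim, AppService, Backup and ContainerRegistry assignments default to `""`; either convention works, but the set should agree so deployers are not surprised by one template prompting and the others silently accepting an empty ID.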
@@ -0,0 +1,63 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "asrLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Backup')]" + }, + "policyAssignmentNames": { + "backup": "Compliant-Backup", + "description": "This policy initiative is a group of policies that ensures Backup is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Backup for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').backup]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantBackup]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "asrLogAnalyticsWorkspaceId": { + "value": "[parameters('asrLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file 
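Review bot: The assignment passes `asrLogAnalyticsWorkspaceId` but exposes no `*Diagnostics` effect parameter, so unlike the Apim, AppService, Automation and ContainerRegistry assignments the caller cannot switch the diagnostics effect to `Disabled` except via `enforcementMode: DoNotEnforce`, which turns off the whole initiative. If the `Compliant-Backup` initiative has an effect parameter for its diagnostics policy it should be surfaced here the same way as in the siblings; if it does not, a `metadata.description` on `asrLogAnalyticsWorkspaceId` should say that the effect is fixed and that the ID is required for remediation to succeed. The `asr` prefix also does not match the `Compliant-Backup` naming used everywhere else in this file.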
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
new file mode 100644
index 00000000..0c7c897f
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
@@ -0,0 +1,56 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compute": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Compute')]" + }, + "policyAssignmentNames": { + "compute": "Compliant-Compute", + "description": "This policy initiative is a group of policies that ensures Compute is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Compute for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').compute]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compute]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": {} + } + } + + ], + "outputs": {} +} 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
new file mode 100644
index 00000000..152639e1
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
@@ -0,0 +1,56 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "conApps": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerApps')]" + }, + "policyAssignmentNames": { + "con": "Compliant-ContainerApps", + "description": "This policy initiative is a group of policies that ensures Container Apps are compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Container Apps for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').con]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').conApps]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": {} + } + } + + ], + "outputs": {} +} 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json
new file mode 100644
index 00000000..3c6f29ee
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json
@@ -0,0 +1,56 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "conInstance": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerInstance')]" + }, + "policyAssignmentNames": { + "con": "Compliant-ConInstance", + "description": "This policy initiative is a group of policies that ensures Container Instance is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Container Instance for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').con]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').conInstance]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": {} + } + } + + ], + "outputs": {} +} 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
new file mode 100644
index 00000000..370053c9
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "containerRegistryDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "containerRegistryLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "conRegistry": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerRegistry')]" + }, + "policyAssignmentNames": { + "con": "Compliant-ConRegistry", + "description": "This policy initiative is a group of policies that ensures Container Registry is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Container Registry for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').con]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').conRegistry]", + "enforcementMode": 
"[parameters('enforcementMode')]", + "parameters": { + "containerRegistryDiagnostics": { + "value": "[parameters('containerRegistryDiagnostics')]" + }, + "containerRegistryLogAnalyticsWorkspaceId": { + "value": "[parameters('containerRegistryLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json new file mode 100644 index 00000000..a285b3c0 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json 
@@ -0,0 +1,520 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "storageTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileSyncPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageFileSyncPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "type": "string", + 
"defaultValue": "" + }, + "storageQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "appServiceAppsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "aaPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aaPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "asrPrivateDnsZone-Backup": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Blob": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Queue": { + "type": "string", + "defaultValue": "" + }, + "diskPrivateDns": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "diskPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosDbPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "" + }, + "containerRegistryPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "containerRegistryPrivateDnsZoneId": { + "type": 
"string", + "defaultValue": "" + }, + "adfPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridDomainPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridTopicPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventHubNamespacesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "mlSecondPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cognitiveServicesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cognitiveServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusDinePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "sqlPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "avdHostPoolPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdHostPoolPrivateDnsZoneId": { + 
"type": "string", + "defaultValue": "" + }, + "avdHostPoolPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "connection" + }, + "avdWorkspacePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "avdWorkspacePrivateEndpointGroupId": { + "type": "string", + "defaultValue": "feed" + }, + "userAssignedIdentityResourceId": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "policyDefinitions": { + "compliantCorpLz": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Corp-Lz')]" + }, + "policyAssignmentNames": { + "corpLz": "Compliant-Corp-Lz", + "description": "This policy initiative is a group of policies that ensures Corp Connected Landing Zones are compliant per Financial Services Industry requirements", + "displayName": "Enforce secure-by-default Corp Connected Landing Zones for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').corpLz]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantCorpLz]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "avdHostPoolPrivateDnsZone": { + "value": "[parameters('avdHostPoolPrivateDnsZone')]" + }, + "avdHostPoolPrivateDnsZoneId": { + "value": "[parameters('avdHostPoolPrivateDnsZoneId')]" + }, + "avdHostPoolPrivateEndpointGroupId": { + "value": 
"[parameters('avdHostPoolPrivateEndpointGroupId')]" + }, + "avdWorkspacePrivateDnsZone": { + "value": "[parameters('avdWorkspacePrivateDnsZone')]" + }, + "avdWorkspacePrivateDnsZoneId": { + "value": "[parameters('avdWorkspacePrivateDnsZoneId')]" + }, + "avdWorkspacePrivateEndpointGroupId": { + "value": "[parameters('avdWorkspacePrivateEndpointGroupId')]" + }, + "storageTablePrivateDnsZone": { + "value": "[parameters('storageTablePrivateDnsZone')]" + }, + "storageTablePrivateDnsZoneId": { + "value": "[parameters('storageTablePrivateDnsZoneId')]" + }, + "storageSecondaryTablePrivateDnsZone": { + "value": "[parameters('storageSecondaryTablePrivateDnsZone')]" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "value": "[parameters('storageSecondaryTablePrivateDnsZoneId')]" + }, + "storageFileSyncPrivateDnsZone": { + "value": "[parameters('storageFileSyncPrivateDnsZone')]" + }, + "storageFileSyncPrivateDnsZoneId": { + "value": "[parameters('storageFileSyncPrivateDnsZoneId')]" + }, + "storageFileDnsZone": { + "value": "[parameters('storageFileDnsZone')]" + }, + "storageFileDnsZoneId": { + "value": "[parameters('storageFileDnsZoneId')]" + }, + "storageBlobPrivateDnsZone": { + "value": "[parameters('storageBlobPrivateDnsZone')]" + }, + "storageBlobPrivateDnsZoneId": { + "value": "[parameters('storageBlobPrivateDnsZoneId')]" + }, + "storageSecondaryBlobPrivateDnsZone": { + "value": "[parameters('storageSecondaryBlobPrivateDnsZone')]" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryBlobPrivateDnsZoneId')]" + }, + "storageDfsPrivateDnsZone": { + "value": "[parameters('storageDfsPrivateDnsZone')]" + }, + "storageDfsPrivateDnsZoneId": { + "value": "[parameters('storageDfsPrivateDnsZoneId')]" + }, + "storageSecondaryDfsPrivateDnsZone": { + "value": "[parameters('storageSecondaryDfsPrivateDnsZone')]" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryDfsPrivateDnsZoneId')]" + }, + 
"storageQueuePrivateDnsZone": { + "value": "[parameters('storageQueuePrivateDnsZone')]" + }, + "storageQueuePrivateDnsZoneId": { + "value": "[parameters('storageQueuePrivateDnsZoneId')]" + }, + "storageSecondaryQueuePrivateDnsZone": { + "value": "[parameters('storageSecondaryQueuePrivateDnsZone')]" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "value": "[parameters('storageSecondaryQueuePrivateDnsZoneId')]" + }, + "storageWebPrivateDnsZone": { + "value": "[parameters('storageWebPrivateDnsZone')]" + }, + "storageWebPrivateDnsZoneId": { + "value": "[parameters('storageWebPrivateDnsZoneId')]" + }, + "storageSecondaryWebPrivateDnsZone": { + "value": "[parameters('storageSecondaryWebPrivateDnsZone')]" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryWebPrivateDnsZoneId')]" + }, + "aaPrivateDnsZoneId": { + "value": "[parameters('aaPrivateDnsZoneId')]" + }, + "aaPrivateDnsZone": { + "value": "[parameters('aaPrivateDnsZone')]" + }, + "appServiceAppsPrivateDnsZone": { + "value": "[parameters('appServiceAppsPrivateDnsZone')]" + }, + "appServiceAppsPrivateDnsZoneId": { + "value": "[parameters('appServiceAppsPrivateDnsZoneId')]" + }, + "asrPrivateDnsZone": { + "value": "[parameters('asrPrivateDnsZone')]" + }, + "asrPrivateDnsZone-Backup": { + "value": "[parameters('asrPrivateDnsZone-Backup')]" + }, + "asrPrivateDnsZone-Blob": { + "value": "[parameters('asrPrivateDnsZone-Blob')]" + }, + "asrPrivateDnsZone-Queue": { + "value": "[parameters('asrPrivateDnsZone-Queue')]" + }, + "diskPrivateDns": { + "value": "[parameters('diskPrivateDns')]" + }, + "diskPrivateDnsZoneId": { + "value": "[parameters('diskPrivateDnsZoneId')]" + }, + "containerRegistryPrivateDnsZone": { + "value": "[parameters('containerRegistryPrivateDnsZone')]" + }, + "containerRegistryPrivateDnsZoneId": { + "value": "[parameters('containerRegistryPrivateDnsZoneId')]" + }, + "cosmosDbPrivateDnsZone": { + "value": "[parameters('cosmosDbPrivateDnsZone')]" + }, + 
"cosmosDbPrivateDnsZoneId": { + "value": "[parameters('cosmosDbPrivateDnsZoneId')]" + }, + "cosmosDbPrivateEndpointGroupId": { + "value": "[parameters('cosmosDbPrivateEndpointGroupId')]" + }, + "adfPrivateDnsZone": { + "value": "[parameters('adfPrivateDnsZone')]" + }, + "adfPrivateDnsZoneId": { + "value": "[parameters('adfPrivateDnsZoneId')]" + }, + "eventGridDomainPrivateDnsZone": { + "value": "[parameters('eventGridDomainPrivateDnsZone')]" + }, + "eventGridDomainPrivateDnsZoneId": { + "value": "[parameters('eventGridDomainPrivateDnsZoneId')]" + }, + "eventGridTopicPrivateDnsZone": { + "value": "[parameters('eventGridTopicPrivateDnsZone')]" + }, + "eventGridTopicPrivateDnsZoneId": { + "value": "[parameters('eventGridTopicPrivateDnsZoneId')]" + }, + "eventHubNamespacesPrivateDnsZone": { + "value": "[parameters('eventHubNamespacesPrivateDnsZone')]" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "value": "[parameters('eventHubNamespacesPrivateDnsZoneId')]" + }, + "keyVaultPrivateDnsZoneId": { + "value": "[parameters('keyVaultPrivateDnsZoneId')]" + }, + "keyVaultPrivateDnsZone": { + "value": "[parameters('keyVaultPrivateDnsZone')]" + }, + "mlPrivateDnsZone": { + "value": "[parameters('mlPrivateDnsZone')]" + }, + "mlPrivateDnsZoneId": { + "value": "[parameters('mlPrivateDnsZoneId')]" + }, + "mlSecondPrivateDnsZoneId": { + "value": "[parameters('mlSecondPrivateDnsZoneId')]" + }, + "cognitiveServicesPrivateDnsZone": { + "value": "[parameters('cognitiveServicesPrivateDnsZone')]" + }, + "cognitiveServicesPrivateDnsZoneId": { + "value": "[parameters('cognitiveServicesPrivateDnsZoneId')]" + }, + "serviceBusDinePrivateDnsZone": { + "value": "[parameters('serviceBusDinePrivateDnsZone')]" + }, + "serviceBusPrivateDnsZoneId": { + "value": "[parameters('serviceBusPrivateDnsZoneId')]" + }, + "synapsePrivateDnsZone": { + "value": "[parameters('synapsePrivateDnsZone')]" + }, + "synapsePrivateDnsZoneId": { + "value": "[parameters('synapsePrivateDnsZoneId')]" + }, + 
"sqlPrivateDnsZone": { + "value": "[parameters('sqlPrivateDnsZone')]" + }, + "sqlPrivateDnsZoneId": { + "value": "[parameters('sqlPrivateDnsZoneId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json new file mode 100644 index 00000000..7dabafb0 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "cosmosDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "cosmosLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantCosmos": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-CosmosDb')]" + }, + "policyAssignmentNames": { + "cosmos": "Compliant-CosmosDb", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Cosmos DB for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').cosmos]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantCosmos]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + 
"cosmosDiagnostics": { + "value": "[parameters('cosmosDiagnostics')]" + }, + "cosmosLogAnalyticsWorkspaceId": { + "value": "[parameters('cosmosLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json new file mode 100644 index 00000000..0862ebf0 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "adeDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "adeLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAde": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Data-Explorer')]" + }, + "policyAssignmentNames": { + "ade": "Compliant-DEx", + "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Data Explorer for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').ade]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAde]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "adeDiagnostics": 
{ + "value": "[parameters('adeDiagnostics')]" + }, + "adeLogAnalyticsWorkspaceId": { + "value": "[parameters('adeLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json new file mode 100644 index 00000000..6dd90947 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "adfDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "adfLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAdf": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-DataFactory')]" + }, + "policyAssignmentNames": { + "adf": "Compliant-DataFactory", + "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Data Factory for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').adf]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAdf]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + 
"adfDiagnostics": { + "value": "[parameters('adfDiagnostics')]" + }, + "adfLogAnalyticsWorkspaceId": { + "value": "[parameters('adfLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json new file mode 100644 index 00000000..12581e69 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json 
@@ -0,0 +1,107 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "eventGridPartnerDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantEg": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Event-Grid')]" + }, + "policyAssignmentNames": { + "eg": "Compliant-Event-Grid", + "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Event Grid for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').eg]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + 
"userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantEg]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "eventGridPartnerDiagnostics": { + "value": "[parameters('eventGridPartnerDiagnostics')]" + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "value": "[parameters('eventGridPartnerLogAnalyticsWorkspaceId')]" + }, + "eventGridTopicDiagnostics": { + "value": "[parameters('eventGridTopicDiagnostics')]" + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "value": "[parameters('eventGridTopicLogAnalyticsWorkspaceId')]" + }, + "eventGridDomainDiagnostics": { + "value": "[parameters('eventGridDomainDiagnostics')]" + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "value": "[parameters('eventGridDomainLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json new file mode 100644 index 00000000..13cbd8d4 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "eventHubDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventHubLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantEh": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Event-Hub')]" + }, + "policyAssignmentNames": { + "eh": "Compliant-Event-Hub", + "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Event Hub for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').eh]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantEh]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + 
"eventHubDiagnostics": { + "value": "[parameters('eventHubDiagnostics')]" + }, + "eventHubLogAnalyticsWorkspaceId": { + "value": "[parameters('eventHubLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json new file mode 100644 index 00000000..edd6fe08 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json 
@@ -0,0 +1,93 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "keyVaultLogAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "description": "Provide the Log Analytics Workspace ID for Key Vault" + } + }, + "keyVaultDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "hsmDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "hsmLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantKeyVault": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Key-Vault')]" + }, + "policyAssignmentNames": { + "keyVault": "Compliant-Key-Vault", + "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Key Vault for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').keyVault]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantKeyVault]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "keyVaultLogAnalyticsWorkspaceId": { + "value": "[parameters('keyVaultLogAnalyticsWorkspaceId')]" + }, + "keyVaultDiagnostics": { + "value": "[parameters('keyVaultDiagnostics')]" + }, + "hsmDiagnostics": { + "value": "[parameters('hsmDiagnostics')]" + }, + "hsmLogAnalyticsWorkspaceId": { + "value": "[parameters('hsmLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json new file mode 100644 index 00000000..80545e82 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json 
@@ -0,0 +1,91 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "aksDefender": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "type": "string", + "defaultValue": "" + }, + "aksDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAks": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Kubernetes')]" + }, + "policyAssignmentNames": { + "aks": "Compliant-Kubernetes", + "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Kubernetes for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').aks]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": 
"[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAks]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "aksDefender": { + "value": "[parameters('aksDefender')]" + }, + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "value": "[parameters('aksDefenderLogAnalyticsWorkspaceResourceId')]" + }, + "aksDiagnostics": { + "value": "[parameters('aksDiagnostics')]" + }, + "aksLogAnalyticsWorkspaceId": { + "value": "[parameters('aksLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json new file mode 100644 index 00000000..ed3e0c31 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json 
@@ -0,0 +1,73 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "mlDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "mlLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantMl": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Machine-Learning')]" + }, + "policyAssignmentNames": { + "ml": "Compliant-ML", + "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Machine Learning for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').ml]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantMl]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "mlDiagnostics": { + "value": 
"[parameters('mlDiagnostics')]" + }, + "mlLogAnalyticsWorkspaceId": { + "value": "[parameters('mlLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json new file mode 100644 index 00000000..3c4c196d --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json 
@@ -0,0 +1,264 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "vnetModifyDdos": { + "type": "string", + "defaultValue": "Modify" + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "nsgDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "nsgLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "lbDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "fdDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "fdDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "tmDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "vnetDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "erDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "bastionDiagnostics": { + 
"type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "bastionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "fdCdnDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "fdCdnLogAnalyticsWorkpaceId": { + "type": "string", + "defaultValue": "" + }, + "pipDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "pipLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "gwDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "gwLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "p2sDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "p2sLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantNw": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Network')]" + }, + "policyAssignmentNames": { + "nw": "Compliant-Network", + "description": "This policy initiative is a group of policies that ensures Network and Networking Services are compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Network and Networking Services for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').nw]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + 
"[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantNw]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "vnetModifyDdos": { + "value": "[parameters('vnetModifyDdos')]" + }, + "ddosPlanResourceId": { + "value": "[parameters('ddosPlanResourceId')]" + }, + "nsgDiagnostics": { + "value": "[parameters('nsgDiagnostics')]" + }, + "nsgLogAnalyticsWorkspaceId": { + "value": "[parameters('nsgLogAnalyticsWorkspaceId')]" + }, + "lbDiagnostics": { + "value": "[parameters('lbDiagnostics')]" + }, + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('lbDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "fdDiagnostics": { + "value": "[parameters('fdDiagnostics')]" + }, + "fdDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('fdDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "tmDiagnostics": { + "value": "[parameters('tmDiagnostics')]" + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('tmDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "vnetDiagnostics": { + "value": "[parameters('vnetDiagnostics')]" + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('vnetDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "erDiagnostics": { + "value": "[parameters('erDiagnostics')]" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('erDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "bastionDiagnostics": { + "value": "[parameters('bastionDiagnostics')]" + }, + "bastionLogAnalyticsWorkspaceId": { + "value": "[parameters('bastionLogAnalyticsWorkspaceId')]" + }, + "fdCdnDiagnostics": { + "value": "[parameters('fdCdnDiagnostics')]" + }, + "fdCdnLogAnalyticsWorkpaceId": { + "value": "[parameters('fdCdnLogAnalyticsWorkpaceId')]" + }, + "pipDiagnostics": { + "value": 
"[parameters('pipDiagnostics')]" + }, + "pipLogAnalyticsWorkspaceId": { + "value": "[parameters('pipLogAnalyticsWorkspaceId')]" + }, + "gwDiagnostics": { + "value": "[parameters('gwDiagnostics')]" + }, + "gwLogAnalyticsWorkspaceId": { + "value": "[parameters('gwLogAnalyticsWorkspaceId')]" + }, + "p2sDiagnostics": { + "value": "[parameters('p2sDiagnostics')]" + }, + "p2sLogAnalyticsWorkspaceId": { + "value": "[parameters('p2sLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json new file mode 100644 index 00000000..bf3b460c --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json 
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "compliantOpenAi": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-OpenAi')]"
+ },
+ "policyAssignmentNames": {
+ "openAI": "Compliant-OpenAi",
+ "description": "This policy initiative is a group of policies that ensures Open Ai (Cognitive Service) is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Open Ai (Cognitive Service) for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').openAi]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compliantOpenAi]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {}
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
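Review bot: `"name": "[variables('policyAssignmentNames').openAi]"` reads a property that the variables block spells `openAI`; as far as I know ARM resolves object properties case-insensitively so this deploys, but the mismatch is fragile and will not survive a port to Bicep or a linter that checks property names, so rename the key to `"openAi": "Compliant-OpenAi"` to match the reference and the sibling files. In this file and in every new `Compliant-*` assignment (L49–L61), `userAssignedIdentityResourceId` is a mandatory string with no `metadata.description` and no `minLength`, so an operator has no hint which identity is expected or that the initiative's DeployIfNotExists/Modify effects presumably depend on roles that identity already holds. Add `"minLength": 1` and `"metadata": { "description": "Resource ID of the user-assigned managed identity this assignment runs as; it must already hold the roles the initiative's remediation effects require at this scope." }`.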
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json new file mode 100644 index 00000000..a44edc29 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "postgreDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "postgreLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantPostgre": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-PostgreSQL')]" + }, + "policyAssignmentNames": { + "postgre": "Compliant-PostgreSQL", + "description": "This policy initiative is a group of policies that ensures Postgre SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Postgre SQL for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').postgre]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantPostgre]", + "enforcementMode": "[parameters('enforcementMode')]", + 
"parameters": { + "postgreDiagnostics": { + "value": "[parameters('postgreDiagnostics')]" + }, + "postgreLogAnalyticsWorkspaceId": { + "value": "[parameters('postgreLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json new file mode 100644 index 00000000..b8ec96d7 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json 
@@ -0,0 +1,121 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "sqlServerDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlManagedDefender": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbServerDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlDbAllDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantSql": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Sql')]" + }, + "policyAssignmentNames": { + "sql": "Compliant-Sql", + "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default SQL for Financial Services Industry" + } + }, + "resources": [ + { + "type": 
"Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').sql]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSql]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "sqlServerDiagnostics": { + "value": "[parameters('sqlServerDiagnostics')]" + }, + "sqlServerLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlServerLogAnalyticsWorkspaceId')]" + }, + "sqlManagedDefender": { + "value": "[parameters('sqlManagedDefender')]" + }, + "sqlDbServerDiagnostics": { + "value": "[parameters('sqlDbServerDiagnostics')]" + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlDbServerLogAnalyticsWorkspaceId')]" + }, + "sqlDbAllDiagnostics": { + "value": "[parameters('sqlDbAllDiagnostics')]" + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlDbAllLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json new file mode 100644 index 00000000..b2610d00 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "ServiceBusLogAnalyticsEffect": { + "type": "String", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "ServiceBusLogAnalyticsWorkspaceId": { + "type": "String", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantSb": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Service-Bus')]" + }, + "policyAssignmentNames": { + "sb": "Compliant-Service-Bus", + "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Service Bus for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').sb]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSb]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + 
"ServiceBusLogAnalyticsEffect": { + "value": "[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "ServiceBusLogAnalyticsWorkspaceId": { + "value": "[parameters('ServiceBusLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json new file mode 100644 index 00000000..9588dca3 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json 
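Review bot: `ServiceBusLogAnalyticsEffect` and `ServiceBusLogAnalyticsWorkspaceId` are PascalCase with `"type": "String"`, while every sibling assignment in this commit uses camelCase names and lowercase `"string"`. ARM treats parameter names and type names case-insensitively so the template deploys, but the keys under the assignment's `parameters` block are matched against the `Compliant-Service-Bus` initiative's declared parameter names, so confirm they are spelled there as here rather than relying on case-insensitive matching. For consistency, normalise to `"serviceBusLogAnalyticsEffect"` / `"serviceBusLogAnalyticsWorkspaceId"` and `"type": "string"` in both the `parameters` declaration and the assignment `parameters` block.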
@@ -0,0 +1,138 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "storageFileSyncDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageFileSyncLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageTableDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageTableLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageAccountsDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageAccountsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageQueueDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageQueueLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageBlobLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantStorage": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Storage')]" + }, + "policyAssignmentNames": { + "storage": "Compliant-Storage", + 
"description": "This policy initiative is a group of policies that ensures Storage is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Storage for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').storage]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantStorage]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "storageFileSyncDiagnostics": { + "value": "[parameters('storageFileSyncDiagnostics')]" + }, + "storageFileSyncLogAnalyticsWorkspaceId": { + "value": "[parameters('storageFileSyncLogAnalyticsWorkspaceId')]" + }, + "storageTableDiagnostics": { + "value": "[parameters('storageTableDiagnostics')]" + }, + "storageTableLogAnalyticsWorkspaceId": { + "value": "[parameters('storageTableLogAnalyticsWorkspaceId')]" + }, + "storageAccountsDiagnostics": { + "value": "[parameters('storageAccountsDiagnostics')]" + }, + "storageAccountsLogAnalyticsWorkspaceId": { + "value": "[parameters('storageAccountsLogAnalyticsWorkspaceId')]" + }, + "storageQueueDiagnostics": { + "value": "[parameters('storageQueueDiagnostics')]" + }, + "storageQueueLogAnalyticsWorkspaceId": { + "value": "[parameters('storageQueueLogAnalyticsWorkspaceId')]" + }, + "storageBlobDiagnostics": { + "value": "[parameters('storageBlobDiagnostics')]" + }, + "storageBlobLogAnalyticsWorkspaceId": { + "value": "[parameters('storageBlobLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file 
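Review bot: `storageAccountsDiagnostics` and `storageBlobDiagnostics` default to `DeployIfNotExists` while their companion `storageAccountsLogAnalyticsWorkspaceId` / `storageBlobLogAnalyticsWorkspaceId` default to `""`, so a deployment that accepts the defaults assigns a remediation effect with an empty workspace target; unless the `Compliant-Storage` initiative guards against an empty ID, that surfaces as failed remediation at evaluation time rather than as a template validation error. Either remove the empty default so the workspace ID must be supplied whenever the effect is enabled, or add `"minLength": 1` plus a `metadata.description` stating it is required when the matching effect is `DeployIfNotExists`. Those two effect parameters also lack the `"allowedValues": [ "Disabled", "DeployIfNotExists" ]` that the other diagnostics parameters in this file declare, so a misspelled effect passes validation. The same pattern appears in Compliant-Synapse (L58–L59, `synapseDefender` and `synapseDiagnostics`) and Compliant-VirtualDesktop (L60–L61, all `avd*Diagnostics` plus the `Deny`/`Modify` effect parameters), none of which constrain their values.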
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json new file mode 100644 index 00000000..0bcbfb6f --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "synapseDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapseDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapseLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantSynapse": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Synapse')]" + }, + "policyAssignmentNames": { + "synapse": "Compliant-Synapse", + "description": "This policy initiative is a group of policies that ensures Synapse is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Synapse for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').synapse]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSynapse]", + "enforcementMode": 
"[parameters('enforcementMode')]", + "parameters": { + "synapseDefender": { + "value": "[parameters('synapseDefender')]" + }, + "synapseDiagnostics": { + "value": "[parameters('synapseDiagnostics')]" + }, + "synapseLogAnalyticsWorkspaceId": { + "value": "[parameters('synapseLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json new file mode 100644 index 00000000..c8c1480b --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json 
@@ -0,0 +1,126 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "avdHostPoolPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "avdHostPoolModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "avdWorkspacePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "avdWorkspaceModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "avdAppGroupDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdAppGroupLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "avdHostPoolDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdHostPoolLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "avdWorkspaceDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdWorkspaceLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAvd": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-AVD')]" + }, + "policyAssignmentNames": { + "avd": "Compliant-AVD", + "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Virtual Desktop for 
Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').avd]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAvd]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "avdHostPoolPublicNetworkAccess": { + "value": "[parameters('avdHostPoolPublicNetworkAccess')]" + }, + "avdHostPoolModifyPublicNetworkAccess": { + "value": "[parameters('avdHostPoolModifyPublicNetworkAccess')]" + }, + "avdWorkspacePublicNetworkAccess": { + "value": "[parameters('avdWorkspacePublicNetworkAccess')]" + }, + "avdWorkspaceModifyPublicNetworkAccess": { + "value": "[parameters('avdWorkspaceModifyPublicNetworkAccess')]" + }, + "avdAppGroupDiagnostics": { + "value": "[parameters('avdAppGroupDiagnostics')]" + }, + "avdAppGroupLogAnalyticsWorkspaceId": { + "value": "[parameters('avdAppGroupLogAnalyticsWorkspaceId')]" + }, + "avdHostPoolDiagnostics": { + "value": "[parameters('avdHostPoolDiagnostics')]" + }, + "avdHostPoolLogAnalyticsWorkspaceId": { + "value": "[parameters('avdHostPoolLogAnalyticsWorkspaceId')]" + }, + "avdWorkspaceDiagnostics": { + "value": "[parameters('avdWorkspaceDiagnostics')]" + }, + "avdWorkspaceLogAnalyticsWorkspaceId": { + "value": "[parameters('avdWorkspaceLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json
new file mode 100644
index 00000000..fe66d68c
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "listOfAllowedLocations": {
+ "type": "array",
+ "defaultValue": []
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "azureRegions": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Location')]"
+ },
+ "policyAssignmentNames": {
+ "regions": "Deny-Azure-Regions",
+ "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
+ "displayName": "Azure Regions for Azure services that are allowed per FSI compliance"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').regions]",
+ "location": "[deployment().location]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').azureRegions]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('listOfAllowedLocations')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
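Review bot: `listOfAllowedLocations` defaults to `[]` and the assignment ships with `enforcementMode` `Default`; if the custom `Deny-Location` definition denies any location not in the list (the usual shape for this policy), accepting the default blocks every non-global deployment under the management group, and nothing in the template makes that visible before it happens. Remove the `defaultValue` so callers must supply the list explicitly, or add `"minLength": 1` to the array parameter so an empty list fails at validation rather than as a scope-wide deny. The same empty default appears in DENY-RgRegions (L64) against the built-in `e765b5de-1225-4ba3-bd56-1ac6695af988` definition. There is also a stray empty `+` line before the closing `],` of `resources` in both files.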
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
new file mode 100644
index 00000000..aff027aa
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "listOfAllowedLocations": {
+ "type": "array",
+ "defaultValue": []
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "azureRegions": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988"
+ },
+ "policyAssignmentNames": {
+ "regions": "Deny-Azure-Rg-Regions",
+ "description": "This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements.",
+ "displayName": "Azure Regions for Resource Groups that are allowed per FSI compliance"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').regions]",
+ "location": "[deployment().location]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').azureRegions]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('listOfAllowedLocations')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json index 5ca8a3aa..fdf65084 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json @@ -60,6 +60,30 @@ ], "defaultValue": "Disabled" }, + "enableAscForCSPM": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "enableAscForCosmosDb": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "enableAscForSynapse": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, "enableAscForKeyVault": { "type": "string", "allowedValues": [ @@ -107,6 +131,9 @@ "DeployIfNotExists" ], "defaultValue": "Disabled" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { 
@@ -117,20 +144,19 @@ "azureSecurity": "Deploy-ASCDF-Config", "description": "Deploy Microsoft Defender for Cloud and Security Contacts", "displayName": "Deploy Microsoft Defender for Cloud configuration" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployAzureSecurity": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurity))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').azureSecurity]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", @@ -159,6 +185,15 @@ "enableAscForAppServices": { "value": "[parameters('enableAscForAppServices')]" }, + "enableAscForCosmosDb": { + "value": "[parameters('enableAscForCosmosDb')]" + }, + "enableAscForSynapse": { + "value": "[parameters('enableAscForSynapse')]" + }, + "enableAscForCSPM": { + "value": "[parameters('enableAscForCSPM')]" + }, "enableAscForStorage": { "value": "[parameters('enableAscForStorage')]" }, @@ -182,19 +217,6 @@ } } } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployAzureSecurity]", - "dependsOn": [ - "[variables('policyAssignmentNames').azureSecurity]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], 
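Review bot: with the `Microsoft.Authorization/roleAssignments` resource removed, nothing in this template grants the identity at `userAssignedIdentityResourceId` any role, so the `DeployIfNotExists` effects the `Deploy-ASCDF-Config` assignment carries will only remediate if that identity was already granted the roles the initiative declares, at or above this management group, and the template cannot validate that precondition. Record it on the parameter so operators do not discover it as silent non-remediation: `"metadata": { "description": "User-assigned identity pre-provisioned with the roles this initiative's DeployIfNotExists effects require at this scope" }`. Replacing the per-assignment Owner grant to a system-assigned identity with a shared, pre-provisioned identity is the right direction; the follow-up is that whatever role that shared identity receives is scoped to what the initiatives actually need rather than Owner at the intermediate root. The same applies to DINE-ActivityLog (L67–L68) and DINE-DefenderForVms (L68–L69), which make the identical switch.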
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json index 1c901070..a4d2dc74 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json @@ -21,6 +21,9 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { @@ -31,20 +34,19 @@ "azureActivityLog": "Deploy-AzActivity-Log", "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events", "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployAzureActivityLog": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').azureActivityLog))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').azureActivityLog]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", 
@@ -60,19 +62,6 @@ } } } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployAzureActivityLog]", - "dependsOn": [ - "[variables('policyAssignmentNames').azureActivityLog]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], "outputs": {} diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json index e5d81bd0..4559b892 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json @@ -2,13 +2,6 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Afo." - } - }, "enforcementMode": { "type": "string", "allowedValues": [ @@ -16,6 +9,9 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { 
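Review bot: deleting `topLevelManagementGroupPrefix` from `parameters` in DINE-DefenderForVms is a breaking change for any pipeline or parameter file that still passes it, because ARM rejects a deployment that supplies a parameter the template does not declare; the same deletion is made in DINE-LogAnalytics (L70). Assuming the parameter is no longer referenced anywhere else in these files (the only visible references were in the removed `roleAssignmentNames` variables), either update every caller in this commit or keep the parameter declared with `"defaultValue": ""` and a `metadata.description` marking it as deprecated and unused. The rest of each template's `variables` block continues outside these hunks.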
@@ -26,20 +22,19 @@
 "defenderEndpoint": "Deploy-Defender",
 "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
 "displayName": "Deploy Microsoft Defender for Endpoint agent"
- },
- "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
- "roleAssignmentNames": {
- "deployDefenderEndpoint": "[guid(concat(parameters('topLevelManagementGroupPrefix'), '-def', variables('policyAssignmentNames').defenderEndpoint))]"
 }
 },
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').defenderEndpoint]",
 "location": "[deployment().location]",
 "identity": {
- "type": "SystemAssigned"
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
 },
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
@@ -48,19 +43,6 @@
 "enforcementMode": "[parameters('enforcementMode')]",
 "parameters": {}
 }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').deployDefenderEndpoint]",
- "dependsOn": [
- "[variables('policyAssignmentNames').defenderEndpoint]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').defenderEndpoint), '2019-09-01', 'Full' ).identity.principalId)]"
- }
 }
 ],
 "outputs": {}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json
index cccfafd1..24bfaedb 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json
@@ -2,12 +2,6 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "topLevelManagementGroupPrefix": {
- "type": "string",
- "metadata": {
- "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
- }
- },
 "enforcementMode": {
 "type": "string",
 "allowedValues": [
@@ -32,7 +26,8 @@
 "type": "string",
 "metadata": {
 "description": "Provide the name for the Automation Account"
- }
+ },
+ "defaultValue": ""
 },
 "workspaceRegion": {
 "type": "string",
@@ -44,13 +39,17 @@
 "type": "string",
 "metadata": {
 "description": "Select the region for the Automation Account"
- }
+ },
+ "defaultValue": ""
 },
 "rgName": {
 "type": "string",
 "metadata": {
 "description": "Provide a name for the Resource Group to host Log Analytics and Azure Automation"
 }
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
 }
 },
 "variables": {
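Review bot: The second and third hunks add `"defaultValue": ""` to the Automation Account name and region parameters (their keys sit just above each hunk), turning formerly required inputs into optional empty strings. If those values are forwarded into the assignment's `parameters` block, which is outside these hunks, an empty name or region is no longer caught at deployment validation and will surface only when the DeployIfNotExists remediation tries to create the account. If empty is meant to be a supported "no automation account" value, say so in the metadata, e.g. `"description": "Provide the name for the Automation Account (leave empty if no automation account should be linked)"`; otherwise drop the defaults. The `parameters` object continues on both sides of the hunks.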
@@ -61,20 +60,19 @@
 "logAnalytics": "Deploy-Log-Analytics",
 "description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking.",
 "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring"
- },
- "rbac": "b24988ac-6180-42a0-ab88-20f7382dd24c",
- "roleAssignmentNames": {
- "deployLogAnalytics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').logAnalytics))]"
 }
 },
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').loganalytics]",
 "location": "[deployment().location]",
 "identity": {
- "type": "SystemAssigned"
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
 },
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
@@ -102,19 +100,6 @@
 }
 }
 }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').deployLogAnalytics]",
- "dependsOn": [
- "[variables('policyAssignmentNames').loganalytics]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').loganalytics), '2019-09-01', 'Full' ).identity.principalId)]"
- }
 }
 ],
 "outputs": {}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json
index 2bcd30c9..dc0f8b79 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json
@@ -38,6 +38,9 @@
 "networkWatcherRg": {
 "type": "string",
 "defaultValue": "NetworkWatcherRg"
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
 }
 },
 "variables": {
@@ -48,20 +51,19 @@
 "deployNsgFlowLogs": "Dine-Nsg-FlowLogs",
 "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period for a single Azure region. To use across additional regions, assign the policy per region.",
 "displayName": "Enforce NSG Flows are enabled to Storage and Log Analytics workspace"
- },
- "roleDefinition": "b24988ac-6180-42a0-ab88-20f7382dd24c",
- "roleAssignmentNames": {
- "deployNsgFlowLogs": "[guid(concat(parameters('toplevelManagementGroupPrefix'), deployment().name, variables('policyAssignmentNames').deployNsgFlowLogs))]"
 }
 },
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').deployNsgFlowLogs]",
 "location": "[deployment().location]",
 "identity": {
- "type": "SystemAssigned"
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
 },
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
@@ -92,25 +94,7 @@
 }
 }
 }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').deployNsgFlowLogs]",
- "dependsOn": [
- "[variables('policyAssignmentNames').deployNsgFlowLogs]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('roleDefinition'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployNsgFlowLogs), '2019-09-01', 'Full' ).identity.principalId)]"
- }
 }
 ],
- "outputs": {
- "principalId": {
- "type": "string",
- "value": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployNsgFlowLogs), '2019-09-01', 'Full').identity.principalId]"
- }
- }
+ "outputs": {}
 }
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json
index f0e63923..b59a4a4e 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json
@@ -21,6 +21,9 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
 }
 },
 "variables": {
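Review bot: The third hunk of DINE-NSGFlowLogsPolicyAssignment.json removes the `principalId` output, not just the role assignment, which changes this template's interface: any orchestrating template that reads `reference(...).outputs.principalId` from this deployment (none is visible here, so this is inferred) will now fail on a missing output. With a user-assigned identity the principal is known up front, so if callers still need it the output can be kept as `"value": "[reference(parameters('userAssignedIdentityResourceId'), '<managed-identity api-version>').principalId]"` instead of reading it back from the assignment. The file also still ends without a trailing newline (`\ No newline at end of file`); worth adding one while the closing lines are being touched.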
@@ -31,20 +34,19 @@
 "resourceDiagnostics": "Deploy-Resource-Diag",
 "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included",
 "displayName": "Deploy Diagnostic Settings to Azure Services"
- },
- "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
- "roleAssignmentNames": {
- "deployResourceRiagnostics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').resourceDiagnostics))]"
 }
 },
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').resourceDiagnostics]",
 "location": "[deployment().location]",
 "identity": {
- "type": "SystemAssigned"
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
 },
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
@@ -57,19 +59,6 @@
 }
 }
 }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').deployResourceRiagnostics]",
- "dependsOn": [
- "[variables('policyAssignmentNames').resourceDiagnostics]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
- "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2019-09-01', 'Full' ).identity.principalId)]"
- }
 }
 ],
 "outputs": {}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
index 8310a108..26f667fa 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
@@ -187,9 +187,39 @@
 "apimSecrets": {
 "type": "string",
 "defaultValue": "Deny"
+ },
+ "apimDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "apimLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "apimLogsCategory": {
+ "type": "string",
+ "defaultValue": "allLogs"
+ }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/567c93f7-3661-494f-a30f-0a94d9bfebf8",
+ "policyDefinitionReferenceId": "Dine-Apim-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('apimLogAnalyticsWorkspaceId')]"
+ },
+ "categoryGroup": {
+ "value": "[[parameters('apimLogsCategory')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249",
 "policyDefinitionReferenceId": "Deny-Apim-without-Kv",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
index 9f785124..baf93543 100644
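Review bot: `apimLogAnalyticsWorkspaceId` defaults to `""` while `apimDiagnostics` defaults to `DeployIfNotExists`, so an assignment that accepts the initiative's defaults remediates with an empty `logAnalytics` value and the diagnostic-settings deployment fails at remediation time instead of being rejected when the initiative is assigned. Either drop the `defaultValue` so the workspace id must be supplied, or default `apimDiagnostics` to a non-deploying effect that the referenced built-in accepts. The `parameters` and `policyDefinitions` objects continue outside the hunk.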
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
@@ -1,16 +1,543 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "Dublin" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "API App should only be accessible over HTTPS", + "policyType": "Custom", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "mode": "Indexed", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "*api" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-ApiApp-Https" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "App Service" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[[field('kind')]", + "contains": "functionapp" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + 
}, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FunctionAppLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": 
"[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-FunctionApp-Diagnostics" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service Web App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "App Service Web App" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + 
}, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[[field('kind')]", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + }, + "serverFarmId": { + "type": "String" + } + }, + "variables": { + "logs": { + "premiumTierLogs": [ + { + "category": "AppServiceAntivirusScanAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceFileAuditLogs", + "enabled": 
"[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ], + "otherTierLogs": [ + { + "category": "AppServiceHTTPLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": "[[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]" + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": 
"[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + }, + "serverFarmId": { + "value": "[[field('Microsoft.Web/sites/serverFarmId')]" + } + } + } + } + } + } + } + }, + "name": "Dine-AppService-Diagnostics" + } + ] + } + }, "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, { "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", - "name": "Compliant-App-Services", + "name": "Compliant-App-Service", + "dependsOn": [ + "policyDefinitionCopy" + ], "properties": { "metadata": { - "version": "1.0.0", - "category": "App Service" + "version": "1.0.0", + "category": "App Service" }, "displayName": "Enforce secure-by-default App Service for Financial Services Industry", "description": "This policy initiative is a group of policies that ensures App Service is compliant per FSI Landing Zones", 
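Review bot: `topLevelManagementGroupPrefix` is given `"defaultValue": "Dublin"`, an environment-specific value in a reference implementation: the `scope` variable built from it is what every custom `policyDefinitionId` in the set uses to reference the definitions, while the `policyDefinitions` copy resource has no `scope` property and is created wherever the template is deployed, so a deployer who omits the parameter gets references under `managementGroups/Dublin` that do not match where the definitions were created. Drop the default (the other templates in this commit declare the prefix without one) or derive the scope from the deployment target, e.g. `"scope": "[managementGroup().id]"`. Renaming the set from `Compliant-App-Services` to `Compliant-App-Service` leaves the previously deployed set definition and any assignment of it in place, so the rename needs a matching change wherever the old name is assigned. The `Deploy-FunctionApp-Diagnostics` existence condition compares `logs.enabled` and `metrics.enabled` with the literal `"true"` while `Dine-AppService-Diagnostics` compares them with `[[parameters('logsEnabled')]` and `[[parameters('metricsEnabled')]`; with `logsEnabled` set to `False` the first condition can never be satisfied and remediation reruns on every evaluation, so the parameterised form should be used in both. The policy set definition resource continues past the hunk.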
@@ -32,6 +559,18 @@
 "category": "Identity Management",
 "displayName": "Ensure usage of centralized identity and auhtorization system for App Service",
 "description": "Policy to ensure App Service is not using local authorization"
+ },
+ {
+ "name": "Logging",
+ "category": "Logging and Threat Detection",
+ "displayName": "Ensure App Service is logging all events to Log Analytics",
+ "description": "Policy to ensure App Service is logging all events to Log Analytics workspace"
+ },
+ {
+ "name": "Posture",
+ "category": "Posture and Vulnerability Management",
+ "displayName": "",
+ "description": ""
 }
 ],
 "parameters": {
@@ -47,6 +586,10 @@
 "type": "string",
 "defaultValue": "Deny"
 },
+ "functionAppsDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
 "appServiceDisablePublicNetworkAccess": {
 "type": "string",
 "defaultValue": "Deny"
@@ -67,6 +610,14 @@
 "type": "string",
 "defaultValue": "Deny"
 },
+ "appServiceAppsModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "appServiceAppModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
 "appServiceSkuPl": {
 "type": "string",
 "defaultValue": "Deny"
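Review bot: The new `Posture` policy definition group has `"displayName": ""` and `"description": ""`, so the group that `Deny-AppService-Latest-Version` is filed under in the following hunk is shown blank in compliance views. Fill both in the way the `Logging` group just above does, e.g. `"displayName": "Ensure App Service components are kept at supported versions"` and `"description": "Policy to ensure App Service environments and apps run supported, up-to-date versions"`, adjusted to whatever the group is meant to cover. The context line `Ensure usage of centralized identity and auhtorization system for App Service` carries a pre-existing typo (`auhtorization`) that is worth fixing while this array is being edited. The groups array starts above the hunk.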
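Review bot: `appServiceAppsModifyPublicNetworkAccess` and `appServiceAppModifyPublicNetworkAccess` in the third hunk differ by one letter, and a reader cannot tell which built-in each drives without following the references in the next hunk (`2374605e-…` and `c6c3e00e-…`). Give each a `metadata.description` naming the resource its Modify effect targets, or rename them after that target (apps vs. slots, if that is what the two built-ins distinguish) so the intent is visible at the parameter itself. The `parameters` object continues on both sides of the hunk.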
@@ -98,9 +649,306 @@ "functionAppPublicNetworkAccess": { "type": "string", "defaultValue": "Deny" + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceRfc": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppsRfc": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppsVnetRouting": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceEnvLatestVersion": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppSlotsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "functionAppSlotsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "functionAppSlotsModifyHttps": { + "type": "string", + "defaultValue": "Modify" + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "apiAppHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "functionDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "functionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "appServiceDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]", + "policyDefinitionReferenceId": "Dine-AppService-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('appServiceDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('appServiceLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Dine-Function-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('functionLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Api-Apps-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('apiAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", + "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee", + "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a", + "policyDefinitionReferenceId": "Deny-AppService-Latest-Version", + "groupNames": [ + "Posture" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceEnvLatestVersion')]" + } + } + }, 
+ { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5", + "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsVnetRouting')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", + "policyDefinitionReferenceId": "Deny-AppService-Rfc", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", + "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", 
"policyDefinitionReferenceId": "Deny-FuncApp-Public", @@ -112,7 +960,7 @@ "value": "[[parameters('functionAppPublicNetworkAccess')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", @@ -124,7 +972,7 @@ "value": "[[parameters('functionAppDebugging')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", "policyDefinitionReferenceId": "Deny-AppSlots-Public", @@ -148,7 +996,7 @@ "value": "[[parameters('functionAppHttps')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", @@ -160,7 +1008,7 @@ "value": "[[parameters('appServiceScmAuth')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", @@ -172,7 +1020,7 @@ "value": "[[parameters('functionAppSlotsHttps')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", "policyDefinitionReferenceId": "Deny-AppServ-Routing", @@ -184,7 +1032,7 @@ "value": "[[parameters('appServiceRouting')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", @@ -208,7 +1056,7 @@ "value": "[[parameters('appServiceSkuPl')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", "policyDefinitionReferenceId": "Deny-AppEnv-Public", 
@@ -220,7 +1068,7 @@ "value": "[[parameters('appEnvDisablePublicNetworkAccess')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", @@ -232,7 +1080,7 @@ "value": "[[parameters('appServiceDisableLocalAuth')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", "policyDefinitionReferenceId": "DINE-AppService-Debugging", @@ -244,12 +1092,13 @@ "value": "[[parameters('functionAppDebugging')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", "groupNames": [ - "Encryption" + "Encryption", + "Network" ], "parameters": { "effect": { @@ -281,6 +1130,18 @@ } } }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "policyDefinitionReferenceId": "Deny-FunctionApps-Public", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppsDisablePublicNetworkAccess')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", "policyDefinitionReferenceId": "Deny-AppService-Public", @@ -295,16 +1156,17 @@ }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", - "policyDefinitionReferenceId": "Deny-FunctionAppTls", + "policyDefinitionReferenceId": "Deny-FunctionApp-Tls", "groupNames": [ - "Encryption" + "Encryption", + "Network" ], "parameters": { "effect": { "value": "[[parameters('functionAppTls')]" } } - } + } ] } } 
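Review bot: In the `@@ -244,12 +1092,13 @@` hunk the `DINE-AppService-Debugging` reference (25a5046c-…) binds its effect to `[[parameters('functionAppDebugging')]`, the same initiative parameter that `DINE-FuncApp-Debugging` uses in the `@@ -112` hunk above, so an assignment that relaxes remote debugging for Function Apps silently relaxes it for App Service apps as well. The initiative's `parameters` block is outside these hunks, so I cannot tell whether an app-service-specific knob already exists; if it does, this line should read `"value": "[[parameters('appServiceDebugging')]"` (or whatever it is named), and if not, one should be declared next to the other `appService*` parameters. This is a context line rather than one the commit edits, but the commit already touches this reference's `groupNames`, so it is the natural place to fix it.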
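Review bot: The new `Deny-FunctionApps-Public` reference in the `@@ -281,6 +1130,18 @@` hunk reads `[[parameters('functionAppsDisablePublicNetworkAccess')]`, but the initiative's `parameters` block is outside this hunk and the only comparable knob visible in this file is `functionAppPublicNetworkAccess` (used by `Deny-FuncApp-Public`); if the new name is not declared, the `policySetDefinitions` deployment fails validation rather than at assignment time. Please confirm the declaration exists, and consider naming it in the same style as its sibling, since two differently-styled parameters for "deny public network access on Function Apps" will confuse whoever writes the assignment and makes it easy to override one and not the other.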
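Review bot: Renaming the `policyDefinitionReferenceId` from `Deny-FunctionAppTls` to `Deny-FunctionApp-Tls` in the `@@ -295,16 +1156,17 @@` hunk is not cosmetic once this initiative has been assigned anywhere: compliance state and, more importantly, policy exemptions are keyed on the reference id (`policyDefinitionReferenceIds` on `Microsoft.Authorization/policyExemptions`), so an existing exemption for the old id silently stops applying and the resources it covered become non-compliant or, with the `Deny` default, blocked. If the initiative is already deployed, the commit should say so and migrate any exemptions in the same change; if that cannot be verified, keeping the old id is the safer option. Adding `Network` to `groupNames` is fine on its own.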
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json new file mode 100644 index 00000000..cab1f26a --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json 
@@ -0,0 +1,299 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Automation Account should have Managed Identity", + "mode": "Indexed", + "description": "Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code .", + "metadata": { + "version": "1.0.0", + "category": "Automation" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + { + "anyOf": [ + { + "field": "identity.type", + "exists": "false" + }, + { + "field": "identity.type", + "contains": "None" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-AA-Managed-Identity" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": 
"[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Automation-Account", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Automation" + }, + "displayName": "Enforce secure-by-default Automation Account for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Automation Account", + "description": "Policy to ensure data protection for Automation Account" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Automation Account is not accessible over the public internet", + "description": "Policy to ensure Automation Account not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Automation Account", + "description": "Policy to ensure Automation Account is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Automation Account is logging all events to Log Analytics", + "description": "Policy to ensure Automation Account is logging all 
events to Log Analytics workspace" + }, + { + "name": "DevOps", + "category": "DevOps Security", + "displayName": "Ensure Automation Account is is using Git as source control", + "description": "Policy to ensure Automation Account is configured to use Git as source control" + } + ], + "parameters": { + "aaModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "aaModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "aaVariablesEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "aaLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "aaCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "aaPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "aaManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "autoHotPatch": { + "type": "string", + "defaultValue": "Deny" + }, + "aaDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aaLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "aaLogsCategory": { + "type": "string", + "defaultValue": "allLogs" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b797045a-b3cd-46e4-adc4-bbadb3381d78", + "policyDefinitionReferenceId": "Dine-AA-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('aaLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('aaLogsCategory')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc", + "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('autoHotPatch')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", + "policyDefinitionReferenceId": "Deny-Aa-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", + "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", + "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaVariablesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", + "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyLocalAUth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", + "policyDefinitionReferenceId": 
"Modify-Aa-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyPublicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AzureServiceARMtemplate.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AzureServiceARMtemplate.json new file mode 100644 index 00000000..03cb9b66 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AzureServiceARMtemplate.json 
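Review bot: `Modify-Aa-Local-Auth` references `[[parameters('aaModifyLocalAUth')]` while the initiative declares the parameter as `aaModifyLocalAuth`; even if the service resolves parameter names case-insensitively, the reference should match the declaration exactly, `"value": "[[parameters('aaModifyLocalAuth')]"`, so that a future case-sensitive validator or linter does not reject the file. Separately, `Deny-Windows-Vm-HotPatch` (parameter `autoHotPatch`, default `Deny`) is, judging by its reference id and parameter name, a Windows VM hotpatch control rather than an Automation Account one, yet it sits in the `Encryption` group of an initiative whose display name promises Automation Account hardening — if the built-in is what its name suggests, assigning this initiative would also deny unrelated Windows VM deployments, so it belongs in a compute initiative or at least needs a comment and a non-Deny default. `aaLogAnalyticsWorkspaceId` defaults to `""`, so `Dine-AA-Diagnostics` remediation runs with an empty workspace id unless every assignment overrides it; dropping the default would force callers to supply one. `auhtorization` in the Identity group displayName is a typo.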
@@ -0,0 +1,122 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + }, + "category": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + // This is the scope to the intermediate management group you should target the deployment to. + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + /* Provide the property bag for each policy definition in the policyDefinitions array. + { + "properties": {}, + "name": "Policy-Definition-Name" + } + */] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "[concat('Compliant-', parameters('category'))]", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "[parameters('category')]" + }, + 
"displayName": "[concat('Enforce secure-by-default ', parameters('category'), ' for Financial Services Industry')]", + "description": "[concat('This policy initiative is a group of policies that ensures ', parameters('category'), 'is compliant per FSI Landing Zones')]", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "[concat('Ensure ', parameters('category'), ' is using secure encryption')]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is using secure encryption')]" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "[concat('Ensure ', parameters('category'), ' is not accessible over the public internet')]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is not accessible over the public internet')]" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "[concat('Ensure usage of centralized identity and auhtorization system for ', parameters('category'))]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is not using local authorization')]" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "[concat('Ensure ', parameters('category'), ' is logging all events to Log Analytics')]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is logging all events to Log Analytics workspace')]" + } + ], + "parameters": { + "exampleParam": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + /* Example reference to custom policy declared in the variables. 
+ { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-FooBar-Example", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('exampleParam')]" + } + } + },*/ + { + "policyDefinitionId": "", + "policyDefinitionReferenceId": "", + "groupNames": [ + "" + ], + "parameters": { + "effect": { + "value": "[[parameters('')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json new file mode 100644 index 00000000..755717a6 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json 
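Review bot: The trailing placeholder entry in `policyDefinitions` (`"policyDefinitionId": ""`, `"groupNames": [ "" ]`, `"[[parameters('')]"`) means this template fails validation as committed, so whoever copies it and overlooks the stub gets an opaque deployment error instead of an authoring hint; keep the stub inside the `/* … */` example comment above it and state in the leading comment that at least one real reference must be filled in before deploying. The `description` also concatenates `parameters('category'), 'is compliant per FSI Landing Zones'` without a leading space, which renders as e.g. `…ensures Backupis compliant…`; it should be `' is compliant per FSI Landing Zones'`. Note that the `//` and `/* */` comments used here are only tolerated by the ARM deployment tooling (JSONC), so any strict JSON validator or linter in CI will reject these files. `auhtorization` in the Identity group displayName is a typo.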
@@ -0,0 +1,339 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Immutability must be enabled for backup vaults", + "mode": "Indexed", + "description": "This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.", + "metadata": { + "version": "1.0.0", + "category": "Backup" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "checkLockedImmutabiltyOnly": { + "type": "Boolean", + "metadata": { + "displayName": "CheckLockedImmutabiltyOnly", + "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DataProtection/backupvaults" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", + "notIn": [ + "Locked", + "UnLocked" + ] + }, + { + "allOf": [ + { + "value": "[[parameters('checkLockedImmutabiltyOnly')]", + "equals": true + }, + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", + "notEquals": "Locked" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Backup-Immutability" + }, + { + "properties": { + "displayName": "Soft delete should be enabled for Backup Vaults", + "mode": "Indexed", + "description": "This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete", + "metadata": { + "version": "1.0.0", + "category": "Backup" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "checkAlwaysOnSoftDeleteOnly": { + "type": "Boolean", + "metadata": { + "displayName": "CheckAlwaysOnSoftDeleteOnly", + "description": "This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DataProtection/backupvaults" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.softDeleteSettings.state", + "notIn": [ + "On", + "AlwaysOn" + ] + }, + { + "allOf": [ + { + "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]", + "equals": true + }, + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.softDeleteSettings.state", + "notEquals": "AlwaysOn" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Backup-Soft-Delete" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Backup", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Backup" + }, + "displayName": "Enforce secure-by-default Backup for Financial Services Industry", + "description": "This 
policy initiative is a group of policies that ensures Backup is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Backup", + "description": "Policy to ensure data protection for Backup" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Backup is not accessible over the public internet", + "description": "Policy to ensure Backup not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Backup", + "description": "Policy to ensure Backup is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Backup is logging all events to Log Analytics", + "description": "Policy to ensure Backup is logging all events to Log Analytics workspace" + }, + { + "name": "Backup", + "category": "Backup and Recovery", + "displayName": "Ensure Backup is enabled and stored securely", + "description": "Policy to ensure Backup is enabled and stored securely" + } + ], + "parameters": { + "backupImmutability": { + "type": "string", + "defaultValue": "Deny" + }, + "backupCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "vmBackup": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "backupSoftDelete": { + "type": "string", + "defaultValue": "Deny" + }, + "asrPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "asrLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", + "policyDefinitionReferenceId": "Dine-Asr-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('asrLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", + "policyDefinitionReferenceId": "Deny-Asr-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('asrPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Backup-Soft-Delete", + "groupNames": [ + "Encryption", + "Backup" + ], + "parameters": { + "effect": { + "value": "[[parameters('backupSoftDelete')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83644c87-93dd-49fe-bf9f-6aff8fd0834e", + "policyDefinitionReferenceId": "Dine-Vm-Backup", + "groupNames": [ + "Backup" + ], + "parameters": { + "effect": { + "value": "[[parameters('vmBackup')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "groupNames": [ + "Encryption", + "Backup" + ], + "parameters": { + "effect": { + "value": "[[parameters('backupCmk')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Backup-Immutability", + "groupNames": [ + "Encryption", + "Backup" + ], + "parameters": { + "effect": { + "value": "[[parameters('backupImmutability')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
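Review bot: `Deny-Backup-Immutability` defaults to `Deny` in the initiative while its `checkLockedImmutabiltyOnly` parameter defaults to `true` and is not surfaced as an initiative parameter, so with the shipped defaults every Backup vault must be created with immutability `Locked` — an irreversible state — and a vault with immutability merely enabled is rejected; `Deny-Backup-Soft-Delete` with `checkAlwaysOnSoftDeleteOnly` behaves the same way. That may be the intended FSI posture, but it should be an explicit choice: expose both booleans as initiative parameters (e.g. `"backupImmutabilityLockedOnly": { "type": "Boolean", "defaultValue": true }` passed through as `"checkLockedImmutabiltyOnly": { "value": "[[parameters('backupImmutabilityLockedOnly')]" }`) and say in the initiative description that the locked state cannot be undone. The two custom definitions' descriptions still read "This policy audits…", which no longer matches a Deny default. `asrLogAnalyticsWorkspaceId` defaults to `""`, so `Dine-Asr-Diagnostics` remediation will fail unless every assignment overrides it.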
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json new file mode 100644 index 00000000..ae2d0864 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json 
@@ -0,0 +1,198 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "Dublin" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Managed disks should disable public network access", + "mode": "Indexed", + "description": "Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc.", + "metadata": { + "version": "2.0.0", + "category": "Compute" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/disks" + }, + { + "field": "Microsoft.Compute/disks/networkAccessPolicy", + "notIn": [ + "DenyAll", + "AllowPrivate" + ] + }, + { + "field": "Microsoft.Compute/disks/publicNetworkAccess", + "notEquals": "Disabled" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Disk-Public-Endpoint" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": 
"[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Compute", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Compute" + }, + "displayName": "Enforce secure-by-default Compute for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Compute is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Compute is not accessible over the public internet", + "description": "Policy to ensure Compute is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Compute", + "description": "Policy to ensure Compute is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Compute is logging all events to Log Analytics", + "description": "Policy to ensure Compute is logging all 
events to Log Analytics workspace" + } + ], + "parameters": { + "diskDoubleEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "managedDiskPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "osAndDataDiskCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "vmAndVmssEncryptionHost": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", + "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('vmAndVmssEncryptionHost')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", + "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('osAndDataDiskCmk')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('managedDiskPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", + "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('diskDoubleEncryption')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
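Review bot: `topLevelManagementGroupPrefix` defaults to `"Dublin"` here while the sibling initiative templates in this commit default to `"FSIDemo"`, and because `variables('scope')` is built from that prefix, the `policyDefinitionId` of the custom `Deny-Disk-Public-Endpoint` entry will point at a different management group than the rest of the set whenever this file is deployed with its default. Either align it (`"defaultValue": "FSIDemo"`) or, safer, drop the `defaultValue` altogether so the caller has to pass the prefix explicitly and a mismatch fails at deployment rather than at policy evaluation. The inline custom definition carries the display name, `2.0.0` version and aka.ms link of what looks like a Microsoft built-in; if a built-in with this rule exists, referencing it by ID like the other three entries avoids a frozen copy that never receives rule updates (worth confirming before merging). Separately, the `Identity` and `Logging` groups have no member policies, and the `Encryption` group description ("purge protection, soft delete, and key rotation") and the "auhtorization" typo are copy-paste artefacts that will surface verbatim in the portal compliance view.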
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json new file mode 100644 index 00000000..117984ba --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json 
@@ -0,0 +1,164 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-ContainerApps", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Container Apps" + }, + "displayName": "Enforce secure-by-default Container Apps for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per FSI Landing 
Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Container Apps is not accessible over the public internet", + "description": "Policy to ensure Container Apps is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Container Apps", + "description": "Policy to ensure Container Apps is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Container Apps is logging all events to Log Analytics", + "description": "Policy to ensure Container Apps is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "containerAppsPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsEnvPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsVnetInjection": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb", + "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsVnetInjection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", + 
"policyDefinitionReferenceId": "Deny-ContainerAppsEnv-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsEnvPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7", + "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "policyDefinitionReferenceId": "Deny-ContainerApps-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1", + "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsPublicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json new file mode 100644 index 00000000..fd99fc66 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json 
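Review bot: The `Logging` group promises "logging all events to Log Analytics" but no diagnostic-settings policy is referenced in `policyDefinitions` (the Container Registry initiative in this same commit ships a `Dine-Diagnostics-CR` entry for exactly this), and the `Encryption` group is likewise empty, so both groups will read as compliant by absence in the dashboard. Either add the corresponding Container Apps diagnostics policy and a workspace parameter, or remove the two groups so the initiative does not claim coverage it does not enforce. The `// Use the following array ...` line inside `variables` makes this file JSONC rather than JSON; the ARM deployment tooling tolerates it, but any strict parser, linter or pre-commit hook in the pipeline will reject the file, so move that guidance into a top-level `"metadata": { "description": "..." }` block instead. The reference ID `Deny-ContainerApp-Vnet-Injection` reads as denying VNet injection while the parameter name suggests the policy requires it; if the built-in enforces injection, a name like `Deny-ContainerApp-Without-Vnet-Injection` avoids misreading in compliance reports.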
@@ -0,0 +1,116 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-ContainerInstance", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Container Instance" + }, + "displayName": "Enforce secure-by-default Container Instance for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per 
FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Container Instance is not accessible over the public internet", + "description": "Policy to ensure Container Instance is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Container Instance", + "description": "Policy to ensure Container Instance is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Container Instance is logging all events to Log Analytics", + "description": "Policy to ensure Container Instance is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "containerInstanceCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "containerInstanceVnet": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615", + "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceVnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", + "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceCmk')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
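Review bot: The initiative `description` says "ensures Container Apps is compliant" although `name` and `displayName` are Container Instance; this string is shown in the portal and in compliance exports, so it should read `"description": "This policy initiative is a group of policies that ensures Container Instance is compliant per FSI Landing Zones"`. As in the Container Apps template, the `Identity` and `Logging` groups have no member policies, so their displayName text ("not using local authorization", "logging all events to Log Analytics") asserts controls the initiative does not actually apply. The `// Use the following array ...` comment under `variables` also makes the file invalid for strict JSON consumers; a top-level `"metadata"` entry carries the same guidance without breaking parsers.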
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json new file mode 100644 index 00000000..bcdad327 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json 
@@ -0,0 +1,337 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-ContainerRegistry", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Container Registry" + }, + "displayName": "Enforce secure-by-default Container Registry for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure 
compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Container Registry is not accessible over the public internet", + "description": "Policy to ensure Container Registry is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Container Registry", + "description": "Policy to ensure Container Registry is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Container Registry is logging all events to Log Analytics", + "description": "Policy to ensure Container Registry is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "containerRegistryUnrestrictedNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryRepositoryToken": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyRepositoryToken": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistryLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistryExports": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryAnAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyAnAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistrySkuPrivateLink": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryArmAudience": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyArmAudience": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistryCmk": { + "type": 
"string", + "defaultValue": "Deny" + }, + "containerRegistryPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistryDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "containerRegistryLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "containerRegistryLogCategories": { + "type": "string", + "defaultValue": "allLogs" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56288eb2-4350-461d-9ece-2bb242269dce", + "policyDefinitionReferenceId": "Dine-Diagnostics-CR", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('containerRegistryLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('containerRegistryLogCategories')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": 
{ + "effect": { + "value": "[[parameters('containerRegistryModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistrySkuPrivateLink')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth", + "groupNames": [ + "Identity" + ], 
+ "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryExports')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryUnrestrictedNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
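Review bot: `containerRegistryLogAnalyticsWorkspaceId` defaults to `""` while `containerRegistryDiagnostics` defaults to `DeployIfNotExists`, so an assignment that accepts the defaults creates a remediation that has no workspace to target and will fail, leaving registries unlogged while the `Logging` group appears covered. Drop the `defaultValue` on that parameter (and add `"metadata": { "displayName": "Log Analytics workspace resource ID" }`) so assignment fails fast unless a workspace is supplied. The five `Modify-*` entries can only remediate if the assignment carries a managed identity with the roles those built-ins declare; that is outside this hunk, so worth confirming in the assignment template. Two grouping choices will mislead readers of the compliance view: `Modify/Deny-ContainerRegistry-Repo-Token` is an authentication control and `Deny-ContainerRegistry-Exports` is a data-egress control, yet both sit under `Encryption`, and the `description` again says "Container Apps" for a Container Registry initiative.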
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json new file mode 100644 index 00000000..1e10774e --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json 
@@ -0,0 +1,947 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Configure a private DNS Zone ID for sqlServer groupID", + "mode": "Indexed", + "description": "Configure private DNS zone group to override the DNS resolution for a sqlServer groupID private endpoint.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Configure a private DNS Zone ID for sqlServer groupID", + "description": "Configure private DNS zone group to override the DNS resolution for a sqlServer groupID private endpoint.", + "strongType": "Microsoft.Network/privateDnsZones", + "assignPermissions": true + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", + "contains": "Microsoft.Sql/servers" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "sqlServer" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + 
"details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/privateDnsZoneConfigs[*].privateDnsZoneId", + "equals": "[[parameters('privateDnsZoneId')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "privateDnsZone", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + }, + "name": "DINE-SQL-Dns" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", 
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Corp-Lz", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Corp Connected Landing Zones" + }, + "displayName": "Enforce secure-by-default Corp Connected Landing Zones for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Corp Connected Landing Zones are compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure Storage Account is using secure encryption", + "description": "Policy to ensure Storage Account is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Storage Account is not accessible over the public internet", + "description": "Policy to ensure Storage Account is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Storage Account", + "description": "Policy to ensure Storage Account is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Storage Account is logging all events to Log Analytics", + "description": "Policy to ensure Storage Account is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "storageTablePrivateDnsZoneId": { + 
"type": "string", + "defaultValue": "" + }, + "storageTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileSyncPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageFileSyncPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + 
"storageSecondaryWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "appServiceAppsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "aaPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aaPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "aaPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "DSCAndHybridWorker" + }, + "asrPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "asrPrivateDnsZone-Backup": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Blob": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Queue": { + "type": "string", + "defaultValue": "" + }, + "diskPrivateDns": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "diskPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosDbPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "" + }, + "containerRegistryPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "containerRegistryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "adfPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridDomainPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + 
"eventGridTopicPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventHubNamespacesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "mlSecondPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cognitiveServicesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cognitiveServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusDinePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "sqlPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "avdHostPoolPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdHostPoolPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "avdHostPoolPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "connection" + }, + "avdWorkspacePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "avdWorkspacePrivateEndpointGroupId": { + "type": "string", + "defaultValue": "feed" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed", + "policyDefinitionReferenceId": "Dine-Workspace-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspacePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('avdWorkspacePrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('avdWorkspacePrivateEndpointGroupId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a", + "policyDefinitionReferenceId": "Dine-Hostpool-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdHostpoolPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('avdHostpoolPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('avdHostpoolPrivateEndpointGroupId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "DINE-SQL-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('sqlPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "policyDefinitionReferenceId": "Dine-Synapse-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapsePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('synapsePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "policyDefinitionReferenceId": "DINE-Sb-PrivateDns", + "groupNames": [ + 
"Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDinePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('serviceBusPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "policyDefinitionReferenceId": "Dine-Cognitive-Services-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('cognitiveServicesPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "policyDefinitionReferenceId": "Dine-ML-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('mlPrivateDnsZoneId')]" + }, + "secondPrivateDnsZoneId": { + "value": "[[parameters('mlSecondPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "policyDefinitionReferenceId": "DINE-KV-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('keyVaultPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "policyDefinitionReferenceId": "Dine-EH-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventHubNamespacesPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "policyDefinitionReferenceId": "Dine-EventGrid-Topic-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventGridTopicPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "policyDefinitionReferenceId": "Dine-EventGrid-Domain-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventGridDomainPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "policyDefinitionReferenceId": "Dine-Adf-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('adfPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "policyDefinitionReferenceId": "Dine-ContainerRegistry-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('containerRegistryPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "policyDefinitionReferenceId": "Dine-CosmosDb-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbPrivateDnsZone')]" + }, + "privateEndpointGroupId": { + "value": 
"[[parameters('cosmosDbPrivateEndpointGroupId')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('cosmosDbPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "policyDefinitionReferenceId": "Dine-Disk-Private-DNS", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('diskPrivateDns')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('diskPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", + "policyDefinitionReferenceId": "Dine-Asr-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('asrPrivateDnsZone')]" + }, + "privateDnsZone-Backup": { + "value": "[[parameters('asrPrivateDnsZone-Backup')]" + }, + "privateDnsZone-Blob": { + "value": "[[parameters('asrPrivateDnsZone-Blob')]" + }, + "privateDnsZone-Queue": { + "value": "[[parameters('asrPrivateDnsZone-Queue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "policyDefinitionReferenceId": "Dine-Aa-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('aaPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('aaPrivateEndpointGroupId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('appServiceAppsPrivateDnsZoneId')]" + } + } + }, 
+ { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", + "policyDefinitionReferenceId": "Dine-Storage-Blob-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageBlobPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageBlobPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryBlob-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "policyDefinitionReferenceId": "Dine-Storage-Dfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryDfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "policyDefinitionReferenceId": "Dine-Storage-Queue-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageQueuePrivateDnsZone')]" + }, 
+ "privateDnsZoneId": { + "value": "[[parameters('storageQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryQueue-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "policyDefinitionReferenceId": "Dine-Storage-Web-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageWebPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryWeb-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6", + "policyDefinitionReferenceId": "Dine-Storage-FileGroupId-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageFileDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageFileDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", + "policyDefinitionReferenceId": "Dine-Table-Storage-Private-Dns", + "groupNames": [ + "Network" + ], + 
"parameters": { + "privateDnsZoneId": { + "value": "[[parameters('storageTablePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('storageTablePrivateDnsZone')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", + "policyDefinitionReferenceId": "Dine-SecondaryTable-Storage-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryTablePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('storageSecondaryTablePrivateDnsZone')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "policyDefinitionReferenceId": "Dine-Storage-File-Sync-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('storageFileSyncPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('storageFileSyncPrivateDnsZone')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json new file mode 100644 index 00000000..75157525 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json 
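Review bot: The `Dine-Hostpool-DNS-Zone` member reads `avdHostpoolPrivateDnsZone`, `avdHostpoolPrivateDnsZoneId` and `avdHostpoolPrivateEndpointGroupId`, while the initiative's `parameters` block declares them as `avdHostPoolPrivateDnsZone`, `avdHostPoolPrivateDnsZoneId` and `avdHostPoolPrivateEndpointGroupId`; whether or not policy parameter lookup tolerates the case difference, the three `value` lines should use the declared spelling, e.g. `"value": "[[parameters('avdHostPoolPrivateDnsZone')]"`. The four `policyDefinitionGroups` still describe Storage Account ("Ensure Storage Account is using secure encryption", …) although this initiative is about private DNS for Corp landing zones, every member is filed under `Network` so the `Encryption`, `Identity` and `Logging` groups are unused, and the Identity group carries the typo `auhtorization`, which recurs in the Cosmos DB initiative below. Every effect parameter is an unconstrained `string`; adding `"allowedValues": ["DeployIfNotExists", "Disabled"]` and a `metadata.displayName` to each would catch a mistyped effect at initiative level rather than at assignment time. Because the effects default to `DeployIfNotExists` while every `*PrivateDnsZoneId` defaults to `""`, an assignment that does not pass the zone IDs would presumably attempt remediation with an empty `privateDnsZoneId`; leaving those parameters without a default forces the assignment to supply them.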
@@ -0,0 +1,388 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-CosmosDb" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": 
"[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-CosmosDb", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB" + }, + "displayName": "Enforce secure-by-default Cosmos DB for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Cosmos DB", + "description": "Policy to ensure data protection for Cosmos DB" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Cosmos DB is not accessible over the public internet", + "description": "Policy to ensure Cosmos DB not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Cosmos DB", + "description": "Policy to ensure Cosmos DB is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Cosmos DB is logging all events to Log Analytics", + "description": "Policy to ensure Cosmos DB is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "cosmosDbCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "cosmosDbLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "cosmosDbPublicAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cosmosDbFwRules": { + 
"type": "string", + "defaultValue": "Deny" + }, + "cosmosDbAtp": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosDbModifyPublicAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "cosmosDbModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "cosmosDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-CosmosDb", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('cosmosLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", + "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", + "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyPublicAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656", + "policyDefinitionReferenceId": "Dine-CosmosDb-Atp", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbAtp')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "policyDefinitionReferenceId": "Deny-CosmosDb-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbPublicAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", + "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", + "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "groupNames": [ + "Encryption" + ], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "policyDefinitionReferenceId": "Deny-CosmosDb-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbCmk')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json new file mode 100644 index 00000000..77a4ee45 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json 
@@ -0,0 +1,364 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Azure Data Explorer" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + 
"type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-ADE" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + 
"policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Data-Explorer", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Azure Data Explorer" + }, + "displayName": "Enforce secure-by-default Data Explorer for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure Data Explorer is using secure encryption", + "description": "Policy to ensure Data Explorer is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Data Explorer is not accessible over the public internet", + "description": "Policy to ensure Data Explorer is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Data Explorer", + "description": "Policy to ensure Data Explorer is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Data Explorer is logging all events to Log Analytics", + "description": "Policy to ensure Data Explorer is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "adeCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "adeEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "adeDoubleEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "adeModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + 
"adePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "adeSku": { + "type": "string", + "defaultValue": "Deny" + }, + "adeDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adeLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-ADE", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('adeLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b", + "policyDefinitionReferenceId": "Deny-ADE-Sku-without-PL-Support", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeSku')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673", + "policyDefinitionReferenceId": "Deny-ADE-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa", + "policyDefinitionReferenceId": "Modify-ADE-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", + "policyDefinitionReferenceId": "Deny-ADE-Double-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('adeDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + "policyDefinitionReferenceId": "Deny-ADE-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", + "policyDefinitionReferenceId": "Deny-ADE-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeCmk')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json new file mode 100644 index 00000000..092e9696 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json 
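Review bot: `adeLogAnalyticsWorkspaceId` defaults to `""` while `adeDiagnostics` defaults to `DeployIfNotExists`, so an assignment that takes the defaults hands an empty `logAnalytics` to the DINE definition; its existence condition compares `workspaceId` against that empty string and can never match, and the remediation deployment is presumably rejected for having no destination, which leaves the Logging control silently unenforced. Either drop the `"defaultValue": ""` so the assignment has to supply a workspace, or default the effect to `Disabled` until one is provided. Independently, the existence condition requires `Microsoft.Insights/diagnosticSettings/metrics.enabled` to equal `"true"` regardless of `metricsEnabled`, so an assignment that sets it to `False` is never compliant and is redeployed on every evaluation; comparing against the parameter, `"equals": "[[parameters('metricsEnabled')]"`, keeps the two in step (Policy string comparison is case-insensitive, so `True`/`true` should match — worth confirming). Both points apply equally to the Data Factory hunk below. The Identity group displayName also spells `auhtorization` for `authorization`, here and in the Data Factory and Event Grid hunks.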
@@ -0,0 +1,386 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Data Factory" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": 
{ + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-DataFactory" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": 
"[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-DataFactory", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Data Factory" + }, + "displayName": "Enforce secure-by-default Data Factory for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Data Factory", + "description": "Policy to ensure data protection for Data Factory" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Data Factory is not accessible over the public internet", + "description": "Policy to ensure Data Factory not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Data Factory", + "description": "Policy to ensure Data Factory is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Data Factory is logging all events to Log Analytics", + "description": "Policy to ensure Data Factory is logging all events to Log Analytics workspace" + }, + { + "name": "DevOps", + "category": "DevOps Security", + "displayName": "Ensure Data Factory is is using Git as source control", + "description": "Policy to ensure Data Factory is configured to use Git as source control" + } + ], + 
"parameters": { + "adfSqlIntegration": { + "type": "string", + "defaultValue": "Deny" + }, + "adfModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "adfLinkedServiceKeyVault": { + "type": "string", + "defaultValue": "Deny" + }, + "adfPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "adfCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "adfGit": { + "type": "string", + "defaultValue": "Deny" + }, + "adfManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "adfDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-DataFactory", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('adfLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", + "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", + "policyDefinitionReferenceId": "Deny-Adf-Git", + "groupNames": [ + "DevOps" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfGit')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": 
{ + "effect": { + "value": "[[parameters('adfCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", + "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0", + "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfLinkedServiceKeyVault')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", + "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952", + "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfSqlIntegration')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json new file mode 100644 index 00000000..f0de5eb4 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json 
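Review bot: The DevOps group displayName reads `"Ensure Data Factory is is using Git as source control"`; drop the duplicated `is`. Separately, `adfGit` defaults to `Deny`, and if the referenced built-in evaluates the repository configuration at create time this blocks creating any factory whose Git wiring is applied after deployment, which is the usual pattern for pipeline-driven factories; confirm `Deny` rather than `Audit` is the intended default for that control.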
@@ -0,0 +1,339 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Event-Grid", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Event Grid" + }, + "displayName": "Enforce secure-by-default Event Grid for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, 
protection, and recovery for Event Grid", + "description": "Policy to ensure data protection for Event Grid" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Event Grid is not accessible over the public internet", + "description": "Policy to ensure Event Grid not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Event Grid", + "description": "Policy to ensure Event Grid is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Event Grid is logging all events to Log Analytics", + "description": "Policy to ensure Event Grid is logging all events to Log Analytics workspace" + }, + { + "name": "Backup", + "category": "Backup and Recovery", + "displayName": "Ensure Backup is enabled and stored securely", + "description": "Policy to ensure Backup is enabled and stored securely" + } + ], + "parameters": { + "eventGridPubclicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridParnerNamespaceLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridParnerNamespaceModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridTopicPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridTopicLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridTopicModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridDomainModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridDomainModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridTopicModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + 
"eventGridPartnerDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridPartnerLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "eventGridTopicDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "eventGridDomainDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainLogCategories": { + "type": "string", + "defaultValue": "allLogs" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b90ec596-faa6-4c61-9515-34085703e260", + "policyDefinitionReferenceId": "Dine-Diagnostics-EventGrid-Domain", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('eventGridDomainLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('eventGridDomainLogCategories')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46b2dd5d-3936-4347-8908-b298ea4466d3", + "policyDefinitionReferenceId": "Dine-Diagnostics-EventGrid-Topic", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('eventGridTopicLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('eventGridTopicLogCategories')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3496f6fd-57ba-485c-8a14-183c4493b781", + 
"policyDefinitionReferenceId": "Dine-Diagnostics-EventGrid-Partner", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('eventGridPartnerLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('eventGridPartnerLogCategories')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4", + "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172", + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924", + "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridParnerNamespaceModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1", + "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c", + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth", + "groupNames": [ + 
"Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04", + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e", + "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridParnerNamespaceLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd", + "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68", + "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPubclicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
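Review bot: Three initiative parameter names are misspelled — `eventGridPubclicNetworkAccess`, `eventGridParnerNamespaceLocalAuth` and `eventGridParnerNamespaceModifyLocalAuth` — and because they are part of the policy set's interface every assignment has to repeat the misspelling and a later rename breaks existing assignments; fix them now (`eventGridPublicNetworkAccess`, `eventGridPartnerNamespaceLocalAuth`, `eventGridPartnerNamespaceModifyLocalAuth`) in both the `parameters` block and the three `[[parameters(...)]` references. The custom `policyDefinitions` array is empty, so the `Microsoft.Authorization/policyDefinitions` copy runs with a count of zero and the `scope` variable is never used; either remove that resource and variable or keep them only if custom definitions are expected soon. The `Encryption` and `Backup` groups are declared but no entry lists them in `groupNames`, so they will appear empty in the compliance view.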
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json
new file mode 100644
index 00000000..3632f24d
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json
@@ -0,0 +1,252 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Event Hub namespaces should use a customer-managed key for encryption", + "mode": "Indexed", + "description": "Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "field": "Microsoft.EventHub/namespaces/clusterArmId", + "exists": "true" + }, + { + "not": { + "field": "Microsoft.EventHub/namespaces/encryption.keySource", + "equals": "Microsoft.Keyvault" + } + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-EH-Cmk" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": 
"policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Event-Hub", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Event Hub" + }, + "displayName": "Enforce secure-by-default Event Hub for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Event Hub is not accessible over the public internet", + "description": "Policy to ensure Event Hub is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Event Hub", + "description": "Policy to ensure Event Hub is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat 
Detection", + "displayName": "Ensure Event Hub is logging all events to Log Analytics", + "description": "Policy to ensure Event Hub is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "eventHubAuthRules": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventHubNamespacesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesDoubleEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventHubLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "policyDefinitionReferenceId": "Dine-Diagnostics-EH", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('eventHubLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-EH-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c", + "policyDefinitionReferenceId": "Deny-EH-Double-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesDoubleEncryption')]" + } + 
} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e", + "policyDefinitionReferenceId": "Dine-EH-Local-Auth", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d", + "policyDefinitionReferenceId": "Modify-EH-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598", + "policyDefinitionReferenceId": "Deny-EH-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7", + "policyDefinitionReferenceId": "Deny-EH-Auth-Rules", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubAuthRules')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json index 2e203615..4b51cb18 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json 
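Review bot: The reference `"policyDefinitionReferenceId": "Dine-EH-Local-Auth"` on definition 0602787f-9896-402a-a6e1-39ee63ee435e is wired to `eventHubNamespacesPublicNetworkAccess` (default `Deny`, group `Network`), so the ID describes neither the effect nor the control it enforces; `policyDefinitionReferenceId` is the key that compliance records and exemptions are bound to, so renaming it to `"policyDefinitionReferenceId": "Deny-EH-Public-Network-Access"` (matching the Event Grid initiative's naming) is cheap now and a breaking change after the first assignment. The `Encryption` group's displayName and description still read "purge protection, soft delete, and key rotation", which describe the Key Vault initiative rather than the CMK and double-encryption policies grouped here, and the `Identity` group displayName has the typo "auhtorization". `Dine-Diagnostics-EH` takes `eventHubLogAnalyticsWorkspaceId` with a default of `""`, so an assignment that does not override it presumably cannot remediate anything; a one-line note in the parameter's metadata saying it must be supplied at assignment time would save a silent no-op.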
@@ -12,56 +12,6 @@
 // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives
 "policies": {
 "policyDefinitions": [
- {
- "properties": {
- "displayName": "Service Bus Premium namespaces must use a customer-managed key for encryption",
- "mode": "Indexed",
- "description": "Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces.",
- "metadata": {
- "version": "1.0.0",
- "category": "Service Bus"
- },
- "parameters": {
- "effect": {
- "type": "String",
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- },
- "allowedValues": [
- "Deny",
- "Audit",
- "Disabled"
- ],
- "defaultValue": "Deny"
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.ServiceBus/namespaces"
- },
- {
- "field": "Microsoft.ServiceBus/namespaces/sku.tier",
- "equals": "Premium"
- },
- {
- "not": {
- "field": "Microsoft.ServiceBus/namespaces/encryption.keySource",
- "equals": "Microsoft.Keyvault"
- }
- }
- ]
- },
- "then": {
- "effect": "[[parameters('effect')]"
- }
- }
- },
- "name": "Deny-ServiceBus-CMK"
- }
 ]
 }
 },
@@ -161,14 +111,6 @@
 "type": "string",
 "defaultValue": ""
 },
- "keyVaultPrivateDnsZoneId": {
- "type": "string",
- "defaultValue": ""
- },
- "keyVaultPrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
 "keyVaultCertificatesPeriod": {
 "type": "string",
 "defaultValue": "Deny"
@@ -204,9 +146,250 @@ "secretsValidityInDays": { "type": "integer", "defaultValue": 90 + }, + "keyVaultFw": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultCertKeyTypes": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultEllipticCurve": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultModifyFw": { + "type": "string", + "defaultValue": "Modify" + }, + "keyVaultCryptographicType": { + "type": "string", + "defaultValue": "Deny" + }, + "keysExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + "keysExpirationInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysActive": { + "type": "string", + "defaultValue": "Deny" + }, + "keysActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysCurveNames": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsMoreInDays": { + "type": "integer", + "defaultValue": 10 + }, + "secretsMaxValiditity": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsMaxValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActive": { + "type": "string", + "defaultValue": "Deny" + }, + "hsmDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "hsmLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "hsmLogCategories": { + "type": "string", + "defaultValue": "allLogs" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b88bfd90-4da5-43eb-936f-ae1481924291", + "policyDefinitionReferenceId": "Dine-Diagnostics-Hsm", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('hsmDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('hsmLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('hsmLogCategories')]" + } + 
} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", + "policyDefinitionReferenceId": "Deny-KV-Secret-AvticeDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsActiveInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "policyDefinitionReferenceId": "Deny-KV-Secret-MaxDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsMaxValiditity')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('secretsMaxValidityInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "policyDefinitionReferenceId": "Deny-KV-Secret-MinDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('secretsMoreInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", + "policyDefinitionReferenceId": "Deny-KV-Curve-Names", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysCurveNames')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9", + "policyDefinitionReferenceId": "Deny-KV-Key-Active", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysActiveInDays')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146", + "policyDefinitionReferenceId": "Deny-KV-Key-Expiration", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('keysExpirationInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb", + "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCryptographicType')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc", + "policyDefinitionReferenceId": "Modify-KV-Fw", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultModifyFw')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf", + "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultEllipticCurve')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f", + "policyDefinitionReferenceId": "Deny-KV-Key-Types", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertKeyTypes')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "policyDefinitionReferenceId": "Deny-KV-Fws", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultFw')]" + } + } + }, { "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f",
 "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays",
@@ -299,22 +482,7 @@
 "value": "[[parameters('keyVaultHmsPurgeProtection')]"
 }
 }
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4",
- "policyDefinitionReferenceId": "DINE-KV-Dns",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('keyVaultPrivateDnsZone')]"
- },
- "privateDnsZoneId": {
- "value": "[[parameters('keyVaultPrivateDnsZoneId')]"
- }
- }
- },
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951af2fa-529b-416e-ab6e-066fd85ac459",
 "policyDefinitionReferenceId": "DINE-KV-Logs",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json
new file mode 100644
index 00000000..8c7fa541
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json
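Review bot: Definition b0eb591a-5e70-4534-a8bf-04b9c489584a is referenced twice in the `@@ -204,9 +146,250 @@` hunk, as `Deny-KV-Secret-MaxDays` (`minimumDaysBeforeExpiration` from `secretsMaxValidityInDays`, 90) and as `Deny-KV-Secret-MinDays` (the same parameter from `secretsMoreInDays`, 10); both set the same parameter on the same policy, so the 90-day entry makes the 10-day one redundant, and if that definition is the "more than N days before expiration" check its parameter name suggests, a 90-day minimum combined with the 90-day `secretsValidityInDays` cap on `Deny-KV-Secrets-ValidityDays` leaves no window in which a secret is compliant. Either drop `Deny-KV-Secret-MaxDays` or point it at the definition that actually enforces maximum validity. The reference ID `Deny-KV-Secret-AvticeDays` and the initiative parameter `secretsMaxValiditity` are misspelled; both are persistent identifiers (exemptions and assignment parameters are keyed on them), so fix them before the first deployment rather than after. Separately, the `@@ -12,56 +12,6 @@` hunk leaves `variables('policies').policyDefinitions` as `[]`; if this file uses the same `copy`/`dependsOn: ["policyDefinitionCopy"]` pattern as the new initiative files, the copy now has count 0 and the policy set depends on an empty loop, which is worth a deploy test.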
@@ -0,0 +1,517 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Azure Kubernetes Clusters should enable Key Management Service (KMS)", + "mode": "Indexed", + "description": "Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption.", + "metadata": { + "version": "1.0.0", + "category": "Kubernetes" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy", + "portalReview": true + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "identity.type", + "notEquals": "SystemAssigned" + }, + { + "field": "Microsoft.ContainerService/managedClusters/securityProfile.azureKeyVaultKms.enabled", + "notEquals": true + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Aks-CSI" + }, + { + "properties": { + "displayName": "Azure Kubernetes Clusters should use Azure CNI", + "mode": "Indexed", + "description": "Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. 
Learn more at: https://aka.ms/aks-azure-cni", + "metadata": { + "version": "1.0.1", + "category": "Kubernetes" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy", + "portalReview": true + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin", + "notEquals": "azure" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Aks-Cni" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Kubernetes", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Kubernetes" + }, + "displayName": "Enforce secure-by-default Kubernetes for Financial 
Services Industry", + "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Kubernetes is not accessible over the public internet", + "description": "Policy to ensure Kubernetes is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Kubernetes", + "description": "Policy to ensure Kubernetes is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Kubernetes is logging all events to Log Analytics", + "description": "Policy to ensure Kubernetes is logging all events to Log Analytics workspace" + }, + { + "name": "Governance", + "category": "Governance and Strategy", + "displayName": "Ensure Kubernetes is integrated with Azure Resource Manager to be governed by Azure Policy", + "description": "Policy to ensure Kubernetes is integrated with Azure Resource Manager to be governed by Azure Policy" + } + ], + "parameters": { + "aksKms": { + "type": "string", + "defaultValue": "Deny" + }, + "aksCni": { + "type": "string", + "defaultValue": "Deny" + }, + "aksLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "aksPrivateCluster": { + "type": "string", + "defaultValue": "Deny" + }, + "aksDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "type": "string", + "defaultValue": "" + }, + "aksOsAndDataDiskCmk": { + "type": "string", + 
"defaultValue": "Deny" + }, + "aksPolicy": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aksCommandInvoke": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aksReadinessOrLivenessProbes": { + "type": "string", + "defaultValue": "Deny" + }, + "aksPrivContainers": { + "type": "string", + "defaultValue": "Deny" + }, + "aksPrivEscalation": { + "type": "string", + "defaultValue": "Deny" + }, + "aksAllowedCapabilities": { + "type": "string", + "defaultValue": "Deny" + }, + "aksTempDisk": { + "type": "string", + "defaultValue": "Deny" + }, + "aksInternalLb": { + "type": "string", + "defaultValue": "Deny" + }, + "aksHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "aksDefaultNamespace": { + "type": "string", + "defaultValue": "Deny" + }, + "aksNakedPods": { + "type": "string", + "defaultValue": "Deny" + }, + "aksShareHostProcessAndNamespace": { + "type": "string", + "defaultValue": "Deny" + }, + "aksWindowsContainerAdministrator": { + "type": "string", + "defaultValue": "Deny" + }, + "aksDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aksLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", + "policyDefinitionReferenceId": "Dine-Diagnostics-Aks", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('aksLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75", + "policyDefinitionReferenceId": "Deny-Aks-Windows-Conatiner-Administrator", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksWindowsContainerAdministrator')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", + "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksShareHostProcessAndNamespace')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581", + "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksNakedPods')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", + "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksDefaultNamespace')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policyDefinitionReferenceId": "Deny-Aks-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e", + "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksInternalLb')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", + "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksTempDisk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", + "policyDefinitionReferenceId": 
"Deny-Aks-Allowed-Capabilities", + "groupNames": [ + "Governance" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksAllowedCapabilities')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivEscalation')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivContainers')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915", + "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksReadinessOrLivenessProbes')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc", + "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksCommandInvoke')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "policyDefinitionReferenceId": "Dine-Aks-Policy", + "groupNames": [ + "Governance" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPolicy')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "policyDefinitionReferenceId": "Deny-Aks-OsAnDataDisk-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('aksOsAndDataDiskCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "policyDefinitionReferenceId": "Dine-Aks-Defender", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksDefender')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[[parameters('aksDefenderLogAnalyticsWorkspaceResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivateCluster')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32", + "policyDefinitionReferenceId": "Deny-Aks-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Aks-Kms", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksKms')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Aks-Cni", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksCni')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
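Review bot: The custom definition is named `"name": "Deny-Aks-CSI"` while its displayName, description and rule are about Key Management Service (etcd secret encryption), and the initiative references it as `Deny-Aks-Kms`; `name` becomes the policyDefinition resource name shown in the portal and compliance data, so rename it to `"name": "Deny-Aks-Kms"` to match. The reference IDs `Deny-Aks-Windows-Conatiner-Administrator` and `Deny-Aks-OsAnDataDisk-Cmk` carry typos that will persist in compliance records and exemptions once assigned; fix them now. `Dine-Aks-Command-Invoke` (1b708b0a-3380-40e9-8b79-821f9fa224cc) defaults to `DeployIfNotExists` and sits in the `Encryption` group although nothing in the entry is about encryption; confirm the built-in actually accepts that effect, since an effect outside its `allowedValues` fails at assignment. The grouping of the Gatekeeper policies is hard to follow (`Deny-Aks-Allowed-Capabilities` under `Governance`, `Deny-Aks-ReadinessOrLiveness-Probes` under `Network`), and the `Identity` group displayName has the typo "auhtorization"; a short `//` comment above `policyDefinitionGroups` stating the grouping intent would help the next maintainer.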
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json
new file mode 100644
index 00000000..4e8e8ba2
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json
@@ -0,0 +1,274 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "defaultValue": "FSIDemo"
+ }
+ },
+ "variables": {
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives
+ "policies": {
+ "policyDefinitions": [
+ {
+ "properties": {
+ "displayName": "Audit/Deny Azure Machine Learning Compute Instances with an outdated operating system",
+ "mode": "All",
+ "description": "Compute instances are non-compliant if the instance has an outdated operating system version. For more information, visit http://aka.ms/azureml-ci-updates/.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning"
+ },
+ "parameters": {
+ "effects": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+ "equals": "ComputeInstance"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/osImageMetadata.isLatestOsImageVersion",
+ "equals": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effects')]"
+ }
+ }
+ },
+ "name": "Deny-ML-Outdated-OS"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
+ "apiVersion": "2019-09-01",
+ "copy": {
+ "name": "policyDefinitionCopy",
+ "count": "[length(variables('policies').policyDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
+ "policyType": "Custom",
+ "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
+ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
+ "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "name": "Compliant-Machine-Learning",
+ "dependsOn": [
+ "policyDefinitionCopy"
+ ],
+ "properties": {
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning"
+ },
+ "displayName": "Enforce secure-by-default Machine Learning for Financial Services Industry",
+ "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant 
per FSI Landing Zones",
+ "policyDefinitionGroups": [
+ {
+ "name": "Encryption",
+ "category": "Data Protection",
+ "displayName": "Ensure compliance for purge protection, soft delete, and key rotation",
+ "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation"
+ },
+ {
+ "name": "Network",
+ "category": "Network Security",
+ "displayName": "Ensure Machine Learning is not accessible over the public internet",
+ "description": "Policy to ensure Machine Learning is not accessible over the public internet"
+ },
+ {
+ "name": "Identity",
+ "category": "Identity Management",
+ "displayName": "Ensure usage of centralized identity and auhtorization system for Machine Learning",
+ "description": "Policy to ensure Machine Learning is not using local authorization"
+ },
+ {
+ "name": "Logging",
+ "category": "Logging and Threat Detection",
+ "displayName": "Ensure Machine Learning is logging all events to Log Analytics",
+ "description": "Policy to ensure Machine Learning is logging all events to Log Analytics workspace"
+ }
+ ],
+ "parameters": {
+ "mlPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mlModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "mlUserAssignedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mlModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "mlLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mlOutdatedOS": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mlCmk": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mlDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "mlLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "mlLogCategories": {
+ "type": "string",
+ "defaultValue": "allLogs"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/90c90eda-bfe7-4c67-bf26-410420ed1047",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-Ml",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('mlLogAnalyticsWorkspaceId')]"
+ },
+ "categoryGroup": {
+ "value": "[[parameters('mlLogCategories')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
+ "policyDefinitionReferenceId": "Deny-ML-Cmk",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlCmk')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
+ "policyDefinitionReferenceId": "Deny-ML-Outdated-Os",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effects": {
+ "value": "[[parameters('mlOutdatedOS')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f",
+ "policyDefinitionReferenceId": "Deny-ML-Local-Auth",
+ "groupNames": [
+ "Identity"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512",
+ "policyDefinitionReferenceId": "Modify-ML-Local-Auth",
+ "groupNames": [
+ "Identity"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlModifyLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f",
+ "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78",
+ "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity",
+ "groupNames": [
+ "Identity"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlUserAssignedIdentity')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce",
+ "policyDefinitionReferenceId": "Deny-ML-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mlPublicNetworkAccess')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json
new file mode 100644
index 00000000..bed49933
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json
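Review bot: The `Deny-ML-Outdated-Os` reference lists `"Encryption"` in its `groupNames`, but the custom definition it points to (`Deny-ML-Outdated-OS`) evaluates `osImageMetadata.isLatestOsImageVersion`, a compute-hardening check rather than an encryption control, so Encryption-group compliance reporting will be skewed; the Encryption group's displayName/description also still read "purge protection, soft delete, and key rotation", which look copied from a Key Vault initiative rather than describing `Deny-ML-Cmk`. The custom definition names its parameter `effects` while every other definition in the set uses `effect`; I'd rename it to `effect` in both the definition's `parameters` block and the set's `"effects": { "value": "[[parameters('mlOutdatedOS')]" }` reference so the initiative stays uniform. `mlLogAnalyticsWorkspaceId` defaults to `""` while `mlDiagnostics` defaults to `DeployIfNotExists`, so an assignment that forgets the workspace will attempt diagnostic-settings deployments against an empty resource id; dropping the default, or adding `"metadata": { "strongType": "omsWorkspace" }`, would surface the omission at assignment time. The "Identity" group displayName has the typo `auhtorization` here and again in the MySQL initiative.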
@@ -0,0 +1,211 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "defaultValue": "FSIDemo"
+ }
+ },
+ "variables": {
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "policies": {
+ "policyDefinitions": [
+ {
+ "properties": {
+ "displayName": "Enforce SSL connection should be enabled for MySQL database servers",
+ "mode": "Indexed",
+ "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.1",
+ "category": "MySQL"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "exists": "true"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/sslEnforcement",
+ "notEquals": "Enabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-MySql-SSL-Connection"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
+ "apiVersion": "2019-09-01",
+ "copy": {
+ "name": 
"policyDefinitionCopy",
+ "count": "[length(variables('policies').policyDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
+ "policyType": "Custom",
+ "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
+ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
+ "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "name": "Compliant-MySQL",
+ "dependsOn": [
+ "policyDefinitionCopy"
+ ],
+ "properties": {
+ "metadata": {
+ "version": "1.0.0",
+ "category": "MySql"
+ },
+ "displayName": "Enforce secure-by-default MySQL for Financial Services Industry",
+ "description": "This policy initiative is a group of policies that ensures MySQL is compliant per FSI Landing Zones",
+ "policyDefinitionGroups": [
+ {
+ "name": "Encryption",
+ "category": "Data Protection",
+ "displayName": "Ensure MySQL is using secure encryption",
+ "description": "Policy to ensure MySQL is using secure encryption"
+ },
+ {
+ "name": "Network",
+ "category": "Network Security",
+ "displayName": "Ensure MySQL is not accessible over the public internet",
+ "description": "Policy to ensure MySQL is not accessible over the public internet"
+ },
+ {
+ "name": "Identity",
+ "category": "Identity Management",
+ "displayName": "Ensure usage of centralized identity and auhtorization system for MySQL",
+ "description": "Policy to ensure MySQL is not using local authorization"
+ },
+ {
+ "name": "Logging",
+ "category": "Logging and Threat Detection",
+ "displayName": "Ensure MySQL is logging all events to Log Analytics",
+ 
"description": "Policy to ensure MySQL is logging all events to Log Analytics workspace"
+ }
+ ],
+ "parameters": {
+ "mySqlInfraEncryption": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mySqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "mySqlFlexiblePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mySqlPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "mySqlSsl": {
+ "type": "string",
+ "defaultValue": "Deny"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
+ "policyDefinitionReferenceId": "Deny-MySql-Ssl",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlSsl')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
+ "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
+ "policyDefinitionReferenceId": "Deny-MySql-Flex-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlFlexiblePublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
+ "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlAdvThreatProtection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
+ "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlInfraEncryption')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
new file mode 100644
index 00000000..b8a9cb25
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
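Review bot: The `Logging` group is described as "Ensure MySQL is logging all events to Log Analytics", but its only member is `Dine-MySql-Adv-Threat-Protection`; unlike the Machine Learning initiative there is no diagnostic-settings reference and no Log Analytics workspace parameter, so the group's name and description promise a control this initiative does not deploy. Either add a diagnostics DeployIfNotExists reference with its workspace parameter, or reword the group to "threat protection" so compliance dashboards do not overstate coverage. The custom `Deny-MySql-SSL-Connection` rule only matches `Microsoft.DBforMySQL/servers` (Single Server), while the set separately covers Flexible Server through `Deny-MySql-Flex-Public-Network-Access`; if Flexible Server is in scope, transport-encryption enforcement for it is presumably still uncovered — worth confirming. The set's metadata uses `"category": "MySql"` while the definition's uses `"MySQL"`; pick one casing.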
@@ -0,0 +1,2068 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "Description": "This policy prevents creation of subnets without a UDR attached to them.", + "DisplayName": "Prevent creation of subnets without Route Table", + "Metadata": { + "category": "Network", + "version": "1.0.0" + }, + "Mode": "All", + "Parameters": { + "effect": { + "type": "String", + "metadata": { + "description": "The effect of the policy", + "displayName": "Effect" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "PolicyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks/subnets", + "field": "type" + }, + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id" + }, + { + "field": "name", + "notIn": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet", + "AzureBastionSubnet" + ] + } + ] + }, + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet", + "AzureBastionSubnet" + ] + } + ] + } + }, + "notEquals": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Subnet-Without-UDR" + }, 
+ { + "properties": { + "Description": "This policy prevents creation of subnets without an NSG attached to them.", + "DisplayName": "Prevent creation of subnets without NSG", + "Metadata": { + "category": "Network", + "version": "1.0.0" + }, + "Mode": "All", + "Parameters": { + "effect": { + "type": "String", + "metadata": { + "description": "The effect of the policy", + "displayName": "Effect" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "PolicyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks/subnets", + "field": "type" + }, + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id" + }, + { + "field": "name", + "notIn": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet" + ] + }, + { + "equals": 0, + "value": "[[length(field('Microsoft.Network/virtualNetworks/subnets/privateEndpoints[*]'))]" + } + ] + }, + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet" + ] + }, + { + "equals": 0, + "value": "[[length(field('Microsoft.Network/virtualNetworks/subnets[*].privateEndpoints[*]'))]" + } + ] + } + }, + "notEquals": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Subnet-Without-NSG" + }, + { + "properties": { + "displayName": "Prevent NSG rule changes that allow all inbound traffic", + "description": "Prevent the creation of network security group rules that allow all inbound traffic", + "mode": "All", + "metadata": { + "category": 
"Network", + "version": "1.0.0" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "in": [ + "*", + "Internet" + ] + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notIn": [ + "*", + "Internet" + ] + } + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Inbound-Internet-All" + }, + { + "properties": { + "mode": "All", + "displayname": "Deny or Audit service endpoints on subnets", + "policyType": "Custom", + "description": "This Policy will deny/audit Service Endpoints on subnets. 
Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.", + "metadata": { + "category": "Network", + "version": "1.0.0" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]", + "where": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service", + "exists": true + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Service-Endpoints" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": 
{ + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-LoadBalancer" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/frontDoors" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + 
"type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-FrontDoor" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-TrafficManager" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-Vnet" + }, + { + "properties": { + "displayName": "RDP access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows RDP access from Internet", + "mode": "All", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or 
disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "3389" + }, + { + "value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]", + "equals": "true" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "not": { + 
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "3389" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-RDP-From-Internet" + }, + { + "properties": { + "displayName": "SSH access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows SSH access from Internet", + "mode": "All", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": 
"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "22" + }, + { + "value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22)), 'false')]", + "equals": "true" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22)) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "22" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": 
{ + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-SSH-From-Internet" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + "then": { + 
"effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": 
{ + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-ExpressRouteCircuit" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Network", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "displayName": "Enforce secure-by-default Network and Networking services for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure Network is using secure encryption", + "description": "Policy to ensure API Network is using secure protocols" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": 
"Ensure Network is not accessible over the public internet", + "description": "Policy to ensure Network is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for API Network", + "description": "Policy to ensure Network is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Networking services are logging all events to Log Analytics", + "description": "Policy to ensure Networking services are logging all events to Log Analytics workspace" + } + ], + "parameters": { + "subnetUdr": { + "type": "string", + "defaultValue": "Deny" + }, + "subnetNsg": { + "type": "string", + "defaultValue": "Deny" + }, + "denyInboundInternet": { + "type": "string", + "defaultValue": "Deny" + }, + "subnetServiceEndpoint": { + "type": "string", + "defaultValue": "Deny" + }, + "appGwWaf": { + "type": "string", + "defaultValue": "Deny" + }, + "vnetModifyDdos": { + "type": "string", + "defaultValue": "Modify" + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "nsgDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "nsgLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "wafMode": { + "type": "string", + "defaultValue": "Deny" + }, + "wafModeRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "wafFwRules": { + "type": "string", + "defaultValue": "Deny" + }, + "wafModeAppGw": { + "type": "string", + "defaultValue": "Deny" + }, + "wafModeAppGwRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "lbDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "fdDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + 
"fdDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "tmDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "vnetDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "denyRdpFromInternet": { + "type": "string", + "defaultValue": "Deny" + }, + "denySshFromInternet": { + "type": "string", + "defaultValue": "Deny" + }, + "erDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "bastionDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "bastionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "bastionLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "fdCdnDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "fdCdnLogAnalyticsWorkpaceId": { + "type": "string", + "defaultValue": "" + }, + "fdCdnLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "pipDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "pipLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "pipLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "gwDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "gwLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "gwLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "p2sDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "p2sLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "p2sLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + 
"afwEnbaleTlsForAllAppRules": { + "type": "string", + "defaultValue": "Deny" + }, + "afwEnableTlsInspection": { + "type": "string", + "defaultValue": "Deny" + }, + "afwEmptyIDPSBypassList": { + "type": "string", + "defaultValue": "Deny" + }, + "afwEnableAllIDPSSignatureRules": { + "type": "string", + "defaultValue": "Deny" + }, + "afwEnableIDPS": { + "type": "string", + "defaultValue": "Deny" + }, + "wafAfdEnabled": { + "type": "string", + "defaultValue": "Deny" + }, + "vpnAzureAD": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", + "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet", + "groupNames": [ + "Network" + ], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", + "policyDefinitionReferenceId": "Deny-VPN-AzureAD", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('vpnAzureAD')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('wafAfdEnabled')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", + "policyDefinitionReferenceId": "Deny-Waf-IDPS", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableIDPS')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", + "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableAllIDPSSignatureRules')]" + 
} + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", + "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('afwEmptyIDPSBypassList')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", + "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableTlsInspection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", + "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('afwEnbaleTlsForAllAppRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cac9e1c5-c3cb-47fa-8d4c-88b8559262d2", + "policyDefinitionReferenceId": "Dine-Diagnostics-P2S", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('p2sDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('p2sLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('p2sLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed6ae75a-828f-4fea-88fd-dead1145f1dd", + "policyDefinitionReferenceId": "Dine-Diagnostics-Gw", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('gwDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('gwLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('gwLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1513498c-3091-461a-b321-e9b433218d28", + 
"policyDefinitionReferenceId": "Dine-Diagnostics-Pip", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('pipDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('pipLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('pipLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b", + "policyDefinitionReferenceId": "Dine-Diagnostics-FdCdn", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('fdCdnDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('fdCdnLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('fdCdnLogAnalyticsWorkpaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8352124-56fa-4f94-9441-425109cdc14b", + "policyDefinitionReferenceId": "Dine-Diagnostics-Bastion", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('bastionDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('bastionLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('bastionLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", + "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('wafModeAppGw')]" + }, + "modeRequirement": { + "value": "[[parameters('wafModeAppGwRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d", + "policyDefinitionReferenceId": "Deny-Waf-Fw-rules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('wafFwRules')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", + "policyDefinitionReferenceId": "Deny-Waf-mode", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('wafMode')]" + }, + "modeRequirement": { + "value": "[[parameters('wafModeRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98a2e215-5382-489e-bd29-32e7190a39ba", + "policyDefinitionReferenceId": "Dine-Nsg-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('nsgDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('nsgLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "policyDefinitionReferenceId": "Modify-vNet-DDoS", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('vnetModifyDdos')]" + }, + "ddosPlan": { + "value": "[[parameters('ddosPlanResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "policyDefinitionReferenceId": "Deny-Ip-Forwarding", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", + "policyDefinitionReferenceId": "Deny-vNic-Pip", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appGwWaf')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Subnet-Without-UDR", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('subnetUdr')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('subnetNsg')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]", + "policyDefinitionReferenceId": "Deny-Inbound-Internet-All", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('denyInboundInternet')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[3].name)]", + "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('subnetServiceEndpoint')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[4].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-LoadBalancer", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('lbDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('lbDiagnosticsLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 
variables('policies').policyDefinitions[5].name)]",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-FrontDoor",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('fdDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('fdDiagnosticsLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[6].name)]",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-TrafficManager",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('tmDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('tmDiagnosticsLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[7].name)]",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-Vnet",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vnetDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('vnetDiagnosticsLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[8].name)]",
+ "policyDefinitionReferenceId": "Deny-Rdp-From-Internet",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('denyRdpFromInternet')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[9].name)]",
+ "policyDefinitionReferenceId": "Deny-Ssh-From-Internet",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('denySshFromInternet')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'),
'/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[10].name)]",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-ExpressRoute",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('erDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('erDiagnosticsLogAnalyticsWorkspaceId')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json
new file mode 100644
index 00000000..84bd90b3
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json
@@ -0,0 +1,351 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Outbound network access should be restricted for Cognitive Services", + "mode": "Indexed", + "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-CognitiveServices-RestrictOutboundNetworkAccess" + }, + { + "properties": { + "displayName": "Network ACLs should be restricted for Cognitive Services", + "mode": "Indexed", + "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. 
Enable this to restrict inbound network access and enforce the usage of private endpoints.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-CognitiveServices-NetworkAcls" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-OpenAi", + "dependsOn": [ 
+ "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "displayName": "Enforce secure-by-default Open AI (Cognitive Service) for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Open AI (Cognitive Service)", + "description": "Policy to ensure data protection for Open AI (Cognitive Service)" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Open AI (Cognitive Service) is not accessible over the public internet", + "description": "Policy to ensure Open AI (Cognitive Service) not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Open AI (Cognitive Service)", + "description": "Policy to ensure Open AI (Cognitive Service) is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Open AI (Cognitive Service) is logging all events to Log Analytics", + "description": "Policy to ensure Open AI (Cognitive Service) is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "cognitiveServicesNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "cognitiveServicesModifyDisableLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "cognitiveServicesDisableLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + 
"cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesOutboundNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesNetworkAcls": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesOutboundNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAcls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-CMK", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('cognitiveServicesNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json new file mode 100644 index 00000000..343c8f36 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json 
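Review bot: The `Logging` policyDefinitionGroup of `Compliant-OpenAi` claims "logging all events to Log Analytics", but none of the ten `policyDefinitions` entries references that group — there is no diagnostic-settings DeployIfNotExists for `Microsoft.CognitiveServices/accounts`, unlike the PostgreSQL and APIM initiatives in this same commit, so the initiative advertises a control it does not enforce. Either add a `Dine-Diagnostics-CognitiveServices` custom definition (same shape as `Dine-Diagnostics-PostgreSQL`, with `cognitiveServicesDiagnostics` / `cognitiveServicesLogAnalyticsWorkspaceId` initiative parameters) or drop the empty group. The initiative parameters are bare `string`s with a default and no `allowedValues`, so an assignment can set e.g. `cognitiveServicesModifyPublicNetworkAccess` to `Deny`, which the referenced Modify definition will presumably reject only at assignment time; adding `"allowedValues"` matching each referenced definition catches that at authoring time. Minor: `auhtorization` in the Identity group displayName.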
@@ -0,0 +1,424 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "mode": "Indexed", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "exists": "true" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-PostgreSql-SSL-Connection" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL (server and flexible server) to Log Analytics 
workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL (server and flexible) to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "2.0.0", + "category": "PostgreSQL" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + 
"equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "resourceType": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "condition": "[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]", + "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]", + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 
'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "resourceType": { + "value": "[[field('type')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-PostgreSQL" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-PostgreSQL", + "dependsOn": [ 
+ "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "displayName": "Enforce secure-by-default PostgreSQL for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure PostgreSQL is using secure encryption", + "description": "Policy to ensure PostgreSQL is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure PostgreSQL is not accessible over the public internet", + "description": "Policy to ensure PostgreSQL is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for PostgreSQL", + "description": "Policy to ensure PostgreSQL is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure PostgreSQL is logging all events to Log Analytics", + "description": "Policy to ensure PostgreSQL is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "postgreSqlFlexiblePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "postgreSqlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "postgreSqlSsl": { + "type": "string", + "defaultValue": "Deny" + }, + "postgreSqlAdvThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "postgreDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "postgreLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3", + 
"policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection", + "groupNames": [ + "Logging", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlAdvThreatProtection')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-PostgreSql-Ssl", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlSsl')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-Postgre", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('postgreLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "policyDefinitionReferenceId": "Deny-PostgreSql-Flexible-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlFlexiblePublicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
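Review bot: `Deny-PostgreSql-SSL-Connection` only fires when `sslEnforcement` both `exists: "true"` and is not `Enabled`, so a create/update request that simply omits the property is never denied — with the initiative defaulting this to `Deny`, the control can be bypassed by leaving the field out, and the server's TLS posture then rests on the provider default rather than on policy. The `Deny-CognitiveServices-RestrictOutboundNetworkAccess` rule added in this same commit already uses the safer `anyOf` of `exists: "false"` / `notEquals`; apply that pattern here (rewritten `if` below). The rule also matches only `Microsoft.DBforPostgreSQL/servers`, while `Dine-Diagnostics-PostgreSQL` covers `flexibleServers` too; as far as I can tell flexible servers do not expose `sslEnforcement`, so if they are in scope they need their own control rather than a widened `type` match. Minor: `auhtorization` in the Identity group displayName.
```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
            "exists": "false"
          },
          {
            "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement",
            "notEquals": "Enabled"
          }
        ]
      }
    ]
  },
```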
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json
index 3aeb5098..8c866206 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json
@@ -9,58 +9,109 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ { "properties": { - "displayName": "Private endpoint connections on Azure SQL Database should be enabled", - "mode": "Indexed", - "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", - "metadata": { - "version": "1.0.0", - "category": "SQL" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Sql/servers" - }, - { - "count": { - "field": "Microsoft.Sql/servers/privateEndpointConnections[*]", - "where": { - "field": "Microsoft.Sql/servers/privateEndpointConnections[*].privateLinkServiceConnectionState.status", - "equals": "Approved" - } - }, - "less": 1 - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, + "displayName": "Private endpoint connections on Azure SQL Database should be enabled", + "mode": "Indexed", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": 
"Microsoft.Sql/servers" + }, + { + "count": { + "field": "Microsoft.Sql/servers/privateEndpointConnections[*]", + "where": { + "field": "Microsoft.Sql/servers/privateEndpointConnections[*].privateLinkServiceConnectionState.status", + "equals": "Approved" + } + }, + "less": 1 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, "name": "Deny-Sql-Db-Public-Endpoint" + }, + { + "properties": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "mode": "Indexed", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", + "metadata": { + "version": "1.0.1", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "exists": false + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notEquals": "1.2" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Sql-Managed-Tls-Version" } ] } 
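Review bot: Roughly fifty lines of this hunk are a pure re-indentation of the unchanged `Deny-Sql-Db-Public-Endpoint` definition, which buries the one real addition (`Deny-Sql-Managed-Tls-Version`) and breaks blame on every one of those lines; split the whitespace change into its own commit or drop it. In the new rule `"exists": false` is a JSON boolean whereas the other definitions in this commit write `"exists": "false"` — Azure Policy accepts both, but pick one form. `"notEquals": "1.2"` pins the exact string, so if the service later accepts a newer TLS version this Deny would also reject that stricter setting; a `"notIn": ["1.2"]` makes the intent explicit and is trivially extended, and the description should say so, e.g. `Only TLS 1.2 is accepted today; extend the list when a newer version is supported.`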
@@ -96,20 +147,20 @@ "version": "1.0.0", "category": "SQL" }, - "displayName": "Enforce secure-by-default SQL for Financial Services Industry", - "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default SQL and SQL Managed Instance for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per FSI Landing Zones", "policyDefinitionGroups": [ { "name": "Encryption", "category": "Data Protection", "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", - "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + "description": "Policy to ensure data protection for SQL and SQL Managed Instance" }, { "name": "Network", "category": "Network Security", - "displayName": "Ensure SQL is not accessible over the public internet", - "description": "Policy to ensure SQL is not accessible over the public internet" + "displayName": "Ensure SQL and SQL Managed Instance is not accessible over the public internet", + "description": "Policy to ensure SQL and SQL Managed Instance is not accessible over the public internet" }, { "name": "Identity", @@ -120,8 +171,8 @@ { "name": "Logging", "category": "Logging and Threat Detection", - "displayName": "Ensure SQL is logging all events to Log Analytics", - "description": "Policy to ensure SQL is logging all events to Log Analytics workspace" + "displayName": "Ensure SQL and SQL Managed Instance is logging all events to Log Analytics", + "description": "Policy to ensure SQL and SQL Managed Instance is logging all events to Log Analytics workspace" } ], "parameters": { 
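Review bot: The `Encryption` group's `displayName` still reads `Ensure compliance for purge protection, soft delete, and key rotation` — Key Vault wording — while its `description` was updated in this hunk to `Policy to ensure data protection for SQL and SQL Managed Instance`, so the two now disagree and the displayName is what the portal shows. Change it to `Ensure compliance for data encryption, protection, and recovery for SQL and SQL Managed Instance`, which matches the phrasing used for the OpenAI initiative in this commit.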
@@ -148,9 +199,176 @@ "sqlDbTls": { "type": "string", "defaultValue": "Deny" + }, + "sqlManagedAadOnly": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlTde": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlManagedPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlAadOnly": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlManagedCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlManagedDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlDbServerDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlDbAllDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, - "policyDefinitions": [ + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + "policyDefinitionReferenceId": "Dine-Diagnostics-SqlDbServerAll", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbAllDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('sqlDbAllLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ea8a143-05e3-4553-abfe-f56bef8b0b70", + "policyDefinitionReferenceId": "Dine-Diagnostics-SqlDbServer", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbServerDiagnostics')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[[parameters('sqlDbServerLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd", + 
"policyDefinitionReferenceId": "Dine-Sql-Managed-Defender", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedDefender')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027", + "policyDefinitionReferenceId": "Deny-Sql-Aad-Only", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlAadOnly')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "policyDefinitionReferenceId": "Dine-Sql-Tde", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlTde')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only", + "groupNames": [ + "Identity" + ], + 
"parameters": { + "effect": { + "value": "[[parameters('sqlManagedAadOnly')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", + "policyDefinitionReferenceId": "Dine-Sql-Defender", + "groupNames": [ + "Encryption", + "Logging" + ], + "parameters": {} + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", "policyDefinitionReferenceId": "Dine-Sql-Adv-Data", @@ -222,7 +440,7 @@ "value": "[[parameters('modifySqlPublicNetworkAccess')]" } } - } + } ] } } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json index 9339fdd3..5cea59a6 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json @@ -96,7 +96,7 @@ "category": "Service Bus" }, "displayName": "Enforce secure-by-default Service Bus for Financial Services Industry", - "description": "This policy initiative is a group of policies that ensures App Service is compliant per FSI Landing Zones", + "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per FSI Landing Zones", "policyDefinitionGroups": [ { "name": "Encryption", @@ -140,14 +140,6 @@ "type": "string", "defaultValue": "Deny" }, - "serviceBusPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "serviceBusDinePrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, "serviceBusDenyCmk": { "type": "string", "defaultValue": "Deny" 
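Review bot: `Dine-Sql-Defender` (policy `36d49e87-…`) is referenced with `"parameters": {}`, so unlike every other entry in this initiative its effect cannot be set to `Disabled` at assignment time and an exemption becomes the only way to switch it off. Add a `sqlDefender` initiative parameter defaulting to `DeployIfNotExists` and pass it as `"effect": { "value": "[[parameters('sqlDefender')]" }`, mirroring `Dine-Sql-Managed-Defender`. The two new workspace parameters `sqlDbServerLogAnalyticsWorkspaceId` and `sqlDbAllLogAnalyticsWorkspaceId` both default to `""`; presumably the assignment template fills them, but if either is left at its default the DeployIfNotExists will presumably try to create a diagnostic setting with an empty `workspaceId`, and two independent values for what should be one workspace can drift — consider a single parameter. Grouping is also inconsistent: `Dine-Sql-Managed-Defender` is only under `Logging` while `Dine-Sql-Defender` is under both `Encryption` and `Logging`.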
@@ -163,12 +155,28 @@ "profileName": { "type": "string", "defaultValue": "setByPolicy" + }, + "serviceBusAuthzRules": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", + "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusAuthzRules')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", - "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionReferenceId": "Dine-Sb-Diagnostics", "groupNames": [ "Logging" ], @@ -196,21 +204,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", - "policyDefinitionReferenceId": "DINE-Sb-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('serviceBusDinePrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('serviceBusPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b", "policyDefinitionReferenceId": "Deny-Sb-Encryption", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json index d2e138a5..33f42bbc 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json 
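Review bot: Renaming `policyDefinitionReferenceId` from `ServiceBusDeployDiagnosticLogDeployLogAnalytics` to `Dine-Sb-Diagnostics` in the second change of this hunk is a breaking change for anything keyed on the old id: policy exemptions select initiative members by `policyDefinitionReferenceIds`, so exemptions written against the old id stop matching once the set is redeployed. The same applies to the set name change `Compliant-Storage-Account` → `Compliant-Storage` at `-82` in Compliant-StoragePolicySetDefinition.json, which in an incremental deployment presumably creates a second set definition and leaves the old one and its assignments in place, and to `Modify-Api-Storage-Account-PublicEndpoint` → `Modify-Blob-Storage-Account-PublicEndpoint` at `-620`. If the renames are intended, bump the affected sets' `metadata.version` and state the migration step (re-create exemptions, re-assign the renamed set, remove the orphaned one) in the commit description. The new `Deny-Sb-Authz-Rules` entry itself follows the shape and naming of the rest of the set.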
@@ -82,7 +82,7 @@
 {
 "type": "Microsoft.Authorization/policySetDefinitions",
 "apiVersion": "2021-06-01",
- "name": "Compliant-Storage-Account",
+ "name": "Compliant-Storage",
 "dependsOn": [
 "policyDefinitionCopy"
 ],
@@ -120,26 +120,10 @@
 }
 ],
 "parameters": {
- "storagePrivateDnsZoneId": {
- "type": "string",
- "defaultValue": ""
- },
- "storagePrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
 "storageKeysExipiration": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "storageFileSyncPrivateDnsZoneId": {
- "type": "string",
- "defaultValue": ""
- },
- "storageFileSyncPrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
 "modifyStorageFileSyncPublicEndpoint": {
 "type": "string",
 "defaultValue": "Modify"
@@ -204,26 +188,10 @@
 "type": "string",
 "defaultValue": ""
 },
- "storageFileDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
- "storageFileDnsZoneId": {
- "type": "string",
- "defaultValue": ""
- },
 "storageAccountsCmk": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "storageBlobPrivateDnsZoneId": {
- "type": "string",
- "defaultValue": ""
- },
- "storageBlobPrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
 "storageQueueDiagnostics": {
 "type": "string",
 "defaultValue": "DeployIfNotExists"
@@ -244,14 +212,6 @@
 "type": "string",
 "defaultValue": "Deny"
 },
- "storageAccountsPrivateEndpoint": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
- "storageAccountsPrivateEndpointSubnetId": {
- "type": "string",
- "defaultValue": ""
- },
 "storageAccountsModifyDisablePublicNetworkAccess": {
 "type": "string",
 "defaultValue": "Modify"
@@ -279,9 +239,48 @@
 "storageAccountsTls": {
 "type": "string",
 "defaultValue": "Deny"
+ },
+ "storageAccountsEncryptionCmk": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "storageBlobDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "storageBlobLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
 }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-Storage-blob",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('storageBlobDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('storageBlobLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
+ "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('storageAccountsEncryptionCmk')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0",
 "policyDefinitionReferenceId": "Deny-Storage-Tls",
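Review bot: `Dine-Diagnostics-Storage-blob` breaks the capitalised-segment convention every other reference id in this set follows (`Deny-Storage-Encryption-Cmk`, `Deny-Storage-Tls`, `Dine-Storage-Accounts-Diagnostics`); reference ids are the handles operators type into exemptions, so `"policyDefinitionReferenceId": "Dine-Diagnostics-Storage-Blob"` would be the consistent spelling. Separately, `storageBlobLogAnalyticsWorkspaceId` defaults to `""` while `storageBlobDiagnostics` defaults to `DeployIfNotExists`, so an assignment that forgets the workspace id presumably attempts remediation with an empty `logAnalytics` target; a one-line note on the parameter, or a default effect of `Disabled` until an id is supplied, would make that failure mode explicit.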
@@ -366,22 +365,7 @@
 "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]"
 }
 }
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074",
- "policyDefinitionReferenceId": "Dine-Storage-Account-PrivateEndpoint",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('storageAccountsPrivateEndpoint')]"
- },
- "privateEndpointSubnetId": {
- "value": "[[parameters('storageAccountsPrivateEndpointSubnetId')]"
- }
- }
- },
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312",
 "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant",
@@ -435,21 +419,6 @@
 }
 }
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0",
- "policyDefinitionReferenceId": "Dine-Storage-Blob-PrivateDns",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('storageBlobPrivateDnsZone')]"
- },
- "privateDnsZoneId": {
- "value": "[[parameters('storageBlobPrivateDnsZoneId')]"
- }
- }
- },
 {
 "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Deny-Storage-Cmk')]",
 "policyDefinitionReferenceId": "Deny-Storage-Cmk",
@@ -462,21 +431,6 @@
 }
 }
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6",
- "policyDefinitionReferenceId": "Dine-Storage-FileGroupId-Dns",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('storageFileDnsZone')]"
- },
- "privateDnsZoneId": {
- "value": "[[parameters('storageFileDnsZoneId')]"
- }
- }
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef",
 "policyDefinitionReferenceId": "Dine-Storage-Accounts-Diagnostics",
@@ -620,7 +574,7 @@
 },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b",
- "policyDefinitionReferenceId": "Modify-Api-Storage-Account-PublicEndpoint",
+ "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint",
 "groupNames": [
 "Network"
 ],
@@ -642,21 +596,6 @@
 }
 }
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a",
- "policyDefinitionReferenceId": "Dine-Storage-Account-Private-Dns",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "privateDnsZoneId": {
- "value": "[[parameters('storagePrivateDnsZoneId')]"
- },
- "effect": {
- "value": "[[parameters('storagePrivateDnsZone')]"
- }
- }
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
 "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire",
@@ -668,21 +607,6 @@
 "value": "[[parameters('storageKeysExipiration')]"
 }
 }
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475",
- "policyDefinitionReferenceId": "Dine-Storage-File-Sync-Private-Dns",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "privateDnsZoneId": {
- "value": "[[parameters('storageFileSyncPrivateDnsZoneId')]"
- },
- "effect": {
- "value": "[[parameters('storageFileSyncPrivateDnsZone')]"
- }
- }
 }
 ]
 }
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json
new file mode 100644
index 00000000..617d02c6
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json
@@ -0,0 +1,359 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "defaultValue": "FSIDemo"
+ }
+ },
+ "variables": {
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "policies": {
+ "policyDefinitions": [
+ {
+ "properties": {
+ "displayName": "IP firewall rules on Azure Synapse workspaces should be removed",
+ "mode": "All",
+ "description": "Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Synapse"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Synapse/workspaces/firewallrules"
+ },
+ {
+ "field": "name",
+ "exists": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-Synapse-Fw-Rules"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
+ "apiVersion": "2019-09-01",
+ "copy": {
+ "name": "policyDefinitionCopy",
+ "count": "[length(variables('policies').policyDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
+ "policyType": "Custom",
+ "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
+ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
+ "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "name": "Compliant-Synapse",
+ "dependsOn": [
+ "policyDefinitionCopy"
+ ],
+ "properties": {
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Synapse"
+ },
+ "displayName": "Enforce secure-by-default Synapse workspaces for Financial Services Industry",
+ "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per FSI Landing Zones",
+ "policyDefinitionGroups": [
+ {
+ "name": "Encryption",
+ "category": "Data Protection",
+ "displayName": "Ensure compliance for data encryption, protection, and recovery for Synapse workspaces",
+ "description": "Policy to ensure data protection for Synapse workspaces"
+ },
+ {
+ "name": "Network",
+ "category": "Network Security",
+ "displayName": "Ensure Synapse workspaces is not accessible over the public internet",
+ "description": "Policy to ensure Synapse workspaces not accessible over the public internet"
+ },
+ {
+ "name": "Identity",
+ "category": "Identity Management",
+ "displayName": "Ensure usage of centralized identity and auhtorization system for Synapse workspaces",
+ "description": "Policy to ensure Synapse workspaces is not using local authorization"
+ },
+ {
+ "name": "Logging",
+ "category": "Logging and Threat Detection",
+ "displayName": "Ensure Synapse workspaces is logging all events to Log Analytics",
+ "description": "Policy to ensure Synapse workspaces is logging all events to Log Analytics workspace"
+ },
+ {
+ "name": "DevOps",
+ "category": "DevOps Security",
+ "displayName": "Ensure Synapse workspaces is is using Git as source control",
+ "description": "Policy to ensure Synapse workspaces is configured to use Git as source control"
+ }
+ ],
+ "parameters": {
+ "synapseLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapseManagedVnet": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapseDataTraffic": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapsePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapseTenants": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapseAllowedTenantIds": {
+ "type": "array",
+ "defaultValue": [
+ "[[subscription().tenantId]"
+ ]
+ },
+ "synapseFwRules": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapseModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "synapseModifyTlsVersion": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "synapseModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "synapseTlsVersion": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapseCmk": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "synapseDefender": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "synapseDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "synapseLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32ba8d30-07c0-4136-ab18-9a11bf4a67b7",
+ "policyDefinitionReferenceId": "Dine-Synapse-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseDiagnostics')]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[[parameters('synapseLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6",
+ "policyDefinitionReferenceId": "Dine-Synapse-Defender",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseDefender')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385",
+ "policyDefinitionReferenceId": "Deny-Synapse-Cmk",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseCmk')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4",
+ "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseTlsVersion')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c",
+ "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth",
+ "groupNames": [
+ "Identity"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseModifyLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140",
+ "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseModifyTlsVersion')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a",
+ "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
+ "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseFwRules')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0",
+ "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access",
+ "groupNames": [
+ "Network",
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseTenants')]"
+ },
+ "allowedTenantIds": {
+ "value": "[[parameters('synapseAllowedTenantIds')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d",
+ "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapsePublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218",
+ "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic",
+ "groupNames": [
+ "Network",
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseDataTraffic')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650",
+ "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseManagedVnet')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8",
+ "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth",
+ "groupNames": [
+ "Identity"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('synapseLocalAuth')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json
new file mode 100644
index 00000000..6fe6861e
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json
@@ -0,0 +1,603 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "defaultValue": "redm"
+ }
+ },
+ "variables": {
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "policies": {
+ "policyDefinitions": [
+ {
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Desktop Virtualization"
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/applicationGroups"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Dine-Diagnostics-avdAppGroup"
+ },
+ {
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Desktop Virtualization"
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/hostpools"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Dine-Diagnostics-avdHostPool"
+ },
+ {
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Desktop Virtualization"
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/workspaces"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Dine-Diagnostics-avdWorkspace"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
+ "apiVersion": "2019-09-01",
+ "copy": {
+ "name": "policyDefinitionCopy",
+ "count": "[length(variables('policies').policyDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
+ "policyType": "Custom",
+ "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
+ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
+ "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "name": "Compliant-AVD",
+ "dependsOn": [
+ "policyDefinitionCopy"
+ ],
+ "properties": {
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Desktop Virtualization"
+ },
+ "displayName": "Enforce secure-by-default Virtual Desktop for Financial Services Industry",
+ "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per FSI Landing Zones",
+ "policyDefinitionGroups": [
+ {
+ "name": "Encryption",
+ "category": "Data Protection",
+ "displayName": "Ensure compliance for purge protection, soft delete, and key rotation",
+ "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation"
+ },
+ {
+ "name": "Network",
+ "category": "Network Security",
+ "displayName": "Ensure Virtual Desktop is not accessible over the public internet",
+ "description": "Policy to ensure Key Vault is not accessible over the public internet"
+ },
+ {
+ "name": "Identity",
+ "category": "Identity Management",
+ "displayName": "Ensure usage of centralized identity and auhtorization system for Virtual Desktop",
+ "description": "Policy to ensure Virtual Desktop is not using local authorization"
+ },
+ {
+ "name": "Logging",
+ "category": "Logging and Threat Detection",
+ "displayName": "Ensure Virtual Desktop is logging all events to Log Analytics",
+ "description": "Policy to ensure Virtual Desktop is logging all events to Log Analytics workspace"
+ }
+ ],
+ "parameters": {
+ "avdHostPoolPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "avdHostPoolModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "avdWorkspacePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "avdWorkspaceModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "avdAppGroupDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "avdAppGroupLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "avdHostPoolDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "avdHostPoolLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "avdWorkspaceDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "avdWorkspaceLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-avdAppGroup",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdAppGroupDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('avdAppGroupLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-avdHostPool",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdHostPoolDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('avdHostPoolLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-avdWorkspace",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdWorkspaceDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('avdWorkspaceLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd",
+ "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdWorkspacePublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f",
+ "policyDefinitionReferenceId": "Modify-Workspace-PublicNetworkAccess",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdWorkspaceModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334",
+ "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdHostPoolPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d",
+ "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdHostPoolModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json
index 2b363cf7..07dfd010 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json
@@ -4,6 +4,7 @@
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "type": "String",
+ "defaultValue": "FSIDemo",
 "maxLength": 10,
 "metadata": {
 "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
@@ -1081,6 +1082,54 @@ }, "name": "Deploy-Custom-Route-Table" }, + { + + "properties": { + "displayName": "Allowed locations for Landing Zone workloads", + "policyType": "Custom", + "mode": "Indexed", + "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.", + "metadata": { + "category": "General" + }, + "parameters": { + "listOfAllowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed locations", + "description": "The list of locations that can be specified when deploying resources.", + "strongType": "location" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "location", + "notIn": "[[parameters('listOfAllowedLocations')]" + }, + { + "field": "location", + "notEquals": "global" + }, + { + "field": "type", + "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" + }, + { + "field": "type", + "notEquals": "Microsoft.Resources/deployments" + } + ] + }, + "then": { + "effect": "deny" + } + } + }, + "name": "Deny-Location" + }, { "properties": { "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", 
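Review bot: The new `Deny-Location` definition hard-codes `"effect": "deny"` in its `then` block instead of exposing an `effect` parameter the way the Security Center set in the next hunk does with its `enableAscFor*` parameters, so the policy cannot be rolled out in audit mode or disabled for a single assignment without editing the definition. Suggest adding a parameter `"effect": { "type": "String", "allowedValues": ["Audit", "Deny", "Disabled"], "defaultValue": "Deny" }` next to `listOfAllowedLocations` and changing the rule to `"effect": "[[parameters('effect')]"`. The description says resource groups are excluded; that is a consequence of `"mode": "Indexed"` rather than of any clause in the rule, so a short comment such as `// Indexed mode: resource groups are not evaluated, use a separate resource-group location policy` would stop someone "fixing" the mode to `All` later.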
@@ -15960,6 +16009,30 @@ "displayName": "Effect", "description": "Enable or disable the execution of the policy" } + }, + "enableAscForCSPM": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enablle or disable the execution of the policy" + }, + "defaultValue": "DeployIfNotExists" + }, + "enableAscForCosmosDb": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enablle or disable the execution of the policy" + }, + "defaultValue": "DeployIfNotExists" + }, + "enableAscForSynapse": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enablle or disable the execution of the policy" + }, + "defaultValue": "DeployIfNotExists" } }, "metadata": { @@ -15967,6 +16040,33 @@ "category": "Security Center" }, "PolicyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", + "policyDefinitionReferenceId": "defenderForSynapse", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSynapse')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "policyDefinitionReferenceId": "defenderForCosmosDb", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDb')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "policyDefinitionReferenceId": "defenderForCSPM", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCSPM')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", "policyDefinitionReferenceId": "defenderForOssDb", 
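Review bot: The three new parameters `enableAscForCSPM`, `enableAscForCosmosDb` and `enableAscForSynapse` carry the typo `"Enablle or disable the execution of the policy"` in their descriptions, where the neighbouring parameter visible above them reads `Enable or disable the execution of the policy`; this text is shown to whoever assigns the set. They also accept any string as an effect; if the other `enableAscFor*` parameters in this set constrain the value, match them, otherwise add `"allowedValues": ["DeployIfNotExists", "Disabled"]` so a mistyped effect in an assignment fails at validation rather than silently at evaluation. The enclosing `parameters` object starts before this hunk.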
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json
index 1ae305a2..1b91a1f8 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json
@@ -22,7 +22,7 @@
 "resources": [
 {
 "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
+ "apiVersion": "2022-04-01",
 "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), parameters('roleDefinitionId')))]",
 "properties": {
 "principalType": "[parameters('principalType')]",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
new file mode 100644
index 00000000..2b022454
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
@@ -0,0 +1,123 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "roles": { + "roleDefinitions": [ + { + "properties": { + "roleName": "[concat(parameters('toplevelManagementGroupPrefix'), '-LZ Subscription Owner')]", + "description": "LZ Subscription Owner", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + "Microsoft.Blueprint/blueprintAssignments/write", + "Microsoft.Blueprint/blueprintAssignments/delete", + "Microsoft.Network/vpnGateways/*", + "Microsoft.Network/expressRouteCircuits/*", + "Microsoft.Network/routeTables/write", + "Microsoft.Network/routeTables/join/*", + "Microsoft.Network/routeTables/delete", + "Microsoft.Network/routeTables/routes/write", + "Microsoft.Network/azurefirewalls/write", + "Microsoft.Network/azurefirewalls/delete", + "Microsoft.Network/firewallPolicies/write", + "Microsoft.Network/firewallPolicies/join/action", + "Microsoft.Network/firewallPolicies/delete", + "Microsoft.Network/firewallPolicies/ruleGroups/write", + "Microsoft.Network/firewallPolicies/ruleGroups/delete", + "Microsoft.Network/vpnSites/*", + "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/*", + "Microsoft.Network/networkSecurityGroups/securityRules/delete", + "Microsoft.Network/networkSecurityGroups/delete", + "Microsoft.Network/virtualNetworks/*/write", + "Microsoft.Network/virtualNetworks/*/delete" + ], + "dataActions": [], + "notDataActions": [] + } + ] + } + }, + { + "properties": { + "roleName": "[concat(parameters('toplevelManagementGroupPrefix'), '-Platform Contributors')]", + "description": "Custom Role that grants full access to manage all Platform resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries", + 
"type": "customRole", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + "Microsoft.Authorization/*/Delete", + "Microsoft.Authorization/*/Write", + "Microsoft.Authorization/elevateAccess/Action", + "Microsoft.Blueprint/blueprintAssignments/write", + "Microsoft.Blueprint/blueprintAssignments/delete", + "Microsoft.Compute/galleries/share/action" + ], + "dataActions": [], + "notDataActions": [] + } + ] + } + }, + { + "properties": { + "roleName": "[concat(parameters('toplevelManagementGroupPrefix'), '-NetOps')]", + "description": "Platform-wide global connectivity management", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleDefinitions", + "name": "[guid(tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix')), variables('roles').roleDefinitions[copyIndex()].properties.roleName)]", + "apiVersion": "2018-01-01-preview", + "copy": { + "name": "roleDefinitionCopy", + "count": "[length(variables('roles').roleDefinitions)]" + }, + "properties": { + "roleName": "[variables('roles').roleDefinitions[copyIndex()].properties.roleName]", + "description": "[variables('roles').roleDefinitions[copyIndex()].properties.description]", + "type": "[variables('roles').roleDefinitions[copyIndex()].properties.type]", + "permissions": "[variables('roles').roleDefinitions[copyIndex()].properties.permissions]", + "assignableScopes": [ + "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" + ] + } + } + ] +} \ No newline at 
end of file diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json index de97c5a3..11c37c11 100644 --- a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json +++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json @@ -158,6 +158,18 @@ "ddosPlanResourceId": { "type": "string", "defaultValue": "" + }, + "subnetMaskForDnsResolverInbound": { + "type": "string", + "defaultValue": "" + }, + "subnetMaskForDnsResolverOutbound": { + "type": "string", + "defaultValue": "" + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "variables": { @@ -166,6 +178,9 @@ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]", "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]", "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", + "dnsResolverName": "[concat(parameters('topLevelManagementGroupPrefix'), '-dnsresolver-', parameters('location'))]", + "dnsResolverInboundEndpointName": "[concat(variables('dnsResolverName'),'/', 'DefaultInboundEndpoint')]", + "dnsResolverOutboundEndpointName": "[concat(variables('dnsResolverName'), '/', 'DefaultOutboundEndpoint')]", "avnmName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnm-', parameters('location'))]", "avnmRgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-netmanager-', parameters('location'))]", "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]", 
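Review bot: The `-LZ Subscription Owner` role grants `"actions": ["*"]` but, unlike the `-Platform Contributors` role in the same file, does not put `Microsoft.Authorization/*/Write` and `Microsoft.Authorization/*/Delete` in its `notActions`, so a holder can write role assignments (for example grant themselves or a service principal the built-in Owner role) and delete or exempt policy assignments in the subscription, which makes every network-related exclusion in that list bypassable. Unless delegated role assignment is deliberately part of this role, add `"Microsoft.Authorization/*/Write",` and `"Microsoft.Authorization/*/Delete",` to its `notActions`, mirroring the Platform Contributors definition. Two smaller points: `Microsoft.Network/virtualNetworks/*/write` appears to cover subnets and peerings but not `Microsoft.Network/virtualNetworks/write` itself (address space, DNS servers), which may or may not be intended and deserves a comment; and `topLevelManagementGroupPrefix` defaults to `""`, which yields role names such as `-NetOps`, so the `maxLength: 10` constraint used by the other templates plus a `minLength` would catch a missing value at validation time.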
@@ -178,8 +193,11 @@ "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", "azFwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/AzureFirewallSubnet')]", "azFwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azFwIpName'))]", + "hubId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/virtualNetworks/', variables('hubName'))]", "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", "avnmDeploymentName": "[take(concat(deployment().name, '-avnetmanager', parameters('location')), 64)]", + "dnsResolverInboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/DnsResolverInboundSubnet')]", + "dnsResolverOutboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/DnsResolverOutboundSubnet')]", // Creating variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency "gwSubnet": [ { 
@@ -197,6 +215,22 @@ } } ], + "dnsResolverInboundSubnet": [ + { + "name": "DnsResolverInboundSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForDnsResolverInbound')]" + } + } + ], + "dnsResolverOutboundSubnet": [ + { + "name": "DnsResolverOutboundSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForDnsResolverOutbound')]" + } + } + ], "ddosProtectionPlanId": { "id": "[parameters('ddosPlanResourceId')]" }, @@ -214,7 +248,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "location": "[parameters('location')]", - "name": "[concat('fsi', '-connectivityHubSub', deployment().location)]", + "name": "[concat('afo', '-connectivityHubSub', deployment().location)]", "subscriptionId": "[parameters('connectivitySubscriptionId')]", "properties": { "mode": "Incremental", @@ -250,15 +284,14 @@ { "type": "Microsoft.Network/networkManagers", "name": "[variables('avnmName')]", - "apiVersion": "2022-07-01", + "apiVersion": "2021-02-01-preview", "location": "[parameters('location')]", "properties": { "displayName": "[concat(parameters('topLevelManagementGroupPrefix'), ' Network Manager')]", "description": "[concat('Virtual Network Manager to manage and deploy virtual networks for ', parameters('topLevelManagementGroupPrefix'))]", "networkManagerScopes": { "managementGroups": [ - "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-landingzones')]", - "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-connectivity')]" + "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-landingzones')]" ], "subscriptions": [], "networkManagerScopeAccesses": [ 
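Review bot: The `DnsResolverInboundSubnet` and `DnsResolverOutboundSubnet` entries added at the top of this hunk define only `addressPrefix`; Azure DNS Private Resolver endpoints require their subnet to be delegated to `Microsoft.Network/dnsResolvers` (per the service documentation), so the `inboundEndpoints`/`outboundEndpoints` resources added further down this file will presumably fail to deploy against these subnets as written. Add a `delegations` block to both subnet variables, as below for the inbound one. These subnets also get no NSG, and the inbound endpoint is a DNS listener reachable from anything that can route to the hub, which is probably intended but is worth a comment next to the variable.

```json
"dnsResolverInboundSubnet": [
  {
    "name": "DnsResolverInboundSubnet",
    "properties": {
      "addressPrefix": "[parameters('subnetMaskForDnsResolverInbound')]",
      "delegations": [
        {
          "name": "Microsoft.Network.dnsResolvers",
          "properties": {
            "serviceName": "Microsoft.Network/dnsResolvers"
          }
        }
      ]
    }
  }
],
// … unchanged: dnsResolverOutboundSubnet, with the same delegations block added …
```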
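Review bot: The `networkManagers` resource moves from the GA `apiVersion` `2022-07-01` back to `2021-02-01-preview`, and the `-connectivity` management group is removed from `networkManagerScopes.managementGroups`; neither change is explained. A preview API version on a platform resource in a reference implementation is unusual, so if a property here needs it, a comment such as `// 2021-02-01-preview required for <property>` next to `apiVersion` would stop the next person bumping it straight back. Dropping `-connectivity` from the scope means the hub VNet created later in this template is, as far as I can tell, outside the manager's scope and cannot be targeted by its connectivity or security-admin configurations — confirm that is intended and say so in the description.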
@@ -297,7 +330,7 @@ { "name": "[variables('hubName')]", "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2020-04-01", + "apiVersion": "2022-01-01", "location": "[parameters('location')]", "properties": { "addressSpace": { @@ -306,17 +339,55 @@ ] }, "subnets": "[ - union( - if( - not( - empty(parameters('subnetMaskForGw'))), variables('gwSubnet'), json('[]')), - if( - not( - empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]')))]", + union( + if( + not(empty(parameters('subnetMaskForGw'))), variables('gwSubnet'), json('[]') + ), + if( + not(empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]') + ), + if( + not(empty(parameters('subnetMaskForDnsResolverInbound'))), variables('dnsResolverInboundSubnet'), json('[]') + ), + if( + not(empty(parameters('subnetMaskForDnsResolverOutbound'))), variables('dnsResolverOutboundSubnet'), json('[]') + ) + ) + ]", "enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]", "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" } }, + { + "condition": "[not(empty(parameters('logAnalyticsWorkspaceId')))]", + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('hubName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, { "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", 
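Review bot: The hub VNet diagnostic setting added here is named `setByPolicy`, the name conventionally written by DeployIfNotExists diagnostics policies, so a DINE assignment on this scope will presumably find it and treat the resource as compliant even if its `workspaceId` differs from the policy's. If that is the intent (avoid a duplicate setting), a comment such as `// named setByPolicy so the DINE diagnostics policy sees an existing setting and does not create a second one` would make it explicit; otherwise use a template-specific name. The `retentionPolicy` on the `AllMetrics` entry (`days: 0, enabled: false`) has no effect for a workspace destination — retention on diagnostic settings has been retired by Azure, confirm — and can be dropped along with `"timeGrain": null`.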
@@ -330,6 +401,36 @@ "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" } }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azVpnGwIpName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIpAddresses/', variables('azVpnGwIpName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, { "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", 
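Review bot: The condition on this diagnostic setting, `and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))`, is weaker than the condition on the public IP it depends on, which additionally requires `not(empty(parameters('subnetMaskForGw')))`; with `enableVpnGw` set to Yes, no gateway subnet and a workspace id supplied, the PIP is skipped but the diagnostic setting still deploys and its `dependsOn` target does not exist. Reuse the PIP's condition and add the workspace check: `"condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))), not(empty(parameters('logAnalyticsWorkspaceId'))))]"`. The same mismatch appears in the ExpressRoute PIP, Azure Firewall PIP and Azure Firewall diagnostic settings added further down, which gate the resource on `subnetMaskForGw`/`subnetMaskForAzFw` but not its diagnostics.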
@@ -393,6 +494,36 @@ "publicIPAllocationMethod": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" } }, + { + "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azErGwIpName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIpAddresses/', variables('azErGwIpName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, { "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", 
@@ -455,6 +586,36 @@ "publicIPAllocationMethod": "Static" } }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwIpName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, { "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", "type": "Microsoft.Network/firewallPolicies", 
@@ -497,6 +658,88 @@ ], "firewallPolicy": "[variables('azFirewallPolicyId')]" } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/azureFirewalls/', variables('azFwName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[and(not(empty(parameters('subnetMaskForDnsResolverInbound'))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]", + "apiVersion": "2022-07-01", + "type": "Microsoft.Network/dnsResolvers", + "name": "[variables('dnsResolverName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "virtualNetwork": { + "id": "[variables('hubId')]" + } + } + }, + { + "condition": "[and(not(empty(parameters('subnetMaskForDnsResolverInbound'))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]", + "apiVersion": "2022-07-01", + "type": "Microsoft.Network/dnsResolvers/inboundEndpoints", + "name": "[variables('dnsResolverInboundEndpointName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "privateIpAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('dnsResolverInboundSubnetId')]" + } + 
} + ] + } + }, + { + "condition": "[and(not(empty(parameters('subnetMaskForDnsResolverOutbound'))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]", + "apiVersion": "2022-07-01", + "type": "Microsoft.Network/dnsResolvers/outboundEndpoints", + "name": "[variables('dnsResolverOutboundEndpointName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "subnet": { + "id": "[variables('dnsResolverOutboundSubnetId')]" + } + } } ] } @@ -508,4 +751,4 @@ } ], "outputs": {} -} \ No newline at end of file +} diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/ingress-egress.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/ingress-egress.json new file mode 100644 index 00000000..2b2c330d --- /dev/null +++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/ingress-egress.json 
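Review bot: The `dnsResolvers` resource is conditioned on `subnetMaskForDnsResolverInbound` only, while the `outboundEndpoints` resource is conditioned on `subnetMaskForDnsResolverOutbound`, so supplying just the outbound subnet deploys an endpoint whose parent resolver (and `dependsOn` target) was skipped. Gate the resolver on either subnet being set: `"condition": "[and(or(not(empty(parameters('subnetMaskForDnsResolverInbound'))), not(empty(parameters('subnetMaskForDnsResolverOutbound')))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]"`. Separately, the inbound endpoint uses `"privateIpAllocationMethod": "Dynamic"`; spokes will point their DNS servers at this address, so a `Static` allocation with an explicit `privateIpAddress` parameter avoids the resolver IP changing on redeploy. `enableAzFwDnsProxy` is referenced here but is not among the parameters this change adds to the template, so it is presumably declared earlier in the file.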
@@ -0,0 +1,353 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "displayName": "addressPrefix", + "description": "Address prefix of the HUB" + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "enableHub": { + "type": "string", + "allowedValues": [ + "vhub", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the virtual network hub should be deployed or not." + } + }, + "enableAzFw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be deployed or not." + } + }, + "enableDdoS": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "Select whether the DDoS Standard protection plan should be enabled or not." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the ingress/egress connectivity subscription." + } + }, + "subnetMaskForAzFw": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide subnet for Azure Firewall." 
+ } + }, + "firewallSku": { + "type": "string", + "allowedValues": [ + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, + "firewallZones": { + "type": "array", + "defaultValue": [] + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "ingressOrEgress": { + "type": "string", + "defaultValue": "" + }, + "enableAzFwDnsProxy": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be used as DNS Proxy or not." + } + } + }, + "variables": { + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnet-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "azFwIpName": "[concat(variables('azFwName'), '-pip')]", + "azFwSubnetId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/AzureFirewallSubnet')]", + "azFwPipId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azFwIpName'))]", + "hubId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/virtualNetworks/', variables('hubName'))]", + "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", + // Creating 
variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency + "fwSubnet": [ + { + "name": "AzureFirewallSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForAzFw')]" + } + } + ], + "ddosProtectionPlanId": { + "id": "[parameters('ddosPlanResourceId')]" + }, + "azFirewallPolicyId": { + "id": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]" + }, + "azFirewallDnsSettings": { + "enableProxy": true + } + }, + "resources": [ + { + // Conditionally deploy virtual network hub + "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('subscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[concat(parameters('ingressOrEgress'), '-connectivity-', deployment().location)]", + "subscriptionId": "[parameters('subscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + 
"name": "[variables('hubName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2022-01-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": "[ + if( + not(empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]') + ) + ]", + "enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]", + "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" + } + }, + { + "condition": "[not(empty(parameters('logAnalyticsWorkspaceId')))]", + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('hubName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "name": "[variables('azFwIpName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwIpName'), '/', 
'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2020-11-01", + "name": "[variables('azFwPolicyName')]", + "location": "[parameters('location')]", + "properties": { + "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('azFirewallDnsSettings'), json('null'))]" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/azureFirewalls", + "name": "[variables('azfwname')]", + "location": "[parameters('location')]", + "zones": "[if(not(empty(parameters('firewallZones'))), parameters('firewallZones'), json('null'))]", + "dependsOn": [ + "[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "sku": { + "name": "AZFW_VNet", + "tier": "[parameters('firewallSku')]" + }, + "ipConfigurations": [ + { + "name": "[variables('azFwIpName')]", + "properties": { + "subnet": { + "id": "[variables('azFwSubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('azFwPipId')]" + } + } + } + ], + "firewallPolicy": "[variables('azFirewallPolicyId')]" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), 
not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/azureFirewalls/', variables('azFwName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ] + } + } + } + ] + } + } + } + ], + "outputs": {} +} diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json index e0a95d90..d282f7f5 100644 --- a/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json 
@@ -1,151 +1,458 @@ { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { "rgName": { - "type": "String" + "type": "String" }, "workspaceName": { - "type": "String" + "type": "String", + "defaultValue": "" }, "workspaceRegion": { - "type": "String" + "type": "String", + "defaultValue": "[deployment().location]" }, "automationAccountName": { - "type": "String" + "type": "String", + "defaultValue": "" }, "automationRegion": { - "type": "String" + "type": "String", + "defaultValue": "[deployment().location]" }, "retentionInDays": { - "type": "String" + "type": "String", + "defaultValue": "30" }, "enableChangeTracking": { - "type": "string", - "allowedValues": [ - "No", - "Yes" - ], - "defaultValue": "No" + "type": "string", + "allowedValues": [ + "No", + "Yes" + ], + "defaultValue": "No" }, "enableUpdateMgmt": { - "type": "string", - "allowedValues": [ - "No", - "Yes" - ], - "defaultValue": "No" + "type": "string", + "allowedValues": [ + "No", + "Yes" + ], + "defaultValue": "No" + }, + "eventHubNamespaceName": { + "type": "string", + "defaultValue": "" + }, + "dataExports": { + "type": "array", + "defaultValue": [] } - }, - "variables": { - "fullDeploymentName": "fsi-loganalytics-waa", - "laDeploymentName": "fsi-loganalytics" - }, - "resources": [ + }, + "variables": { + "fullDeploymentName": "fsi-loganalytics-waa", + "laDeploymentName": "fsi-loganalytics" + }, + "resources": [ { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2018-05-01", - "name": "[parameters('rgName')]", - "location": "[deployment().location]", - "properties": {} + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + 
"properties": {} }, { - "condition": "[or(equals(parameters('enableChangeTracking'), 'Yes'), equals(parameters('enableUpdateMgmt'), 'Yes'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", - "name": "[variables('fullDeploymentName')]", - "resourceGroup": "[parameters('rgName')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "apiVersion": "2015-10-31", - "location": "[parameters('AutomationRegion')]", - "name": "[parameters('AutomationAccountName')]", - "type": "Microsoft.Automation/automationAccounts", - "properties": { - "sku": { - "name": "Basic" - } - } - }, - { - "apiVersion": "2020-08-01", - "location": "[parameters('workspaceRegion')]", - "name": "[parameters('workspaceName')]", - "type": "Microsoft.OperationalInsights/workspaces", - "properties": { - "sku": { - "name": "PerGB2018" - }, - "enableLogAccessUsingOnlyResourcePermissions": true, - "retentionInDays": "[int(parameters('retentionInDays'))]" - }, - "resources": [ - { - "name": "Automation", - "type": "linkedServices", - "apiVersion": "2020-08-01", - "dependsOn": [ - "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]", - "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" - ], - "properties": { - "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]" - } - } - ] + "condition": "[or(equals(parameters('enableChangeTracking'), 'Yes'), 
equals(parameters('enableUpdateMgmt'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "[variables('fullDeploymentName')]", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "apiVersion": "2015-10-31", + "location": "[parameters('AutomationRegion')]", + "name": "[parameters('AutomationAccountName')]", + "type": "Microsoft.Automation/automationAccounts", + "properties": { + "sku": { + "name": "Basic" + } + } + }, + { + "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('automationAccountName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('automationRegion')]", + "dependsOn": [ + "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]", + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "apiVersion": "2020-08-01", + "location": "[parameters('workspaceRegion')]", + "name": "[parameters('workspaceName')]", + "type": "Microsoft.OperationalInsights/workspaces", + "properties": { + "sku": { + "name": "PerGB2018" + }, + "enableLogAccessUsingOnlyResourcePermissions": 
true, + "retentionInDays": "[int(parameters('retentionInDays'))]" + }, + "resources": [ + { + "name": "Automation", + "type": "linkedServices", + "apiVersion": "2020-08-01", + "dependsOn": [ + "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]", + "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]" + } + } + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('workspaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('workspaceRegion')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('eventHubNamespaceName')]", + "location": "[deployment().location]", + "sku": { + "name": "Standard", + "tier": "Standard", + "capacity": 5 + }, + "properties": { + "minimumTlsVersion": "1.2", + "publicNetworkAccess": "Enabled", + "disableLocalAuth": true, + "zoneRedundant": true, + 
"isAutoInflateEnabled": true, + "maximumThroughputUnits": 5, + "kafkaEnabled": true + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[deployment().location]", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/authorizationrules", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/RootManageSharedAccessKey')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/networkRuleSets", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/default')]", + "location": "West Europe", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Allow", + "virtualNetworkRules": [], + "ipRules": [] + } + }, + { + 
"condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.OperationalInsights/workspaces/dataexports", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('workspaceName'), '/Exports')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "destination": { + "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "metaData": {} + }, + "tableNames": "[parameters('dataExports')]", + "enable": true + } + } + ], + "outputs": {} } - ], - "outputs": { - } } - } }, { - "condition": "[and(not(equals(parameters('enableChangeTracking'), 'Yes')), not(equals(parameters('enableUpdateMgmt'), 'Yes')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", - "name": "[variables('laDeploymentName')]", - "resourceGroup": "[parameters('rgName')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "apiVersion": "2020-08-01", - "location": "[parameters('workspaceRegion')]", - "name": "[parameters('workspaceName')]", - "type": "Microsoft.OperationalInsights/workspaces", - "properties": { - "sku": { - "name": "PerGB2018" - }, - "enableLogAccessUsingOnlyResourcePermissions": true, - "retentionInDays": "[int(parameters('retentionInDays'))]" - } + "condition": "[and(not(equals(parameters('enableChangeTracking'), 'Yes')), not(equals(parameters('enableUpdateMgmt'), 'Yes')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + 
"name": "[variables('laDeploymentName')]", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "apiVersion": "2020-08-01", + "location": "[parameters('workspaceRegion')]", + "name": "[parameters('workspaceName')]", + "type": "Microsoft.OperationalInsights/workspaces", + "properties": { + "sku": { + "name": "PerGB2018" + }, + "enableLogAccessUsingOnlyResourcePermissions": true, + "retentionInDays": "[int(parameters('retentionInDays'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('workspaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('workspaceRegion')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('eventHubNamespaceName')]", + "location": "[deployment().location]", + "sku": { + "name": "Standard", + "tier": "Standard", + "capacity": 5 + }, + "properties": { + "minimumTlsVersion": "1.2", + "publicNetworkAccess": "Enabled", + 
"disableLocalAuth": true, + "zoneRedundant": true, + "isAutoInflateEnabled": true, + "maximumThroughputUnits": 5, + "kafkaEnabled": true + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[deployment().location]", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/authorizationrules", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/RootManageSharedAccessKey')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/networkRuleSets", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/default')]", + "location": "West Europe", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Allow", + 
"virtualNetworkRules": [], + "ipRules": [] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.OperationalInsights/workspaces/dataexports", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('workspaceName'), '/Exports')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "destination": { + "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "metaData": {} + }, + "tableNames": "[parameters('dataExports')]", + "enable": true + } + } + ], + "outputs": {} } - ], - "outputs": { - } } - } } - ], - "outputs": {} - } \ No newline at end of file + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/policyIdentity.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/policyIdentity.json new file mode 100644 index 00000000..fd56c81f --- /dev/null +++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/policyIdentity.json 
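Review bot: The Event Hub namespace that receives the exported workspace tables (the `dataExports` destination) is reachable from any network: the namespace sets `"publicNetworkAccess": "Enabled"` and the `networkRuleSets/default` resource sets `"defaultAction": "Allow"` with empty `ipRules` and `virtualNetworkRules`, and the same resource set is repeated in the second inner deployment (`laDeploymentName`), so both copies need the change. Because `disableLocalAuth` is already `true`, the `RootManageSharedAccessKey` authorization rule with `Listen`/`Manage`/`Send` rights is dead configuration that still advertises a key-based path; either remove it or document why it is kept. The `location` values `"westeurope"` / `"West Europe"` on the authorizationrules, networkRuleSets and dataexports resources are hard-coded while the namespace itself uses `[deployment().location]`, which presumably misbehaves for deployments to other regions. Suggest `"defaultAction": "Deny"` with a parameterised allow-list or private endpoint for the SIEM collector, and `"location": "[deployment().location]"` on those three resources.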
@@ -0,0 +1,97 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "managedIdentityName": {
+ "type": "string"
+ },
+ "managementSubscriptionId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "deploymentName": "[concat(parameters('resourceGroupName'), '-ua-identity-', parameters('location'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('resourceGroupName')]",
+ "location": "[parameters('location')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[variables('deploymentName')]",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[parameters('resourceGroupName')]"
+ },
+ "uaIdentityName": {
+ "value": "[parameters('managedIdentityName')]"
+ },
+ "azureLocation": {
+ "value": "[parameters('location')]"
+ },
+ "mgmtSubId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "rgName": {
+ "type": "string"
+ },
+ "uaIdentityName": {
+ "type": "string"
+ },
+ "azureLocation": {
+ "type": "string"
+ },
+ "mgmtSubId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2023-01-31",
+ "name": "[parameters('uaIdentityName')]",
+ "location": "[parameters('azureLocation')]"
+ }
+ ],
+ "outputs": {
+ "innerObjectId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('uaIdentityName')), '2023-01-31').principalId]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "identityObjectId": {
+ "type": "string",
+ "value": "[reference(variables('deploymentName')).outputs.innerObjectId.value]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
new file mode 100644
index 00000000..9f957fc4
--- /dev/null
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
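Review bot: The inner template's `rgName` and `mgmtSubId` parameters (fed from `resourceGroupName` and `managementSubscriptionId` in the outer `parameters` map) are declared but never read by the `userAssignedIdentities` resource or the `innerObjectId` output, so `managementSubscriptionId` is a required input with no effect. Either drop the two dead parameters from both the outer `parameters` map and the inner `template.parameters`, or, if they are reserved for a later cross-subscription role assignment, say so in a `metadata.description` on each. None of the four top-level parameters carries a `metadata.description`; one line each, e.g. `"metadata": { "description": "Name of the user-assigned identity whose principalId is returned as identityObjectId" }`, would document the contract of the `identityObjectId` output, which presumably is the principal that later receives role assignments elsewhere in the repository.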
@@ -0,0 +1,3047 @@ +{ + "$schema": "", + "view": { + "kind": "Form", + "properties": { + "title": "FSI Landing Zones on Microsoft Azure", + "isWizard": false, + "steps": [ + { + "name": "basics", + "label": "Deployment location", + "elements": [ + { + "name": "resourceScope", + "type": "Microsoft.Common.ResourceScope" + } + ] + }, + { + "name": "lzSettings", + "label": "Management Group and Subscription Organization", + "subLabel": { + "preValidation": "Provide a prefix for the management group structure that will be created.", + "postValidation": "Done" + }, + "bladeTitle": "Company prefix", + "elements": [ + { + "name": "info", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "FSI Landing Zones requires access at the tenant root (/) scope. Visit this link to ensure you have the appropriate RBAC permission to complete the deployment", + "uri": "https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin", + "style": "Info" + } + }, + { + "name": "mgSection", + "type": "Microsoft.Common.Section", + "label": "Management Groups", + "elements": [ + { + "name": "mgmtGroup", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "FSI Landing Zones will create the management group hierarchy under the Tenant Root Group with the prefix provided at this step, which will be used to establish a proven architecture for subscription organization and policy driven governance at scale.", + "link": { + "label": "Learn more", + "uri": "https://github.com/microsoft/industry/tree/main/fsi#fsi-landing-zones-on-microsoft-azure" + } + } + }, + { + "name": "esMgmtGroup", + "type": "Microsoft.Common.TextBox", + "label": "Management Group prefix", + "toolTip": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of FSI Landing Zones.", + "defaultValue": "", + "constraints": { + "required": true, + "regex": 
"^[a-z0-9A-Z-]{1,10}$", + "validationMessage": "The prefix must be 1-10 characters." + } + } + ], + "visible": true + }, + { + "name": "subSection", + "type": "Microsoft.Common.Section", + "label": "Subscription Organization", + "elements": [ + { + "name": "subOrg", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "FSI Landing Zones recommends dedidated subscriptions for the Azure platform functionality, such as Security, Governance, Compliance, Network Connectivity, and Identity and Access. This enables the organization to scale the Azure platform and the workloads in the landing zones independently regardless of future scale-point.", + "link": { + "label": "Learn more", + "uri": "https://github.com/microsoft/industry/blob/main/fsi/docs/architectureAndDesign.md#architecture-and-design" + } + } + }, + { + "name": "subOrgsOption", + "type": "Microsoft.Common.OptionsGroup", + "label": "Select dedicated subscriptions or a single subscription for FSI Landing Zones platform resources", + "defaultValue": "Dedicated (recommended)", + "toolTip": "Dedicated subscriptions will require separate Azure subscriptions for platform resources and is the recommended option for production environments. The single subscription option will deploy all platform resources on a single subscription.", + "constraints": { + "allowedValues": [ + { + "label": "Dedicated (recommended)", + "value": "Dedicated" + }, + { + "label": "Single", + "value": "Single" + } + ] + }, + "visible": true + } + ], + "visible": false + }, + { + "name": "esSingleSubSection", + "type": "Microsoft.Common.Section", + "label": "Single platform subscription", + "elements": [ + { + "name": "subWarning", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "icon": "Warning", + "text": "Dedicated subscriptions are recommended for the various platform components to ensure scale, sustainability, and segregation of duties, and especially around networking. 
However, a single subscription can also be used in case this is not a concern (e.g., small organizations, or testing purposes).", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" + } + }, + { + "name": "singleSubText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the single subscription that will be used for all platform resources during deployment, for security, logging, connectivity, and identity." + } + }, + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esSingleSub", + "label": "Single platform subscription" + } + ], + "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]" + } + ] + }, + { + "name": "esGoalState", + "label": "Management and Monitoring", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformMgmtSub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]", + "options": { + "text": "To enable platform management and monitoring, you must allocate a dedicated Azure Subscription. Please note, this Subscription will be moved to the platform Management Group, and ARM will deploy a Log Analytics workspace and requisite settings. We recommend using a new Subscription with no existing resources. 
Note that Azure Policy will be used to govern the configuration for the platform at scale.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring", + "style": "Info" + } + }, + { + "name": "singlePlatformMgmtSub", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]", + "options": { + "text": "To enable management and monitoring, you can configure core infra such as Log Analytics and additional monitoring solutions to your dedicated platform subscription. Note that Azure Policy will be used to govern the configuration for the platform at scale.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring", + "style": "Info" + } + }, + { + "name": "esMgmtSubSection", + "type": "Microsoft.Common.Section", + "label": "Management subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esMgmtSub", + "label": "Management subscription" + } + ], + "visible": "[and(equals(steps('esGoalState').azMonSection.esLogAnalytics, 'Yes'), not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single')))]" + }, + { + "name": "azMonSection", + "type": "Microsoft.Common.Section", + "label": "Azure Monitor", + "elements": [ + { + "name": "azMonText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Azure Monitor with Log Analytics provides the core infrastructure to enable platform observability, security, and log retention for the FSI Landing Zones. 
You can create a dedicated Log Analytics workspace and enable curated analytical solutions, that will also intersect with Microsoft Defender for Cloud and Microsoft Sentinel.", + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview" + } + } + }, + { + "name": "esLogAnalytics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Log Analytics workspace and enable monitoring for your platform and resources", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esLogRetention", + "type": "Microsoft.Common.Slider", + "min": 30, + "max": 730, + "label": "Log Analytics Data Retention (days)", + "subLabel": "Days", + "defaultValue": 30, + "showStepMarkers": false, + "toolTip": "Select retention days for Azure logs. Default is 30 days. 
If longer retention is required, you can optionally configure Log Analytics data export to a Storage Account or an Event Hub namespace.", + "constraints": { + "required": false + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esEventHub", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Log Analytics Data Export to Event Hub for SIEM integration", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esEventHubDataExports", + "type": "Microsoft.Common.DropDown", + "label": "Enable Log Analytics Data Export to Event Hub for SIEM integration", + "defaultValue": [ + "Security Alert", + "Security Event", + "Security Incident" + ], + "multiselect": true, + "multiLine": true, + "selectAll": true, + "defaultDescription": "Select the tables you want to export to Event Hub", + "filter": true, + "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.", + "constraints": { + "allowedValues": [ + { + "label": "Security Alert", + "description": "Table used by Defender for Cloud and Microsoft Sentinel for alerts", + "value": "SecurityAlert" + }, + { + "label": "Security Baseline", + "description": "Table used by Defender for Cloud security baseline for Virtual Machines, VMWare, Azure Stack HCI, SCVMM, and Virtual Machine Scale Sets", + "value": "SecurityBaseline" + }, + { + "label": "Security Baseline Summary", + "description": 
"Table used by Defender for Cloud security baseline summary for Virtual Machines, VMWare, Azure Stack HCI, and SCVMM",
+ "value": "SecurityBaselineSummary"
+ },
+ {
+ "label": "Security Detection",
+ "description": "Table used by Security and Audit solution for Log Analytics workspace",
+ "value": "SecurityDetection"
+ },
+ {
+ "label": "Security Event",
+ "description": "Table used by Security and Audit solution for Log Analytics workspace and Microsoft Sentinel",
+ "value": "SecurityEvent"
+ },
+ {
+ "label": "Security Incident",
+ "description": "Table used by Microsoft Sentinel",
+ "value": "SecurityIncident"
+ },
+ {
+ "label": "Security Recommendation",
+ "description": "Table used by Defender for Cloud and Security and Audit solution for Log Analytics workspace",
+ "value": "SecurityRecommendation"
+ },
+ {
+ "label": "Sentinel Audit",
+ "description": "Table used by Microsoft Sentinel",
+ "value": "SentinelAudit"
+ },
+ {
+ "label": "Sentinel Health",
+ "description": "Table used by Microsoft Sentinel",
+ "value": "SentinelHealth"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esEventHub,'Yes')]"
+ },
+ {
+ "name": "monitoring",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]",
+ "options": {
+ "text": "Select which Azure Monitor solutions you will enable for your Log Analytics workspace",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions"
+ }
+ }
+ },
+ {
+ "name": "esAgentSolution",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Agent Health solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ 
"visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esChangeTracking",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Change Tracking solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esUpdateMgmt",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Update Management solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esActivityLog",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Activity Log solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esVmInsights",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VM Insights solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics 
workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esServiceMap",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Service Map solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esSqlAssessment",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy SQL Assessment solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ }
+ ],
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "esGovState",
+ "label": "Security, Governance, and Compliance",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "lzGovernance",
+ "elements": [
+ {
+ "name": "govInfo",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "To enable platform security, governance, and compliance, you can configure Microsoft Cloud Security Benchmark, Compliant and Secure by-default Azure services, Microsoft Defender for Cloud, and additional governance solutions. 
Note that Azure Policy will be used to govern the configuration for the platform at scale.",
+ "uri": "https://learn.microsoft.com/security/benchmark/azure/overview",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "asbSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Microsoft Cloud Security Benchmark",
+ "elements": []
+ },
+ {
+ "name": "mcsbText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "The Microsoft Cloud Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://learn.microsoft.com/security/benchmark/azure/overview"
+ }
+ }
+ },
+ {
+ "name": "mcsbPolicy",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Assign Microsoft Cloud Security Benchmark Policy Initiative",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, the MCSB will be assigned at the intermediate root management group to provide an aggregated compliance view for the FSI Landing Zones architecture.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "secureByDefaultSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Compliant and Secure by-default",
+ "elements": []
+ },
+ {
+ "name": "secureByDefaultText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "FSI Landing Zones enables a 'compliant and secure by-default' landing zones for your Azure services. Select the Azure services you want to have enforced as 'secure by-default' via Azure policy to satisfy regulatory requirements. 
The services you select are the only one that can be deployed to the landing zones, in the Azure regions you have enabled during this deployment.",
+ "link": {
+ "label": "Learn more about 'secure by-default' for FSI Landing Zones",
+ "uri": "https://github.com/microsoft/industry/blob/main/fsi/docs/securityGovernanceAndCompliance.md#compliant-and-secure-by-default-fsi-landing-zones"
+ }
+ }
+ },
+ {
+ "name": "secureSvc",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Secure by-default Azure Services",
+ "placeholder": "",
+ "defaultValue": [
+ "API Management",
+ "App Service",
+ "Automation",
+ "Backup",
+ "Compute",
+ "Container Apps",
+ "Container Instance",
+ "Container Registry",
+ "Cosmos DB",
+ "Data Explorer",
+ "Data Factory",
+ "Event Grid",
+ "Event Hub",
+ "Key Vault",
+ "Kubernetes",
+ "Machine Learning",
+ "Networking",
+ "Open AI",
+ "Postgre SQL",
+ "Service Bus",
+ "SQL",
+ "Storage Account",
+ "Synapse",
+ "Virtual Desktop"
+ ],
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "defaultDescription": "Select the Azure services that must be secure by-default",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "API Management",
+ "description": "Azure policies will ensure secure by-default compliance for API Management, such as enforcement of strong protocols, encryption, access via private endpoint, and centralized logging.",
+ "value": "Apim"
+ },
+ {
+ "label": "App Service",
+ "description": "Azure policies will ensure secure by-default compliance for App Service (including Function Apps), such as enforcement of strong protocols, access via private endpoint, and centralized logging.",
+ "value": "AppService"
+ },
+ {
+ "label": "Automation",
+ "description": "Azure policies will ensure secure by-default compliance for Automation accounts, enforce access via private endpoints, encyrption of variables and centralized logging.",
+ "value": 
"Automation"
+ },
+ {
+ "label": "Backup",
+ "description": "Azure policies will ensure secure by-default compliance for Backup and Recovery Services vaults, enforce immutable backups, encryption, and private over private endpoint.",
+ "value": "Backup"
+ },
+ {
+ "label": "Compute",
+ "description": "Azure policies will ensure secure by-default compliance for Compute, enforce access via private endpoints, encyrption of variables and centralized authorization.",
+ "value": "Compute"
+ },
+ {
+ "label": "Container Apps",
+ "description": "Azure policies will ensure secure by-default compliance for Container Apps, enforce access via private endpoints, encyrption of variables and centralized authorization.",
+ "value": "ContainerApps"
+ },
+ {
+ "label": "Container Instance",
+ "description": "Azure policies will ensure secure by-default compliance for Container Instance, enforce access via private endpoints, encyrption of variables and centralized authorization.",
+ "value": "ContainerInstance"
+ },
+ {
+ "label": "Container Registry",
+ "description": "Azure policies will ensure secure by-default compliance for Container Registry, enforce access via private endpoints, encyrption of variables and centralized authorization.",
+ "value": "ContainerRegistry"
+ },
+ {
+ "label": "Cosmos DB",
+ "description": "Azure policies will ensure secure by-default compliance for Cosmos DB, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.",
+ "value": "CosmosDb"
+ },
+ {
+ "label": "Data Explorer",
+ "description": "Azure policies will ensure secure by-default compliance for Data Explorer, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.",
+ "value": "DataExplorer"
+ },
+ {
+ "label": "Data Factory",
+ "description": "Azure policies will ensure secure by-default compliance for Data Factory, enforce access via private endpoints, double encryption, centralized 
authorization, and centralized logging.",
+ "value": "DataFactory"
+ },
+ {
+ "label": "Event Grid",
+ "description": "Azure policies will ensure secure by-default compliance for Event Grid, enforce access via private endpoints, centralized authorization, and centralized logging.",
+ "value": "EventGrid"
+ },
+ {
+ "label": "Event Hub",
+ "description": "Azure policies will ensure secure by-default compliance for Event Hub, enforce access via private endpoints, centralized authorization, and centralized logging.",
+ "value": "EventHub"
+ },
+ {
+ "label": "Key Vault",
+ "description": "Azure policies will ensure secure by-default compliance for Key Vaults, secrets, keys, and certificates, enforce access via private endpoints, purge protection, and centralized logging.",
+ "value": "KeyVault"
+ },
+ {
+ "label": "Kubernetes",
+ "description": "Azure policies will ensure secure by-default compliance for Kubernetes (AKS), secrets, keys, and certificates, enforce access via private endpoints, centralized authorization and governance, and centralized logging.",
+ "value": "Kubernetes"
+ },
+ {
+ "label": "Machine Learning",
+ "description": "Azure policies will ensure secure by-default compliance for Machine Learning, enforce access via private endpoints, centralized authorization, and centralized logging.",
+ "value": "MachineLearning"
+ },
+ {
+ "label": "Networking",
+ "description": "Azure policies will ensure secure by-default compliance for Networking, such as enforcement of strong protocols, encryption, advanced threat protection, communication paths, and logging.",
+ "value": "Networking"
+ },
+
+ {
+ "label": "Open AI",
+ "description": "Azure policies will ensure secure by-default compliance for Open AI, enforce access via private endpoints, centralized authorization, and centralized logging.",
+ "value": "OpenAi"
+ },
+ {
+ "label": "Postgre SQL",
+ "description": "Azure policies will ensure secure by-default compliance for Postgre SQL, enforce access via 
private endpoints, centralized authorization, advanced threat protection and centralized logging.",
+ "value": "PostgreSql"
+ },
+ {
+ "label": "Service Bus",
+ "description": "Azure policies will ensure secure by-default compliance for Service Bus, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.",
+ "value": "ServiceBus"
+ },
+ {
+ "label": "SQL",
+ "description": "Azure policies will ensure secure by-default compliance for SQL servers and SQL databases, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.",
+ "value": "Sql"
+ },
+ {
+ "label": "Storage Account",
+ "description": "Azure policies will ensure secure by-default compliance for Storage Accounts, such as enforcement of strong protocols, encryption, access via private endpoint, centralized authorization using Azure AD, and centralized logging.",
+ "value": "StorageAccount"
+ },
+ {
+ "label": "Synapse",
+ "description": "Azure policies will ensure secure by-default compliance for Synapse, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.",
+ "value": "Synapse"
+ },
+ {
+ "label": "Virtual Desktop",
+ "description": "Azure policies will ensure secure by-default compliance for Virtual Desktop, enforce access via private endpoints, centralized authorization, and centralized logging.",
+ "value": "DesktopVirtualization"
+ }
+ ],
+ "required": false
+ },
+ "visible": true
+ },
+ {
+ "name": "mcDefenderSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Microsoft Defender for Cloud",
+ "elements": [],
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "mcDefenderText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]",
+ "options": {
+ "text": "Select which Microsoft Defender for Cloud solutions you will 
enable.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/security/fundamentals/overview"
+ }
+ }
+ },
+ {
+ "name": "defenderEndpoint",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Microsoft Defender for Endpoint for Windows and Linux VMs",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will enforce Defender for Endpoint for Windows and Linux VMs",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esAsc",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Microsoft Defender for Cloud and enable security monitoring for your platform and resources",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, Azure Policy will enforce Defender for Cloud and enable security monitoring for your platform and resources",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esAscEmail",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Microsoft Defender for Cloud Email Contact",
+ "toolTip": "Email address to get email notifications from Azure Security Center",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "defaultValue": "",
+ "constraints": {
+ "required": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "regex": "^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$",
+ "validationMessage": "Please provide a valid email address"
+ }
+ },
+ {
+ "name": "esAscVms",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for servers",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is 
selected, Azure Defender will be enabled for all servers.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscOssDb",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for open-source relational databases",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for open-source relational databases.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscCSPM",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for CSPM",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for CSPM.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscCosmosDb",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for Cosmos DB",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Cosmos DB.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscSynapse",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for Synapse",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for 
Synapse.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscApps",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for AppServices",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for AppServices.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscStorage",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for Storage",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Storage.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscSql",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for Azure SQL Database",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Azure SQL Database.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscSqlOnVm",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for SQL servers on machines",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for SQL servers on machines.",
+ "visible": 
"[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscKeyVault",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for Key Vault",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Key Vault.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscArm",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for Azure Resource Manager",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Resource Manager.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscDns",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for DNS",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for DNS.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscContainers",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Microsoft Defender for Containers (Kubernetes and Registries)",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Containers.",
+ "visible": "[equals(steps('esGovState').esAsc,'Yes')]", 
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "DeployIfNotExists"
+ },
+ {
+ "label": "No",
+ "value": "Disabled"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esSecuritySolution",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Microsoft Sentinel",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "esConnectivityGoalState",
+ "label": "Network Connectivity and Topology",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "lzGs",
+ "elements": [
+ {
+ "name": "multiPlatformConnectivitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]",
+ "options": {
+ "text": "To enable connectivity for Azure and on-premises, you must allocate a dedicated connectivity Subscription. Please note, this Subscription will be moved to the connectivity Management Group, and ARM will deploy the first hub virtual network for either a hub and spoke or Virtual WAN network topology. Additional networking platform resources such as gateways or Azure Firewall can be deployed. We recommend using a new dedicated Subscription with no existing resources. 
When you need to scale-out networking, either into the same region and same subscription, or to a new region or a separate connectivity subscription, use the following link to deploy and scale-out.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "singlePlatformConnectivitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]",
+ "options": {
+ "text": "To enable network topology and connectivity for Azure and on-premises, you can select the preferred networking topology, and deploy this into the dedicated platform subscription. Additional networking platform resources such as gateways or Azure Firewall can also be deployed.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "connSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Azure Connectivity Configuration",
+ "elements": [
+ {
+ "name": "azMonText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "The FSI Landing Zones provides the foundational networking and connectivity services for deploying telco applications and services on Microsoft Azure at scale. Select the preferred networking topology and services for Azure and the Distributed Edge.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://github.com/microsoft/industry/blob/main/telco/docs/telco-networking.md"
+ }
+ }
+ }
+ ],
+ "visible": true
+ },
+ {
+ "name": "esHub",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy networking topology for Azure and on-premises",
+ "defaultValue": "No",
+ "toolTip": "Select the preferred network topology. 
If third-party NVA is a requirement, you must deploy this into the connectivity subscription post the deployment.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Hub and spoke (customer managed)",
+ "value": "vhub"
+ },
+ {
+ "label": "Virtual WAN (Microsoft managed)",
+ "value": "vwan"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esNwSubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Connectivity subscription",
+ "elements": [
+ {
+ "type": "Microsoft.Common.SubscriptionSelector",
+ "name": "esNwSub",
+ "label": "Connectivity subscription"
+ }
+ ],
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single')))]"
+ },
+ {
+ "name": "esAddressHubVWAN",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space (required for vWAN hub)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/23)",
+ "defaultValue": "10.100.0.0/23",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('esConnectivityGoalState').esHub, 'nva')), not(equals(steps('esConnectivityGoalState').esHub, 'vhub')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." 
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAddressHubHS",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space (required for hub virtual network)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/16)",
+ "defaultValue": "10.100.0.0/16",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('esConnectivityGoalState').esHub, 'vwan')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esLocationsApi",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "GET",
+ "path": "locations?api-version=2019-11-01"
+ }
+ },
+ {
+ "name": "esNwLocation",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Region for the first networking hub",
+ "filter": true,
+ "toolTip": "Select the target region for you connectivity deployment (requires you to provide a subscriptionId for connectivity)",
+ "constraints": {
+ "allowedValues": "[map(steps('esConnectivityGoalState').esLocationsApi.value,(item) => parse(concat('{\"label\":\"',item.displayName,'\",\"value\":\"',item.name,'\"}')))]",
+ "required": true
+ },
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]"
+ },
+ {
+ "name": "anmSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Enable VNet connectivity with Azure Virtual Network Manager (PREVIEW)",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esHub, 'vhub'), contains(split('northcentrals,westus2,eastus,eastus2,northeurope,westeurope,francecentral', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "elements": [
+ {
+ "name": "anmText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": 
"Azure Virtual Network Manager (Preview) is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/virtual-network-manager/overview"
+ }
+ }
+ },
+ {
+ "name": "anmOption",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use Azure Virtual Network Manager to manage virtual networks",
+ "defaultValue": "No",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will create an Azure Virtual Network Manager instance in the connectivity subscription.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "esPrivateDns",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create Private DNS Zones for Azure PaaS services",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[equals(steps('esConnectivityGoalState').esHub, 'vhub')]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will create Private DNS Zones for Azure PaaS services",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esPrivateDnsResolver",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Private DNS resolver",
+ "defaultValue": "Yes (Recommended)",
+ "visible": "[equals(steps('esConnectivityGoalState').esHub, 'vhub')]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (Recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "subnetMaskPrivateDnsResolverInbound",
+ "type": "Microsoft.Common.TextBox",
+ "label": 
"Subnet for DNS Resolver (inbound)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.3.0/24)", + "defaultValue": "10.100.2.0/24", + "visible": "[equals(steps('esConnectivityGoalState').esPrivateDnsResolver, 'Yes')]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-8]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,28]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." 
+ }, + { + "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." + } + ] + } + }, + { + "name": "subnetMaskPrivateDnsResolverOutbound", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for DNS Resolver (outbound)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.3.0/24)", + "defaultValue": "10.100.3.0/24", + "visible": "[equals(steps('esConnectivityGoalState').esPrivateDnsResolver, 'Yes')]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-8]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,28]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." 
+ }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." + } + ] + } + }, + { + "name": "esVpnGw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VPN Gateway", + "defaultValue": "No", + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esGwRegionalOrAz", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy zone redundant or regional VPN Gateway", + "defaultValue": "Zone redundant (recommended)", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.", + "constraints": { + 
"allowedValues": [ + { + "label": "Zone redundant (recommended)", + "value": "Zone" + }, + { + "label": "Regional", + "value": "Regional" + } + ] + } + }, + { + "name": "esGwNoAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" + }, + { + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" + }, + { + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" + } + ] + } + }, + { + "name": "esGwAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + 
"multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2AZ" + }, + { + "label": "VpnGw3AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3AZ" + }, + { + "label": "VpnGw4AZ", + "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4AZ" + }, + { + "label": "VpnGw5AZ", + "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5AZ" + } + ] + } + }, + { + "name": "esGwRegionalSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 
'Regional') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" + }, + { + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" + }, + { + "label": "VpnGw4", + "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" + } + ] + } + }, + { + "name": "esVwanGwScaleUnits", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway scale unit", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "Select the VPN Gateway scale unit", + "constraints": { + "allowedValues": [ + { + "label": "1 scale unit", + "description": "Supports 500 Mbps x2", + "value": "1" + }, + { + "label": "2 scale units", + "description": "Supports 1 Gbps x 2", + "value": "2" + }, + { + "label": "3 scale units", + "description": "Supports 1.5 Gbps x 2", + "value": "3" + }, + { + "label": "4 scale units", 
+ "description": "Supports 2 Gbps x 2", + "value": "4" + }, + { + "label": "5 scale units", + "description": "Supports 2.5 Gbps x 2", + "value": "5" + }, + { + "label": "6 scale units", + "description": "Supports 3 Gbps x 2", + "value": "6" + }, + { + "label": "7 scale units", + "description": "Supports 3.5 Gbps x 2", + "value": "7" + }, + { + "label": "8 scale units", + "description": "Supports 4 Gbps x 2", + "value": "8" + }, + { + "label": "9 scale units", + "description": "Supports 4.5 Gbps x 2", + "value": "9" + }, + { + "label": "10 scale units", + "description": "Supports 5 Gbps x 2", + "value": "10" + }, + { + "label": "11 scale units", + "description": "Supports 5.5 Gbps x 2", + "value": "11" + }, + { + "label": "12 scale units", + "description": "Supports 6 Gbps x 2", + "value": "12" + }, + { + "label": "13 scale units", + "description": "Supports 6.5 Gbps x 2", + "value": "13" + }, + { + "label": "14 scale units", + "description": "Supports 7 Gbps x 2", + "value": "14" + }, + { + "label": "15 scale units", + "description": "Supports 7.5 Gbps x 2", + "value": "15" + }, + { + "label": "16 scale units", + "description": "Supports 8 Gbps x 2", + "value": "16" + }, + { + "label": "17 scale units", + "description": "Supports 8.5 Gbps x 2", + "value": "17" + }, + { + "label": "18 scale units", + "description": "Supports 9 Gbps x 2", + "value": "18" + }, + { + "label": "19 scale units", + "description": "Supports 9.5 Gbps x 2", + "value": "19" + }, + { + "label": "20 scale units", + "description": "Supports 10 Gbps x 2", + "value": "20" + } + ] + } + }, + { + "name": "esAddressVpnOrEr", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for VPN/ExpressRoute Gateways", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.1.0/24)", + "defaultValue": "10.100.1.0/24", + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'vwan')), or(equals(steps('esConnectivityGoalState').esErGw, 
'Yes'),equals(steps('esConnectivityGoalState').esVpnGw, 'Yes')))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-7]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,27]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." 
+ } + ] + } + }, + { + "name": "esErGw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy ExpressRoute Gateway", + "defaultValue": "No", + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy ExpressRoute gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esErRegionalOrAz", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy zone redundant or regional ExpressRoute Gateway", + "defaultValue": "Zone redundant (recommended)", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone redundant (recommended)", + "value": "Zone" + }, + { + "label": "Regional", + "value": "Regional" + } + ] + } + }, + { + "name": "esErAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), 
contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "ErGw1AZ", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "ErGw1AZ" + }, + { + "label": "ErGw2AZ", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "ErGw2AZ" + }, + { + "label": "ErGw3AZ", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "ErGw3AZ" + } + ] + } + }, + { + "name": "esErRegionalSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + 
"value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "esErNoAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "esVwanErScaleUnits", + "type": "Microsoft.Common.DropDown", + "label": "Select the 
ExpressRoute Gateway scale unit", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "Select the ExpressRoute Gateway scale unit", + "constraints": { + "allowedValues": [ + { + "label": "1 scale unit", + "description": "Supports 2 Gbps", + "value": "1" + }, + { + "label": "2 scale units", + "description": "Supports 4 Gbps", + "value": "2" + }, + { + "label": "3 scale units", + "description": "Supports 6 Gbps", + "value": "3" + }, + { + "label": "4 scale units", + "description": "Supports 8 Gbps", + "value": "4" + }, + { + "label": "5 scale units", + "description": "Supports 10 Gbps", + "value": "5" + }, + { + "label": "6 scale units", + "description": "Supports 12 Gbps", + "value": "6" + }, + { + "label": "7 scale units", + "description": "Supports 14 Gbps", + "value": "7" + }, + { + "label": "8 scale units", + "description": "Supports 16 Gbps", + "value": "8" + }, + { + "label": "9 scale units", + "description": "Supports 18 Gbps", + "value": "9" + }, + { + "label": "10 scale units", + "description": "Supports 20 Gbps", + "value": "10" + } + ] + } + }, + { + "name": "esAzFw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Firewall", + "defaultValue": "Yes (recommended)", + "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esAzFwDns", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Firewall as a DNS proxy", + "defaultValue": "No", + "visible": 
"[and(equals(steps('esConnectivityGoalState').esPrivateDnsResolver, 'No'), equals(steps('esConnectivityGoalState').esHub, 'vhub'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esAzFwSku", + "type": "Microsoft.Common.DropDown", + "label": "Select Azure Firewall tier", + "defaultValue": "Standard", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[equals(steps('esConnectivityGoalState').esAzFw, 'Yes')]", + "toolTip": "Select Azure Firewall tier", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Standard Azure Firewall", + "value": "Standard" + }, + { + "label": "Premium", + "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.", + "value": "Premium" + } + ] + } + }, + { + "name": "esFwAz", + "type": "Microsoft.Common.DropDown", + "label": "Select Availability Zones for the Azure Firewall", + "defaultValue": "None", + "multiselect": true, + "selectAll": true, + "filter": true, + "visible": "[if(equals(steps('esConnectivityGoalState').esHub, 'vhub'), and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)), false)]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone 1", + "value": "1" + }, + { + "label": "Zone 2", + "value": "2" + }, + { + "label": "Zone 3", + 
"value": "3" + } + ] + } + }, + { + "name": "esAddressFw", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/24)", + "defaultValue": "10.100.0.0/24", + "visible": "[and(equals(steps('esConnectivityGoalState').esAzFw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan')))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-6]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFw, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFw, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFw, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." 
+ }, + { + "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').esAddressFw, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." + } + ] + } + }, + { + "name": "esDedicatedInboundSub", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use a dedicated subscription for Internet ingress", + "defaultValue": "No", + "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, you can optionally add dedicated subscription for ingess and egress", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esNwAdditionalSubSectionIngress", + "type": "Microsoft.Common.Section", + "label": "Internet ingress subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esNwIngress", + "label": "Ingress subscription" + } + ], + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]" + }, + { + "name": "esAddressIngress", + "type": "Microsoft.Common.TextBox", + "label": "Address space (required for the virtual network)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/16)", + "defaultValue": "10.200.0.0/16", + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$", + "message": "Invalid CIDR range. 
The address prefix must be in the range [10,24]."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFwIngress",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Azure Firewall",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Firewall will be created using the same configuration as used in the connectivity hub",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAddressFwIngress",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Subnet for Azure Firewall for ingress",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/24)",
+ "defaultValue": "10.200.0.0/24",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esAzFwIngress, 'Yes'), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-6]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressIngress, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')), '.'), 1))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (first octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressIngress, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressIngress, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), last(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFwSkuIngress",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Azure Firewall tier",
+ "defaultValue": "Standard",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[equals(steps('esConnectivityGoalState').esAzFwIngress, 'Yes')]",
+ "toolTip": "Select Azure Firewall tier",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Standard Azure Firewall",
+ "value": "Standard"
+ },
+ {
+ "label": "Premium",
+ "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.",
+ "value": "Premium"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esFwAzIngress",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Availability Zones for the Azure Firewall",
+ "defaultValue": "None",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "visible": "[if(equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'), and(equals(steps('esConnectivityGoalState').esAzFwIngress,'Yes'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)), false)]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone 1",
+ "value": "1"
+ },
+ {
+ "label": "Zone 2",
+ "value": "2"
+ },
+ {
+ "label": "Zone 3",
+ "value": "3"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esDedicatedOutboundSub",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use s dedicated subscription for Internet egress",
+ "defaultValue": "No",
+ "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, you can optionally add dedicated subscription for ingess and egress",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esNwAdditionalSubSectionEgress",
+ "type": "Microsoft.Common.Section",
+ "label": "Internet egress subscription",
+ "elements": [
+ {
+ "type": "Microsoft.Common.SubscriptionSelector",
+ "name": "esNwEgress",
+ "label": "Internet egress subscription"
+ }
+ ],
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]"
+ },
+ {
+ "name": "esAddressEgress",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space (required for the virtual network)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.210.0.0/16)",
+ "defaultValue": "10.210.0.0/16",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFwEgress",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Azure Firewall",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Firewall will be created using the same configuration as used in the connectivity hub",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAddressFwEgress",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Subnet for Azure Firewall for ingress",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.210.0.0/24)",
+ "defaultValue": "10.210.0.0/24",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esAzFwEgress, 'Yes'), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-6]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressEgress, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')), '.'), 1))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (first octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressEgress, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressEgress, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), last(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFwSkuEgress",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Azure Firewall tier",
+ "defaultValue": "Standard",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[equals(steps('esConnectivityGoalState').esAzFwEgress, 'Yes')]",
+ "toolTip": "Select Azure Firewall tier",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Standard Azure Firewall",
+ "value": "Standard"
+ },
+ {
+ "label": "Premium",
+ "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.",
+ "value": "Premium"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esFwAzEgress",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Availability Zones for the Azure Firewall",
+ "defaultValue": "None",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "visible": "[if(equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'), and(equals(steps('esConnectivityGoalState').esAzFwEgress,'Yes'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)), false)]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone 1",
+ "value": "1"
+ },
+ {
+ "label": "Zone 2",
+ "value": "2"
+ },
+ {
+ "label": "Zone 3",
+ "value": "3"
+ }
+ ]
+ }
+ },
+ {
+ "name": "nwSecurity",
+ "type": "Microsoft.Common.Section",
+ "label": "Network Security and Monitoring",
+ "elements": [
+ {
+ "name": "monitoring",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]",
+ "options": {
+ "text": "Select which Azure Network Security and Monitoring solutions you will enable for your platform and landing zones",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions"
+ }
+ }
+ },
+ {
+ "name": "esDdoS",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable DDoS Protection Standard",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Protection Standard will be enabled and protect your Azure resources from denial of service threats.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esNetworkWatcher",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Network Watcher observability",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, Network Watcher will be enabled for all virtual networks for the platform and the landing zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esNsgFlowLogs",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable NSG Flow Logs and Traffic Analytics",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[and(equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes'), equals(steps('esConnectivityGoalState').nwSecurity.esNetworkWatcher, 'Yes'))]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, NSG Flow Logs will be enabled for all NSGs for the platform and the landing zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "exemptionInfo",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(equals(steps('esConnectivityGoalState').nwSecurity.esNsgFlowLogs, 'Yes'), equals(steps('esGoalState').mcsbPolicy, 'Yes'))]",
+ "options": {
+ "icon": "Info",
+ "text": "NSG Flow Logs requires a storage account accessible over a public endpoint, that will be created in the management subscription only trusting known Azure services. A policy exemption will be created to bypass the Microsoft Cloud Security Benchmark recommendations for the storage account.",
+ "uri": "https://www.microsoft.com"
+ }
+ }
+ ],
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "esIdentityGoalState",
+ "label": "Identity and Access",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "lzGs",
+ "elements": [
+ {
+ "name": "multiPlatformIdentitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]",
+ "options": {
+ "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. We recommend using a new Subscription with no existing resources.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "singlePlatformIdentitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]",
+ "options": {
+ "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "authNauthZsection",
+ "type": "Microsoft.Common.Section",
+ "label": "Authentication and Authorization for workloads",
+ "elements": [],
+ "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]"
+ },
+ {
+ "name": "authNauthZtexts",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]",
+ "options": {
+ "text": "You can optionally bring in a dedicated subscription for identity, which will serve as a placeholder for your domain controller virtual machines. Select 'No' if you want to do this later.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance"
+ }
+ }
+ },
+ {
+ "name": "identitySub",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Configure dedicated Identity subscription",
+ "defaultValue": "Yes",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]"
+ },
+ {
+ "name": "esIdentitySubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Identity subscription",
+ "elements": [
+ {
+ "type": "Microsoft.Common.SubscriptionSelector",
+ "name": "esIdentitySub",
+ "label": "Management subscription"
+ }
+ ],
+ "visible": "[and(not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single')), equals(steps('esIdentityGoalState').identitySub,'Yes'))]"
+ },
+ {
+ "name": "esIdentityGovSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Identity Governance",
+ "elements": [],
+ "visible": true
+ },
+ {
+ "name": "identitypolicies",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select which of the the recommended policies you will assign to your identity management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance"
+ }
+ }
+ },
+ {
+ "name": "esIdDenyRdp",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent inbound RDP from internet",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esIdDenySubnetNsg",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure subnets are associated with NSG",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esIdDenyPublicIp",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent usage of public IP",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]"
+ },
+ {
+ "name": "esIdAzBackup",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esIdentityConnectivity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create virtual network and connect to the connectivity hub (optional)?",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('esIdentityGoalState').identitySub, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]"
+ },
+ {
+ "name": "esIdentityCidr",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Virtual network address space",
+ "placeholder": "",
+ "defaultValue": "10.110.0.0/24",
+ "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-9]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,29]."
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('esIdentityGoalState').esIdentityConnectivity, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]"
+ }
+ ]
+ },
+ {
+ "name": "esPlayground",
+ "label": "Playground",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "playExplore",
+ "elements": [
+ {
+ "name": "playgroundInfo",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "To accelerate innovation and transformation, subscriptions can be moved into the playground management group, completely separated from everything else where developers can explore Azure services, collaborate, and innovate quicker in a safe and reliable way. Further, subscriptions in Playground management group can be used to expedite service enablement, to validate Azure services against best practices such as Microsoft Cloud Security Benchmark to ensure they can meet the compliance before being deployed to a landing zone.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "playgroundText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select the subscriptions you want to move to playground management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
+ }
+ }
+ },
+ {
+ "name": "playgroundApi",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "GET",
+ "path": "subscriptions?api-version=2020-01-01"
+ }
+ },
+ {
+ "name": "playgroundSub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Playground subscriptions (optional)",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": true,
+ "constraints": {
+ "allowedValues": "[map(filter(steps('esPlayground').playgroundApi.value, (sub) => equals(sub.state, 'Enabled')), (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]",
+ "required": false
+ }
+ },
+ {
+ "name": "playgroundPolicySection",
+ "type": "Microsoft.Common.Section",
+ "label": "Assign recommended Azure policies for playground subscriptions",
+ "elements": []
+ },
+ {
+ "name": "playgroundPolicyText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select which of the recommended policies you will assign to your playground subscriptions. The policies listed here will ensure that the boundaries between playground and landing zones can be crossed.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://placeholder.com"
+ }
+ }
+ },
+ {
+ "name": "vnetPeeringPolicy",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent any Virtual Network Peering to and from the playground subscriptions",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your playground resources.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "budgetPolicy",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure there is a budget associated with each playground subscription to control cost",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your playground resources.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "budgetAmount",
+ "type": "Microsoft.Common.Slider",
+ "min": 1000,
+ "max": 10000,
+ "label": "Specify monthly budget amount (subject to your currency)",
+ "subLabel": "",
+ "defaultValue": 1000,
+ "showStepMarkers": false,
+ "toolTip": "Select amount for the budget policy.",
+ "constraints": {
+ "required": false
+ },
+ "visible": "[equals(steps('esPlayground').budgetPolicy, 'Yes')]"
+ },
+ {
+ "name": "vnicPolicy",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent network interfaces to have public IPs",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent usage of public IP for network interfaces",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "lzGoalState",
+ "label": "Landing Zones",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "lzGs",
+ "elements": [
+ {
+ "name": "infoBox1",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "FSI Landing Zones enables secure by-default landing zones for workloads categorized as corp connected (e.g., connected to corporate network and enforcing private endpoints), cloud-native (e.g., workloads that can not communicate with the connectivity hub).",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "corpLz",
+ "type": "Microsoft.Common.Section",
+ "label": "Corp landing zones",
+ "visible": true,
+ "elements": [
+ {
+ "name": "corpText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select the subscriptions you want to move to corp management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
+ }
+ }
+ },
+ {
+ "name": "esLzConnectivity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Connect corp landing zones to the connectivity hub during the deployment (optional)?",
+ "defaultValue": "No",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esConnectivityGoalState').esHub, 'vhub')]"
+ },
+ {
+ "name": "lzCorpSubsApi",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "GET",
+ "path": "subscriptions?api-version=2020-01-01"
+ }
+ },
+ {
+ "name": "esCorpLzSub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Corp landing zone subscriptions (optional)",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[or(or(equals(steps('lzGoalState').corpLz.esLzConnectivity, 'No'), equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esHub, 'vwan'), equals(steps('lzGoalState').corpLz.esLzConnectivity, 'No'))]",
+ "constraints": {
+ "allowedValues": "[map(filter(steps('lzGoalState').corpLz.lzCorpSubsApi.value, (sub) => equals(sub.state, 'Enabled')), (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]",
+ "required": false
+ }
+ },
+ {
+ "name": "lzConnectedSubs",
+ "type": "Microsoft.Common.EditableGrid",
+ "ariaLabel": "Add existing subscriptions into the management group landing zone and provide address space for virtual network peering",
+ "label": "Corp connected landing zone subscriptions (optional)",
+ "visible": "[equals(steps('lzGoalState').corpLz.esLzConnectivity, 'Yes')]",
+ "constraints": {
+ "width": "Full",
+ "rows": {
+ "count": {
+ "min": 1,
+ "max": 10
+ }
+ },
+ "columns": [
+ {
+ "id": "subs",
+ "header": "Subscription",
+ "width": "1fr",
+ "element": {
+ "name": "esLzConnectedSub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Landing zone subscription",
+ "toolTip": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": false,
+ "constraints": {
+ "allowedValues": "[map(steps('lzGoalState').corpLz.lzSubsApi.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]",
+ "required": false
+ }
+ }
+ },
+ {
+ "id": "addresses",
+ "header": "Virtual Network Address space",
+ "width": "1fr",
+ "element": {
+ "type": "Microsoft.Common.TextBox",
+ "placeholder": "Ensure there are no overlapping IP addresses!",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "name": "lzSubsApi",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "GET",
+ "path": "subscriptions?api-version=2020-01-01"
+ }
+ }
+ ]
+ },
+ {
+ "name": "onlineLz",
+ "type": "Microsoft.Common.Section",
+ "label": "Cloud-native landing zones",
+ "visible": true,
+ "elements": [
+ {
+ "name": "onlineText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select the subscriptions you want to move to the cloud-native management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
+ }
+ }
+ },
+ {
+ "name": "lzOnlineSubsApi",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "GET",
+ "path": "subscriptions?api-version=2020-01-01"
+ }
+ },
+ {
+ "name": "esOnlineLzSub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Cloud-native landing zone subscriptions (optional)",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": true,
+ "constraints": {
+ "allowedValues": "[map(filter(steps('lzGoalState').onlineLz.lzOnlineSubsApi.value, (sub) => equals(sub.state, 'Enabled')), (sub) => parse(concat('{\"label\":\"',sub.displayName,'\",\"description\":\"',sub.subscriptionId,'\",\"value\":\"',toLower(sub.subscriptionId),'\"}')))]",
+ "required": false
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "outputs": {
+ "parameters": {
+ "industry": "fsi",
+ "subnetMaskForGw": "[steps('esConnectivityGoalState').esAddressVpnOrEr]",
+ "subnetMaskForAzFw": "[steps('esConnectivityGoalState').esAddressFw]",
+ "enableErGw": "[steps('esConnectivityGoalState').esErGw]",
+ "enableVpnGw": "[steps('esConnectivityGoalState').esVpnGw]",
+ "enableHub": "[steps('esConnectivityGoalState').esHub]",
+ "enableDdoS": "[steps('esConnectivityGoalState').nwSecurity.esDdoS]",
+ "connectivitySubscriptionId": "[if(not(equals(steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,'')]",
+ "enableAzFw": "[steps('esConnectivityGoalState').esAzFw]",
+ "enableAzFwDnsProxy": "[steps('esConnectivityGoalState').esAzFwDns]",
+ "addressPrefix": "[coalesce(steps('esConnectivityGoalState').esAddressHubVWAN, steps('esConnectivityGoalState').esAddressHubHS, '')]",
+ "location": "[steps('esConnectivityGoalState').esNwLocation]",
+ "managementSubscriptionId": "[steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId]",
+ "identitySubscriptionId": "[if(or(not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,'')]",
+ "onlineLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').onlineLz.esOnlineLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').onlineLz.esOnlineLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').onlineLz.esOnlineLzSub,'')]",
+ "corpLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').corpLz.esCorpLzSub,'')]",
+ "enableLogAnalytics": "[steps('esGoalState').azMonSection.esLogAnalytics]",
+ "enableMcsbPolicy": "[steps('esGovState').mcsbPolicy]",
+ "denyRdpForIdentity": "[steps('esIdentityGoalState').esIdDenyRdp]",
+ "denySubnetWithoutNsgForIdentity": "[steps('esIdentityGoalState').esIdDenySubnetNsg]",
+ "denyPipForIdentity": "[steps('esIdentityGoalState').esIdDenyPublicIp]",
+ "enableVmBackupForIdentity": "[steps('esIdentityGoalState').esIdAzBackup]",
+ "enableDefenderEndpoint": "[steps('esGovState').defenderEndpoint]",
+ "enableAsc": "[steps('esGovState').esAsc]",
+ "emailContactAsc": "[steps('esGovState').esAscEmail]",
+ "enableAscForServers": "[steps('esGovState').esAscVms]",
+ "enableAscForCSPM": "[steps('esGovState').esAscCSPM]",
+ "enableAscForCosmosDb": "[steps('esGovState').esAscCosmosDb]",
+ "enableAscForSynapse": "[steps('esGovState').esAscSynapse]",
+ "enableAscForOssDb": "[steps('esGovState').esAscOssDb]",
+ "enableAscForAppServices": "[steps('esGovState').esAscApps]",
+ "enableAscForStorage": "[steps('esGovState').esAscStorage]",
+ "enableAscForSql": "[steps('esGovState').esAscSql]",
+ "enableAscForSqlOnVm": "[steps('esGovState').esAscSqlOnVm]",
+ "enableAscForKeyVault": "[steps('esGovState').esAscKeyVault]",
+ "enableAscForArm": "[steps('esGovState').esAscArm]",
+ "enableAscForDns": "[steps('esGovState').esAscDns]",
+ "enableAscForContainers": "[steps('esGovState').esAscContainers]",
+ "enableSecuritySolution": "[steps('esGovState').esSecuritySolution]",
+ "enableAgentHealth": "[steps('esGoalState').azMonSection.esAgentSolution]",
+ "enableChangeTracking": "[steps('esGoalState').azMonSection.esChangeTracking]",
+ "enableUpdateMgmt": "[steps('esGoalState').azMonSection.esUpdateMgmt]",
+ "enableActivityLog": "[steps('esGoalState').azMonSection.esActivityLog]",
+ "enableVmInsights": "[steps('esGoalState').azMonSection.esVmInsights]",
+ "enableServiceMap": "[steps('esGoalState').azMonSection.esServiceMap]",
+ "dataExports": "[steps('esGoalState').azMonSection.esEventHubDataExports]",
+ "denyVnetPeering": "[steps('esPlayground').vnetPeeringPolicy]",
+ "enableBudget": "[steps('esPlayground').budgetPolicy]",
+ "budgetAmount": "[string(steps('esPlayground').budgetAmount)]",
+ "playgroundSubscriptionId": "[steps('esPlayground').playgroundSub]",
+ "enableSqlAssessment": "[steps('esGoalState').azMonSection.esSqlAssessment]",
+ "industryPrefix": "[steps('lzSettings').mgSection.esMgmtGroup]",
+ "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "firewallSku": "[steps('esConnectivityGoalState').esAzFwSku]",
+ "firewallZones": "[steps('esConnectivityGoalState').esFwAz]",
+ "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]",
+ "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]",
+ "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]",
+ "erAzSku": "[steps('esConnectivityGoalState').esErAzSku]",
+ "erRegionalSku": "[if(empty(steps('esConnectivityGoalState').esErRegionalSku), steps('esConnectivityGoalState').esErNoAzSku, steps('esConnectivityGoalState').esErRegionalSku)]",
+ "singlePlatformSubscriptionId": "[steps('lzSettings').esSingleSubSection.esSingleSub.subscriptionId]",
+ "retentionInDays": "[string(steps('esGoalState').azMonSection.esLogRetention)]",
+ "expressRouteScaleUnit": "[steps('esConnectivityGoalState').esVwanErScaleUnits]",
+ "vpnGateWayScaleUnit": "[steps('esConnectivityGoalState').esVwanGwScaleUnits]",
+ "enablePrivateDnsZones": "[steps('esConnectivityGoalState').esPrivateDns]",
+ "identityAddressPrefix": "[steps('esIdentityGoalState').esIdentityCidr]",
+ "enableNetworkWatcher": "[steps('esConnectivityGoalState').nwSecurity.esNetworkWatcher]",
+ "enableNsgFlowLogs": "[steps('esConnectivityGoalState').nwSecurity.esNsgFlowLogs]",
+ "enableAvnm": "[steps('esConnectivityGoalState').anmSection.anmOption]",
+ "compliantAzureServices": "[steps('esGovState').secureSvc]",
+ "enablePrivateDnsResolver": "[steps('esConnectivityGoalState').esPrivateDnsResolver]",
+ "subnetMaskForDnsResolverInbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound]",
+ "subnetMaskForDnsResolverOutbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound]",
+ "ingressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionIngress.esNwIngress.subscriptionId]",
+ "egressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionEgress.esNwEgress.subscriptionId]",
+ "addressPrefixIngress": "[steps('esConnectivityGoalState').esAddressIngress]",
+ "addressPrefixEgress": "[steps('esConnectivityGoalState').esAddressEgress]",
+ "enableAzFwIngress": "[steps('esConnectivityGoalState').esAzFwIngress]",
+ "enableAzFwEgress": "[steps('esConnectivityGoalState').esAzFwEgress]",
+ "subnetMaskForAzFwIngress": "[steps('esConnectivityGoalState').esAddressFwIngress]",
+ "subnetMaskForAzFwEgress": "[steps('esConnectivityGoalState').esAddressFwEgress]",
+ "firewallSkuIngress": "[steps('esConnectivityGoalState').esAzFwSkuIngress]",
+ "firewallSkuEgress": "[steps('esConnectivityGoalState').esAzFwSkuEgress]",
+ 
"firewallZonesIngress": "[steps('esConnectivityGoalState').esFwAzIngress]", + "firewallZonesEgress": "[steps('esConnectivityGoalState').esFwAzEgress]", + "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').corpLz.lzConnectedSubs,'')]" + }, + "kind": "Tenant", + "location": "[steps('basics').resourceScope.location.name]" + } + } +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json new file mode 100644 index 00000000..12978f3b --- /dev/null +++ b/foundations/azure/referenceImplementations/industryArmV2.json 
@@ -0,0 +1,5716 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "industry": {
+ "type": "string",
+ "allowedValues": [
+ "fsi",
+ "telco"
+ ],
+ "metadata": {
+ "description": "Azure Portal UX to determine which industry cloud foundation to be deployed"
+ }
+ },
+ "industryPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "managementSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for management. If you don't want to bring a subscription, leave this parameter empty as is."
+ }
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for networking."
+ }
+ },
+ "ingressSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for ingress."
+ }
+ },
+ "egressSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for egress."
+ }
+ },
+ "identitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for identity."
+ }
+ },
+ "denySubnetWithoutNsgForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "denyRdpForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "denyPipForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableVmBackupForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "playgroundSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move into your playground management group."
+ }
+ },
+ "onlineLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first online landing zones."
+ }
+ },
+ "corpLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones."
+ }
+ },
+ "corpConnectedLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub."
+ }
+ },
+ "enableLogAnalytics": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored."
+ }
+ },
+ "retentionInDays": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enableMcsbPolicy": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No",
+ "metadata": {
+ "descriptione": "If 'Yes' is selected, Microsoft Cloud Security Benchmark policy initiative will be assigned at the intermediate root management group, providing all-up governance view for FSI Landing Zones."
+ }
+ },
+ "enableAsc": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored."
+ }
+ },
+ "emailContactAsc": {
+ "type": "string",
+ "metadata": {
+ "description": "Email address for Azure Security Center contact details."
+ },
+ "defaultValue": ""
+ },
+ "enableAscForServers": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForCSPM": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForCosmosDb": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForSynapse": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForAppServices": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForStorage": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForSql": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForSqlOnVm": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForKeyVault": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForArm": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForDns": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForContainers": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForOssDb": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableDefenderEndpoint": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected, policy will be assigned to enforce Defender for Endpoint"
+ }
+ },
+ "enableSecuritySolution": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableAgentHealth": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableChangeTracking": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableUpdateMgmt": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableActivityLog": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableVmInsights": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableServiceMap": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableSqlAssessment": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "addressPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "addressPrefixIngress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "addressPrefixEgress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enableVpnGw": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableErGw": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[deployment().location]"
+ },
+ "enableHub": {
+ "type": "string",
+ "allowedValues": [
+ "vhub",
+ "vwan",
+ "nva",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwIngress": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwEgress": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwDnsProxy": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableDdoS": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ]
+ },
+ "enablePrivateDnsZones": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "subnetMaskForAzFw": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "subnetMaskForAzFwIngress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "subnetMaskForAzFwEgress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "subnetMaskForGw": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "subnetMaskForDnsResolverInbound": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "subnetMaskForDnsResolverOutbound": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwRegionalOrAz": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwAzSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwRegionalSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erRegionalOrAz": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erAzSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erRegionalSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "firewallSku": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ },
+ "firewallSkuIngress": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ },
+ "firewallSkuEgress": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ },
+ "firewallZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallZonesIngress": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallZonesEgress": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "singlePlatformSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36
+ },
+ "expressRouteScaleUnit": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "vpnGateWayScaleUnit": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "identityAddressPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "denyVnetPeering": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "No",
+ "Yes"
+ ]
+ },
+ "enableBudget": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "budgetAmount": {
+ "type": "string",
+ "defaultValue": "1000"
+ },
+ "enableNetworkWatcher": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableNsgFlowLogs": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableAvnm": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "compliantAzureServices": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Select the Azure service(s) that should be secure by-default"
+ }
+ },
+ "dataExports": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Select the Log Analytics tables that should be exported to event hub."
+ }
+ }
+ },
+ "variables": {
+ // Declaring the prescriptive structure for FSI Landing Zones
+ "mgmtGroups": {
+ "industryRoot": "[parameters('industryPrefix')]",
+ "platform": "[concat(parameters('industryPrefix'), '-', 'platform')]",
+ "management": "[concat(parameters('industryPrefix'), '-', 'management')]",
+ "connectivity": "[concat(parameters('industryPrefix'), '-', 'connectivity')]",
+ "identity": "[concat(parameters('industryPrefix'), '-', 'identity')]",
+ "playground": "[concat(parameters('industryPrefix'), '-', 'playground')]",
+ "lzs": "[concat(parameters('industryPrefix'), '-', 'landingzones')]",
+ "corp": "[concat(parameters('industryPrefix'), '-', 'corp')]",
+ "online": "[concat(parameters('industryPrefix'), '-', 'cloud-native')]"
+ },
+ // Declaring scopes that will be used for ARM deployments
+ "scopes": {
+ "industryRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').industryRoot)]",
+ "platformManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').platform)]",
+ "managementManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').management)]",
+ "connectivityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').connectivity)]",
+ "identityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').identity)]",
+ "playgroundManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').playground)]",
+ "lzsManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').lzs)]",
+ "corpManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').corp)]",
+ "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]"
+ },
+ // Declaring all required deployment uri's used for deployments of composite ARM templates for FSI. As you can see, it's been quite an effort :-)
+ "azPrivateDnsPolicyMapping": {
+ "https://management.azure.com/": "core/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json",
+ "https://management.usgovcloudapi.net": "core/managementGroupTemplates/policyDefinitions/gov/fairfaxDINE-PrivateDNSZonesPolicySetDefinition.json"
+ },
+ "azPrivateDnsArmTemplate": "[variables('azPrivateDnsPolicyMapping')[environment().resourceManager]]",
+ "azPublicEndpointsPolicyMapping": {
+ "https://management.azure.com/": "core/managementGroupTemplates/policyDefinitions/DENY-PublicEndpointsPolicySetDefinition.json",
+ "https://management.usgovcloudapi.net": "core/managementGroupTemplates/policyDefinitions/gov/fairfaxDENY-PublicEndpointsPolicySetDefinition.json"
+ },
+ "azPublicEndpointArmTemplate": "[variables('azPublicEndpointsPolicyMapping')[environment().resourceManager]]",
+ "azPolicyPoliciesMapping": {
+ "https://management.azure.com/": "core/managementGroupTemplates/policyDefinitions/policies.json",
+ "https://management.usgovcloudapi.net": "core/managementGroupTemplates/policyDefinitions/gov/fairfaxPolicies.json"
+ },
+ "azPolicyArmTemplate": "[variables('azPolicyPoliciesMapping')[environment().resourceManager]]",
+ "deploymentUris": {
+ "managementGroups": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]",
+ "allowedRegionsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json')]",
+ "allowedRgRegionsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json')]",
+ "customRbacRoleDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json')]",
+ "policyIdentity": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/policyIdentity.json')]",
+ "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]",
+ "policyDefinitions": "[uri(deployment().properties.templateLink.uri, variables('azPolicyArmTemplate'))]",
+ "compliantCorpLzPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json')]",
+ "compliantCorpLzPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json')]",
+ "compliantApiMPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json')]",
+ "compliantApimPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json')]",
+ "compliantAppServicePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json')]",
+ "compliantAppServicePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json')]",
+ "compliantAutomationPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json')]",
+ "compliantAutomationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json')]",
+ "compliantBackupPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json')]",
+ "compliantBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json')]",
+ "compliantComputePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json')]",
+ "compliantComputePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json')]",
+ "compliantContainerAppsPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json')]",
+ "compliantContainerAppsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json')]",
+ "compliantContainerInstancePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json')]",
+ "compliantContainerInstancePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json')]",
+ "compliantContainerRegistryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json')]",
+ "compliantContainerRegistryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json')]",
+ "compliantCosmosDbPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json')]",
+ "compliantCosmosDbPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json')]",
+ "compliantDataExplorerPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json')]",
+ "compliantDataExplorerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json')]",
+ "compliantDataFactoryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json')]",
+ "compliantDataFactoryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json')]",
+ "compliantEventGridPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json')]",
+ "compliantEventGridPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json')]",
+ "compliantEventHubPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json')]",
+ "compliantEventHubPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json')]",
+ "compliantKeyVaultPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json')]",
+ "compliantKeyVaultPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json')]",
+ "compliantKubernetesPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json')]",
+ "compliantKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json')]",
+ "compliantMachineLearningPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json')]",
+ "compliantMachineLearningPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json')]",
+ "compliantNetworkPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json')]",
+ "compliantNetworkPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json')]",
+ "compliantOpenAiPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json')]",
+ "compliantOpenAiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json')]",
+ "compliantPostgrePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json')]",
+ "compliantPostgrePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json')]",
+ "compliantServiceBusPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json')]",
+ "compliantServiceBusPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json')]",
+ "compliantSQLPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json')]",
+ "compliantSQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json')]",
+ "compliantStoragePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json')]",
+ "compliantStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json')]",
+ "compliantSynapsePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json')]",
+ "compliantSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json')]",
+ "compliantVirtualDesktopPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json')]",
+ "compliantVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json')]",
+ "dataPolicyDefinitions": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/dataPolicies.json')]",
+ "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/hubspoke-connectivity.json')]",
+ "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vwan-connectivity.json')]",
+ "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/nvahubspoke-connectivity.json')]",
+ "ingressAndEgress": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/ingress-egress.json')]",
+ "subscriptionPlacement": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json')]",
+ "monitoring": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logAnalyticsWorkspace.json')]",
+ "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/resourceGroup.json')]",
+ "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'core/resourceGroupTemplates/ddosProtection.json')]",
+ "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
+ "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logAnalyticsSolutions.json')]",
+ "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
+ "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
+ "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]",
+ "ascConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json')]",
+ "defenderEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json')]",
+ "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
+ "azPolicyForKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
+ "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
+ "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
+ "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
+ "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]",
+ "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]",
+ "publicEndpointPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, variables('azPublicEndpointArmTemplate'))]",
+ "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]",
+ "privateDnsZonePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, variables('azPrivateDnsArmTemplate'))]",
+ "privateDnsZonePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json')]",
+ "pipPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json')]",
+ "rdpFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json')]",
+ "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]",
+ "subnetNsgPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json')]",
+ "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
+ "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json')]",
+ "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
+ "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vnetPeering.json')]",
+ "corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vnetPeeringVwan.json')]",
+ "privateDnsZones": "[uri(deployment().properties.templateLink.uri, 'core/resourceGroupTemplates/privateDnsZones.json')]",
+ "roleAssignments": "[uri(deployment().properties.templateLink.uri,
'core/managementGroupTemplates/roleAssignments/roleAssignment.json')]", + "databricksSku": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json')]", + "databricksPip": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json')]", + "databricksCluster": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksClusterPolicyAssignment.json')]", + "govAscPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/gov/fairfaxDINE-ASCConfigPolicyAssignment.json')]", + "logStorageAccount": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logStorageAccount.json')]", + "nwDeployment": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/networkWatcher.json')]", + "nsgFlowLogPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json')]", + "nsgFlowLogPolicyExemption": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyExemptions/EXEMPT-NSGFlowLogStAcc.json')]", + "sshFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-SSHFromInternetPolicyAssignment.json')]", + "denyVnetPeeringPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-VNetPeeringPolicyAssignment.json')]", + "budgetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json')]", + "appGwWithoutWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 
'core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutWAFPolicyAssignment.json')]", + "appGwWithouthFwPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutFwRulesPolicyAssignment.json')]", + "wafWithoutFdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-WafWithoutFrontDoorEntryPointPolicyAssignment.json')]", + "fdWithoutWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-FdWithoutManagedWafPolicyAssignment.json')]", + "openAiLocalAuthPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithLocalAuthPolicyAssignment.json')]", + "openAiMiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithoutMiPolicyAssignment.json')]", + // Telco industry + "erHaPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'telco/managementGroupTemplates/policyAssignments/DENY-non-ha-expressRoutes-policyAssignment.json')]", + "pipHaPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'telco/managementGroupTemplates/policyAssignments/DENY-non-ha-publicIps-policyAssignment.json')]" + }, + // Declaring deterministic deployment names + "deploymentSuffix": "[concat('-', deployment().location, guid(parameters('industryPrefix')))]", + "deploymentNames": { + "mgmtGroupDeploymentName": "[take(concat(parameters('industry'), '-Mgs', variables('deploymentSuffix')), 64)]", + "customRbacDeploymentName": "[take(concat(parameters('industry'), '-RoleDefinitions', variables('deploymentSuffix')), 64)]", + "allowedRegionsDeploymentName": "[take(concat(parameters('industry'), '-Azure-Regions', variables('deploymentSuffix')), 64)]", + "allowedRgRegionsDeploymentName": "[take(concat(parameters('industry'), 
'-Azure-RG-Regions', variables('deploymentSuffix')), 64)]", + "compliantCorpLzDeploymentName": "[take(concat(parameters('industry'), '-Compliant-CorpLz', variables('deploymentSuffix')), 64)]", + "compliantApimDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Apim', variables('deploymentSuffix')), 64)]", + "compliantAppServiceDeploymentName": "[take(concat(parameters('industry'), '-Compliant-AppService', variables('deploymentSuffix')), 64)]", + "compliantAutomationDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Automation', variables('deploymentSuffix')), 64)]", + "compliantBackupDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Backup', variables('deploymentSuffix')), 64)]", + "compliantComputeDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Compute', variables('deploymentSuffix')), 64)]", + "compliantContainerAppsDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]", + "compliantContainerInstanceDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]", + "compliantContainerRegistryDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]", + "compliantCosmosDbDeploymentName": "[take(concat(parameters('industry'), '-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]", + "compliantDataExplorerDeploymentName": "[take(concat(parameters('industry'), '-Compliant-DataExplorer', variables('deploymentSuffix')), 64)]", + "compliantDataFactoryDeploymentName": "[take(concat(parameters('industry'), '-Compliant-DataFactory', variables('deploymentSuffix')), 64)]", + "compliantEventGridDeploymentName": "[take(concat(parameters('industry'), '-Compliant-EventGrid', variables('deploymentSuffix')), 64)]", + "compliantEventHubDeploymentName": "[take(concat(parameters('industry'), '-Compliant-EventHub', 
variables('deploymentSuffix')), 64)]", + "compliantKeyVaultDeploymentName": "[take(concat(parameters('industry'), '-Compliant-KeyVault', variables('deploymentSuffix')), 64)]", + "compliantKubernetesDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]", + "compliantMachineLearningDeploymentName": "[take(concat(parameters('industry'), '-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]", + "compliantNetworkDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Network', variables('deploymentSuffix')), 64)]", + "compliantOpenAiDeploymentName": "[take(concat(parameters('industry'), '-Compliant-OpenAi', variables('deploymentSuffix')), 64)]", + "compliantPostgreDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Postgre', variables('deploymentSuffix')), 64)]", + "compliantServiceBusDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]", + "compliantSqlDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Sql', variables('deploymentSuffix')), 64)]", + "compliantStorageDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Storage', variables('deploymentSuffix')), 64)]", + "compliantSynapseDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Synapse', variables('deploymentSuffix')), 64)]", + "compliantVirtualDesktopDeploymentName": "[take(concat(parameters('industry'), '-Compliant-AVD', variables('deploymentSuffix')), 64)]", + "mgmtSubscriptionPlacement": "[take(concat(parameters('industry'), '-MgmtSub', variables('deploymentSuffix')), 64)]", + "policyIdentityDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentity', variables('deploymentSuffix')), 64)]", + "policyIdentityRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentityRoleAssignment', variables('deploymentSuffix')), 64)]", + "databricksSkuDeploymentName": 
"[take(concat(parameters('industry'), '-DBSku', variables('deploymentSuffix')), 64)]", + "databricksPipDeploymentName": "[take(concat(parameters('industry'), '-DBPip', variables('deploymentSuffix')), 64)]", + "databricksClusterDeploymentName": "[take(concat(parameters('industry'), '-DBCluster', variables('deploymentSuffix')), 64)]", + "corpPeeringDeploymentName": "[take(concat(parameters('industry'), '-CorpPeering', variables('deploymentSuffix')), 60)]", + "connectivitySubscriptionPlacement": "[take(concat(parameters('industry'), '-ConnectivitySub', variables('deploymentSuffix')), 64)]", + "ingressSubscriptionPlacement": "[take(concat(parameters('industry'), '-IngressSub', variables('deploymentSuffix')), 64)]", + "egressSubscriptionPlacement": "[take(concat(parameters('industry'), '-EgressSub', variables('deploymentSuffix')), 64)]", + "identitySubscriptionPlacement": "[take(concat(parameters('industry'), '-IdentitySub', variables('deploymentSuffix')), 64)]", + "policyDeploymentName": "[take(concat(parameters('industry'), '-Policy', variables('deploymentSuffix')), 64)]", + "dataPolicyDeploymentName": "[take(concat(parameters('industry'),'-Data-Policy', variables('deploymentSuffix')), 64)]", + "ddosRgDeploymentName": "[take(concat(parameters('industry'), '-DDoSRg', variables('deploymentSuffix')), 64)]", + "ddosDeploymentName": "[take(concat(parameters('industry'), '-DDoS', variables('deploymentSuffix')), 64)]", + "ddosHubPolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSHubPolicy', variables('deploymentSuffix')), 64)]", + "cmkPolicyDeploymentName": "[take(concat(parameters('industry'), '-CMKPolicy', variables('deploymentSuffix')), 64)]", + "cmkPolicyAssignmentDeploymentName": "[take(concat(parameters('industry'), '-CMKPolicyAssignment', variables('deploymentSuffix')), 64)]", + "ddosLzPolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSLZPolicy', variables('deploymentSuffix')), 64)]", + "monitoringDeploymentName": 
"[take(concat(parameters('industry'), '-Monitoring', variables('deploymentSuffix')), 64)]", + "logAnalyticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-LAPolicy', variables('deploymentSuffix')), 64)]", + "monitoringSolutionsDeploymentName": "[take(concat(parameters('industry'), '-Solutions', variables('deploymentSuffix')), 64)]", + "asbPolicyDeploymentName": "[take(concat(parameters('industry'), '-ASB', variables('deploymentSuffix')), 64)]", + "resourceDiagnosticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-ResourceDiagnostics', variables('deploymentSuffix')), 64)]", + "activityDiagnosticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-ActivityDiagnostics', variables('deploymentSuffix')), 64)]", + "ascPolicyDeploymentName": "[take(concat(parameters('industry'), '-ASC', variables('deploymentSuffix')), 64)]", + "ascGovPolicyDeploymentName": "[take(concat(parameters('industry'), '-Gov-ASC', variables('deploymentSuffix')), 64)]", + "vnetConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-HubSpoke', variables('deploymentSuffix')), 64)]", + "ingressDeploymentName": "[take(concat(parameters('industry'), '-Ingress', variables('deploymentSuffix')), 64)]", + "egressDeploymentName": "[take(concat(parameters('industry'), '-Egress', variables('deploymentSuffix')), 64)]", + "vwanConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-VWanHub', variables('deploymentSuffix')), 64)]", + "nvaConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-NVAHub', variables('deploymentSuffix')), 64)]", + "azVmMonitorPolicyDeploymentName": "[take(concat(parameters('industry'), '-AzVmMonitor', variables('deploymentSuffix')), 64)]", + "defenderEndpointPolicyDeploymentName": "[take(concat(parameters('industry'), '-DefenderEndpoint', variables('deploymentSuffix')), 64)]", + "azVmssMonitorPolicyDeploymentName": "[take(concat(parameters('industry'),'-AzVmssMonitor', variables('deploymentSuffix')), 
64)]", + "azBackupLzPolicyDeploymentName": "[take(concat(parameters('industry'),'-AzBackupLz', variables('deploymentSuffix')), 64)]", + "azBackupIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-AzBackupIdentity', variables('deploymentSuffix')), 64)]", + "azPolicyForAksPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPolicy', variables('deploymentSuffix')), 64)]", + "aksPrivEscalationPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPrivEsc', variables('deploymentSuffix')), 64)]", + "aksHttpsPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksHttps', variables('deploymentSuffix')), 64)]", + "aksPrivilegedPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPrivileged', variables('deploymentSuffix')), 64)]", + "tlsSslPolicyDeploymentName": "[take(concat(parameters('industry'), '-TLSSSL', variables('deploymentSuffix')), 64)]", + "ipFwPolicyDeploymentName": "[take(concat(parameters('industry'), '-IPFwd', variables('deploymentSuffix')), 64)]", + "publicEndpointPolicyDeploymentName": "[take(concat(parameters('industry'), '-PEndpoint', variables('deploymentSuffix')), 64)]", + "publicEndpointPolicyDefinitionName": "[take(concat(parameters('industry'), '-Policy-PEndpoints', variables('deploymentSuffix')), 64)]", + "privateDnsPolicyDefinitionName": "[take(concat(parameters('industry'), '-Policy-PrivateDns', variables('deploymentSuffix')), 64)]", + "privateDnsPolicyDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSAssignment', variables('deploymentSuffix')), 64)]", + "pipPolicyDeploymentName": "[take(concat(parameters('industry'), '-PIP', variables('deploymentSuffix')), 64)]", + "rdpFromInternetPolicyDeploymentName": "[take(concat(parameters('industry'), '-RDP', variables('deploymentSuffix')), 64)]", + "sshFromInternetPolicyDeploymentName": "[take(concat(parameters('industry'), '-SSH', variables('deploymentSuffix')), 64)]", + "rdpFromInternetIdentityPolicyDeploymentName": 
"[take(concat(parameters('industry'), '-RDPIdentity', variables('deploymentSuffix')), 64)]", + "storageHttpsPolicyDeploymentName": "[take(concat(parameters('industry'), '-StorageHttps', variables('deploymentSuffix')), 64)]", + "subnetNsgPolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsg', variables('deploymentSuffix')), 64)]", + "subnetNsgIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", + "playgroundSubs": "[take(concat(parameters('industry'), '-Playground', variables('deploymentSuffix')), 60)]", + "onlineLzSubs": "[take(concat(parameters('industry'), '-OnlineLzs', variables('deploymentSuffix')), 60)]", + "corpLzSubs": "[take(concat(parameters('industry'), '-CorpLzs', variables('deploymentSuffix')), 60)]", + "corpConnectedMoveLzSubs": "[take(concat(parameters('industry'), '-CorpConnLzs', variables('deploymentSuffix')), 50)]", + "corpConnectedLzSubs": "[take(concat(parameters('industry'), '-CorpPeering', variables('deploymentSuffix')), 50)]", + "privateDnsZoneRgDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSRG', variables('deploymentSuffix')), 64)]", + "privateDnsZonesDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSZones', variables('deploymentSuffix')), 35)]", + "dnsZoneRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-DNSZoneRole', variables('deploymentSuffix')), 64)]", + "dnsZoneOperatorRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-DNSZoneOperatorRole', variables('deploymentSuffix')), 64)]", + "nsgFLowLogRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-NSGFlowRole', variables('deploymentSuffix')), 64)]", + "identityPeeringDeploymentName": "[take(concat(parameters('industry'), '-IDPeering', variables('deploymentSuffix')), 64)]", + "identityVwanPeeringDeploymentName": "[take(concat(parameters('industry'), '-IDVwanPeering', variables('deploymentSuffix')), 64)]", + 
"corpConnectedLzVwanSubs": "[take(concat(parameters('industry'), '-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]", + "logStorageDeploymentName": "[take(concat(parameters('industry'), '-LogStorage', variables('deploymentSuffix')), 64)]", + "nwDeploymentName": "[take(concat(parameters('industry'), '-NwPlatform', variables('deploymentSuffix')), 64)]", + "nwRgLzPolicyAssignment": "[take(concat(parameters('industry'), '-NwRgLz', variables('deploymentSuffix')), 64)]", + "nsgFlowLogsPlatformPolicyAssignment": "[take(concat(parameters('industry'), '-NSGFlowPlatform', variables('deploymentSuffix')), 64)]", + "nsgFLowLogsLzPolicyAssignment": "[take(concat(parameters('industry'), '-NSGFlowLz', variables('deploymentSuffix')), 64)]", + "nsgFlowLogPolicyExemption": "[take(concat(parameters('industry'), '-NSGExempt', variables('deploymentSuffix')), 64)]", + "denyVnetPeeringDeploymentName": "[take(concat(parameters('industry'), '-VNetPeering', variables('deploymentSuffix')), 64)]", + "budgetDeploymentName": "[take(concat(parameters('industry'), '-Budget', variables('deploymentSuffix')), 64)]", + // Compliant Azure Service Policy Assignment deployment names + "compliantCorpLzAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CorpLz', variables('deploymentSuffix')), 64)]", + "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Auto', variables('deploymentSuffix')), 64)]", + "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]", + "compliantCosmosDbAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]", + "compliantComputeAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Compute', variables('deploymentSuffix')), 64)]", + "compliantDataExplorerAssignmentDeploymentName": 
"[take(concat(parameters('industry'), '-Enforce-Compliant-ADE', variables('deploymentSuffix')), 64)]", + "compliantDataFactoryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ADF', variables('deploymentSuffix')), 64)]", + "compliantEventGridAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EG', variables('deploymentSuffix')), 64)]", + "compliantEventHubAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EH', variables('deploymentSuffix')), 64)]", + "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]", + "compliantOpenAiAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-OpenAi', variables('deploymentSuffix')), 64)]", + "compliantPostgreAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Postgre', variables('deploymentSuffix')), 64)]", + "compliantSqlAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-SQL', variables('deploymentSuffix')), 64)]", + "compliantSynapseAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Synapse', variables('deploymentSuffix')), 64)]", + "compliantMachineLearningAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]", + "compliantNetworkAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Network', variables('deploymentSuffix')), 64)]", + "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]", + "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]", + 
"compliantContainerRegistryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]", + "compliantServiceBusAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]", + "compliantKubernetesAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]", + "compliantStorageAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Storage', variables('deploymentSuffix')), 64)]", + "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]", + "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]", + "compliantVirtualDesktopAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AVD', variables('deploymentSuffix')), 64)]", + // Telco specific policies assignment deployments + "erHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaEr', variables('deploymentSuffix')), 64)]", + "pipHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaPip', variables('deploymentSuffix')), 64)]", + "privateDnsOperatorPolicyDeploymentName": "[take(concat(parameters('industry'), '-PrivateDNSOperator',variables('deploymentSuffix')), 64)]" + }, + "esLiteDeploymentNames": { + "mgmtGroupLiteDeploymentName": "[take(concat(parameters('industry'), '-MgsLite', variables('deploymentSuffix')), 64)]", + "policyIdentityLiteDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentityLite', variables('deploymentSuffix')), 64)]", + "rdpFromInternetIdentityLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-RDPIdentity', variables('deploymentSuffix')), 64)]", + 
"azBackupIdentityLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-AzBackupIdentity', variables('deploymentSuffix')), 64)]", + "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", + "monitoringLiteDeploymentName": "[take(concat(parameters('industry'), '-MonitoringLite', variables('deploymentSuffix')), 64)]", + "logAnalyticsLitePolicyDeploymentName": "[take(concat(parameters('industry'),'-LAPolicyLite', variables('deploymentSuffix')), 64)]", + "monitoringSolutionsLiteDeploymentName": "[take(concat(parameters('industry'), '-SolutionsLite', variables('deploymentSuffix')), 64)]", + "platformLiteSubscriptionPlacement": "[take(concat(parameters('industry'), '-PlatformSubLite', variables('deploymentSuffix')), 64)]", + "logLiteStorageDeploymentName": "[take(concat(parameters('industry'), '-LogStorageLite', deployment().location, '-', deployment().name), 64)]", + "vnetConnectivityHubLiteDeploymentName": "[take(concat(parameters('industry'), '-VnetHubLite', variables('deploymentSuffix')), 64)]", + "vwanConnectivityHubLiteDeploymentName": "[take(concat(parameters('industry'), '-VWanHubLite', variables('deploymentSuffix')), 64)]", + "nvaConnectivityHubLiteDeploymentName": "[take(concat(parameters('industry'), '-NVAHubLite', variables('deploymentSuffix')), 64)]", + "ddosRgLiteDeploymentName": "[take(concat(parameters('industry'), '-DDoSRgLite', variables('deploymentSuffix')), 64)]", + "ddosLiteDeploymentName": "[take(concat(parameters('industry'), '-DDoSLite', variables('deploymentSuffix')), 64)]", + "ddosHubLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]", + "privateDnsZoneRgLiteDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSRGLite', variables('deploymentSuffix')), 64)]", + "privateDnsZonesLiteDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSLite', 
variables('deploymentSuffix')), 35)]", + "nwLiteDeploymentName": "[take(concat(parameters('industry'), '-NwPlatform', deployment().location, '-', deployment().name), 64)]" + + }, + // Declaring deterministic names for Resource Groups that will be created for platform resources + "platformRgNames": { + "mgmtRg": "[concat(parameters('industryPrefix'), '-mgmt')]", + "userAssignedIdentity": "[concat(parameters('industryPrefix'), '-policy-identity')]", + "connectivityRg": "[concat(parameters('industryPrefix'), '-vnethub-', parameters('location'))]", + "ddosRg": "[concat(parameters('industryPrefix'), '-ddos')]", + "privateDnsRg": "[concat(parameters('industryPrefix'), '-privatedns')]", + "identityVnetRg": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]", + "lzVnetRg": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]", + "logNwRg": "[concat(parameters('industryPrefix'), '-nwlog-', parameters('location'))]" + }, + // Declaring deterministic names for platform resources that will be created + "platformResourceNames": { + "logAnalyticsWorkspace": "[concat(parameters('industryPrefix'), '-law')]", + "eventHubNamespace": "[concat(parameters('industryPrefix'), '-ehn-', parameters('location'))]", + "userAssignedIdentityName": "[concat(parameters('industryPrefix'), '-policy-identity')]", + "logNwStorageAccount": "[toLower(take(concat(parameters('industryPrefix'), parameters('location'), uniqueString(deployment().name)), 23))]", + "automationAccount": "[concat(parameters('industryPrefix'), '-aauto')]", + "vpnGwName": "[concat(parameters('industryPrefix'), '-vpngw-', parameters('location'))]", + "erGwName": "[concat(parameters('industryPrefix'), '-ergw-', parameters('location'))]", + "ddosName": "[concat(parameters('industryPrefix'), '-ddos-', parameters('location'))]", + "azFwPolicyName": "[concat(parameters('industryPrefix'), '-azfwpolicy-', parameters('location'))]", + "azFwName": "[concat(parameters('industryPrefix'), '-fw-', 
parameters('location'))]", + "azErGwIpName": "[concat(parameters('industryPrefix'), '-erpip-', parameters('location'))]", + "hubName": "[concat(parameters('industryPrefix'), '-hub-', parameters('location'))]", + "vwanName": "[concat(parameters('industryPrefix'), '-vwan-', parameters('location'))]", + "azVpnGwIpName": "[concat(parameters('industryPrefix'), '-gwpip-', parameters('location'))]", + "azFwIpName": "[concat(parameters('industryPrefix'), '-fwpip-', parameters('location'))]", + "identityVnet": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]", + "lzVnet": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]" + }, + // Declaring deterministic resourceId's for platform resources that will be created + "singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]", + "singleVsDedicatedConnectivitySub": "[if(empty(parameters('connectivitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('connectivitySubscriptionId'))]", + "singleVsDedicatedIdentitySub": "[if(empty(parameters('identitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('identitySubscriptionId'))]", + "platformResourceIds": { + "userAssignedIdentityResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').userAssignedIdentity, '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('platformResourceNames').userAssignedIdentityName)]", + "logStorageResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').logNwRg, '/providers/Microsoft.Storage/storageAccounts/', variables('platformResourceNames').logNwStorageAccount)]", + "logAnalyticsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', 
variables('platformRgNames').mgmtRg, '/providers/Microsoft.OperationalInsights/workspaces/', variables('platformResourceNames').logAnalyticsWorkspace)]", + "automationResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Automation/automationAccounts/', variables('platformResourceNames').automationAccount)]", + "ddosProtectionResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').ddosRg, '/providers/Microsoft.Network/ddosProtectionPlans/', variables('platformResourceNames').ddosName)]", + "vNetHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubName)]", + "vWanHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubName)]", + "privateDnsRgResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').privateDnsRg)]", + "azFirewallResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/azureFirewalls/', variables('platformResourceNames').azFwName)]" + }, + // Declaring deterministic resourceId's for ES Lite platform resources (as they will be consolidated into a single platform subscription) + "deterministicRoleAssignmentGuids": { + "ddosForConnectivity": "[take(guid(concat(parameters('industryPrefix'), 'ddos')), 10)]", + "backupForIdentity": "[take(guid(concat(parameters('industryPrefix'), 'idbackup')), 10)]" + }, + 
"privateDnsZones": [ + "privatelink.azure-automation.net", + "privatelink.database.windows.net", + "privatelink.sql.azuresynapse.net", + "privatelink.blob.core.windows.net", + "privatelink.table.core.windows.net", + "privatelink.queue.core.windows.net", + "privatelink.file.core.windows.net", + "privatelink.web.core.windows.net", + "privatelink.dfs.core.windows.net", + "privatelink.documents.azure.com", + "privatelink.mongo.cosmos.azure.com", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.postgres.database.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.mariadb.database.azure.com", + "privatelink.vaultcore.azure.net", + "privatelink.datafactory.azure.net", + "[concat('privatelink.', parameters('location'), '.azmk8s.io')]", + "privatelink.search.windows.net", + "privatelink.azurecr.io", + "privatelink.azconfig.io", + "[concat('privatelink.', parameters('location'), '.backup.windowsazure.com')]", + "privatelink.siterecovery.windowsazure.com", + "privatelink.servicebus.windows.net", + "privatelink.azure-devices.net", + "privatelink.eventgrid.azure.net", + "privatelink.azurewebsites.net", + "privatelink.api.azureml.ms", + "privatelink.notebooks.azure.net", + "privatelink.service.signalr.net", + "privatelink.cognitiveservices.azure.com", + "[concat(parameters('location'), '.privatelink.afs.azure.net')]", + "privatelink.datafactory.azure.com", + "privatelink.adf.azure.com", + "privatelink.redis.cache.windows.net", + "privatelink.dev.azuresynapse.net", + "privatelink.azuresynapse.net", + "privatelink.table.cosmos.azure.com", + "privatelink.batch.azure.com", + "privatelink.managedhsm.azure.net", + "[concat(parameters('location'), '.privatelink.azurecr.io')]", + "privatelink.azure-devices-provisioning.net", + "scm.privatelink.azurewebsites.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + 
"privatelink.digitaltwins.azure.net", + "privatelink.azurehdinsight.net", + "privatelink.his.arc.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.media.azure.net", + "[concat('privatelink.', parameters('location'), '.kusto.windows.net')]", + "privatelink.azurestaticapps.net", + "privatelink.prod.migration.windowsazure.com", + "privatelink.azure-api.net", + "privatelink.developer.azure-api.net", + "privatelink.analysis.windows.net", + "privatelink.pbidedicated.windows.net", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.directline.botframework.com", + "privatelink.token.botframework.com", + "workspace.privatelink.azurehealthcareapis.com", + "fhir.privatelink.azurehealthcareapis.com", + "dicom.privatelink.azurehealthcareapis.com", + "privatelink.wvd.microsoft.com" + ], + "baseId": "[concat(variables('platformResourceIds').privateDnsRgResourceId, '/providers/Microsoft.Network/privateDnsZones/')]", + "privateDnsPolicyParameterMapping": { + "azureSynapsePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.sql.azuresynapse.ne')]", + "azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]", + "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]", + "azureMlPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]", + "azureMlSecondaryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.notebooks.azure.net')]", + "azureCosmosSqlPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.documents.azure.com')]", + "azureDataFactoryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.datafactory.azure.net')]", + "azureEventGridPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]", + "azureBackupPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), 
'.backup.windowsazure.com')]", + "azureBackupBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]", + "azureManagedDiskPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]", + "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.com')]", + "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.batch.azure.com')]", + "azureAppPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azconfig.io')]", + "azureAsrPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.siterecovery.windowsazure.com')]", + "azureIotPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices-provisioning.net')]", + "azureKeyVaultPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.vaultcore.azure.net')]", + "azureSignalRPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.service.signalr.net')]", + "azureAppServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurewebsites.net')]", + "azureDiskAccessPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureCognitiveServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cognitiveservices.azure.com')]", + "azureIotHubsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.net')]", + "azureRedisCachePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.redis.cache.windows.net')]", + "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.io')]", + "azureContainerRegistryPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.azurecr.io')]", + 
"azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", + "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]", + "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", + "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]", + "azureStorageBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureSecondaryStorageBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureStorageTablePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.table.core.windows.net')]", + "azureSecondaryStorageTablePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.table.core.windows.net')]", + "azureStorageQueuePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]", + "azureSecondaryStorageQueuePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]", + "azureStorageFilePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.file.core.windows.net')]", + "azureSecondaryStorageFilePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.file.core.windows.net')]", + "azureStorageWebPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.web.core.windows.net')]", + "azureSecondaryStorageWebPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.web.core.windows.net')]", + "azureStorageDfsPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]", + "azureSecondaryStorageDfsPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]", + "azureStorageFileSyncPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.afs.azure.net')]", + "azureDesktopVirtualizationPrivateDnsZoneId": "[concat(variables('baseId'), 
'privatelink.wvd.microsoft.com')]"
+
+ },
+ "roleDefinitions": {
+ "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7",
+ "contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ }
+ },
+ "resources": [
+ /*
+ The following deployment will create the management group structure and ensure the sustainable, scalable architecture
+ */
+ {
+ // Creating the management group structure
+ "condition": "[empty(parameters('singlePlatformSubscriptionId'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').mgmtGroupDeploymentName]",
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').managementGroups]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will deploy the required proactive and preventive Azure policies for policy driven governance
+ */
+ {
+ // Deploying custom policies. 
Note: all policies will eventually be moved to built-in policies and codebase will be reduced + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').policyDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').policyDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying custom Role Definitions. Note: all roleDefinitions will eventually be moved to built-in policies and codebase will be reduced + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').customRbacDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').customRbacRoleDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Corp Lz PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": 
"[variables('deploymentNames').compliantCorpLzDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantCorpLzPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant APIM PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantApimDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantApiMPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant App Service PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantAppServiceDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantAppServicePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Automation PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantAutomationDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantAutomationPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Backup PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantBackupDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + 
"properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantBackupPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Compute PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantComputeDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantComputePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Container Apps PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantContainerAppsDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerAppsPolicySetDefinition]" + }, + "parameters": { + 
"topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Container Instance PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantContainerInstanceDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerInstancePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Container Registry PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantContainerRegistryDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerRegistryPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Cosmos Db PolicySetDefinition + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantCosmosDbDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantCosmosDbPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Data Explorer PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantDataExplorerDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataExplorerPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Data Factory PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantDataFactoryDeploymentName]", + "location": "[deployment().location]", + "scope": 
"[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataFactoryPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Event Grid PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantEventGridDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventGridPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Event Hub PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantEventHubDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventHubPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Key Vault PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantKeyVaultDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantKeyVaultPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Kubernetes PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantKubernetesDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').compliantKubernetesPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Machine Learning PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantMachineLearningDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantMachineLearningPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Network PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantNetworkDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantNetworkPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying 
Compliant Open Ai PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantOpenAiDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantOpenAIPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Postgre SQL PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantPostgreDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantPostgrePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Service Bus PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantServiceBusDeploymentName]", + "location": "[deployment().location]", + 
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantServiceBusPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant SQL PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantSqlDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantSqlPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Storage PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantStorageDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantStoragePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Synapse PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantSynapseDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantSynapsePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Virtual Desktop PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantVirtualDesktopDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').compliantVirtualDesktopPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying custom data policies + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').dataPolicyDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataPolicyDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // One of Azure's untold stories..... 
+ "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat('Hydrating-Compliance-Step-', copyIndex())]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[variables('deploymentNames').policyDeploymentName]" + ], + "copy": { + "batchSize": 1, + "count": 21, + "mode": "Serial", + "name": "policyCompletion" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [], + "outputs": {} + } + } + }, + /* + The following deployments will organize the dedicated platform subscriptions into their respective management groups + */ + { + // Placing management subscription into dedicated management group + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').mgmtSubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').managementManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').management]" + }, + "subscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } + } + } + }, + { + // Placing connectivity subscription into dedicated management group + "condition": "[not(empty(parameters('connectivitySubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": 
"[variables('deploymentNames').connectivitySubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').connectivity]" + }, + "subscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + } + } + }, + { + // Placing internet ingress subscription into dedicated management group + "condition": "[not(empty(parameters('ingressSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ingressSubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').connectivity]" + }, + "subscriptionId": { + "value": "[parameters('ingressSubscriptionId')]" + } + } + } + }, + { + // Placing internet egress subscription into dedicated management group + "condition": "[not(empty(parameters('egressSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').egressSubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').connectivity]" + }, + "subscriptionId": { + "value": "[parameters('egressSubscriptionId')]" + } + } + } + }, + { + // Placing identity subscription into dedicated management group + "condition": "[not(empty(parameters('identitySubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').identitySubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').identityManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').identity]" + }, + "subscriptionId": { + "value": "[parameters('identitySubscriptionId')]" + } + } + } + }, + /* + The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones + */ + { + // Deploying Log Analytics workspace to management subscription if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').monitoringDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoring]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + }, + "enableUpdateMgmt": { + "value": "[parameters('enableUpdateMgmt')]" + }, + "enableChangeTracking": { + "value": "[parameters('enableChangeTracking')]" + }, + "eventHubNamespaceName": { + "value": "[variables('platformResourceNames').eventHubNamespace]" + }, + "dataExports": { + "value": "[parameters('dataExports')]" + } + } + } + }, + { + // Deploying User Assigned identity for Policy enforcement + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').policyIdentityDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').policyIdentity]" + }, + "parameters": { + "resourceGroupName": { + "value": "[variables('platformRgNames').userAssignedIdentity]" + }, + "managedIdentityName": { + "value": 
"[variables('platformResourceNames').userAssignedIdentityName]" + }, + "location": { + "value": "[deployment().location]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } + } + } + }, + { + // Assigning RBAC for User Assigned identity for Azure Policy enforcement + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName]", + "location": "[deployment().location]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "dependsOn": [ + "[variables('deploymentNames').policyIdentityDeploymentName]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').roleAssignments]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "principalId": { + "value": "[reference(variables('deploymentNames').policyIdentityDeploymentName).outputs.identityObjectId.value]" + }, + "roleDefinitionId": { + "value": "[variables('roleDefinitions').contributor]" + } + } + } + }, + { + // Deploying Log Analytics solutions to Log Analytics workspace if condition is true + "condition": "[and(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableActivityLog'), 'Yes')), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": 
"[variables('deploymentNames').monitoringSolutionsDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoringSolutions]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "enableSecuritySolution": { + "value": "[parameters('enableSecuritySolution')]" + }, + "enableAgentHealth": { + "value": "[parameters('enableAgentHealth')]" + }, + "enableChangeTracking": { + "value": "[parameters('enableChangeTracking')]" + }, + "enableUpdateMgmt": { + "value": "[parameters('enableUpdateMgmt')]" + }, + "enableActivityLog": { + "value": "[parameters('enableActivityLog')]" + }, + "enableVmInsights": { + "value": "[parameters('enableVmInsights')]" + }, + "enableServiceMap": { + "value": "[parameters('enableServiceMap')]" + }, + "enableSqlAssessment": { + "value": "[parameters('enableSqlAssessment')]" + } + } + } + }, + { + // Create storage account for NSG Flow Logs in the management subscription for networking observability + "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableNsgFlowLogs'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').logStorageDeploymentName]", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').logStorageAccount]" + }, + "parameters": { + "mgmtStorageRgName": { + "value": "[variables('platformRgNames').logNwRg]" + }, + "storageAccountName": { + "value": "[variables('platformResourceNames').logNwStorageAccount]" + }, + "storageLocation": { + "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + } + } + } + }, + { + // Assigning Log Analytics workspace policy to management management group if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').logAnalyticsPolicyDeploymentName]", + "scope": "[variables('scopes').managementManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]" + }, + "parameters": { + "rgName": { + "value": 
"[variables('platformRgNames').mgmtRg]" + }, + "logAnalyticsWorkspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Azure Security Benchmark policy to intermediate root management group if condition is true + "condition": "[equals(parameters('enableMcsbPolicy'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').asbPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').asbPolicyInitiative]" + }, + "parameters": {} + } + }, + { + // Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), 
equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceDiagnosticsInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Azure Activity Diagnostics Log policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').activityDiagnosticsPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", 
+ "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').activityDiagnosticsPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Microsoft Defender for Cloud configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ascPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + 
"uri": "[variables('deploymentUris').ascConfigPolicyInitiative]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForCosmosDb": { + "value": "[parameters('enableAscForCosmosDb')]" + }, + "enableAscForSynapse": { + "value": "[parameters('enableAscForSynapse')]" + }, + "enableAscForCSPM": { + "value": "[parameters('enableAscForCSPM')]" + }, + "enableAscForAppServices": { + "value": "[parameters('enableAscForAppServices')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForKeyVault": { + "value": "[parameters('enableAscForKeyVault')]" + }, + "enableAscForSqlOnVm": { + "value": "[parameters('enableAscForSqlOnVm')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForDns": { + "value": "[parameters('enableAscForDns')]" + }, + "enableAscForOssDb": { + "value": "[parameters('enableAscForOssDb')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Defender Endpoint VMs policy initiative to intermediate root management group if condition is true + "condition": "[equals(parameters('enableDefenderEndpoint'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').defenderEndpointPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').defenderEndpointPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "[if(equals(parameters('enableDefenderEndpoint'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Az Gov Only - Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.usgovcloudapi.net'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ascGovPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').govAscPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + 
"enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForDns": { + "value": "[parameters('enableAscForDns')]" + } + } + } + }, + /* + The following optional deployment will configure virtual network hub into the connectivity subscription + */ + { + // Creating resource group for DDoS Standard Protection + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosRgDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').ddosRg]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Creating DDoS protection 
plan into the connectivity subscription + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').ddosRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosProtection]" + }, + "parameters": { + "ddosName": { + "value": "[variables('platformResourceNames').ddosName]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true + "condition": "[and(or(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosHubPolicyDeploymentName]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosPolicyAssignment]" + }, + "parameters": { + "ddosPlanResourceId": { + "value": 
"[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Creating the virtual network hub (hub and spoke) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').vnetConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vnetConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + 
"enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFw')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "subnetMaskForDnsResolverInbound": { + "value": "[parameters('subnetMaskForDnsResolverInbound')]" + }, + "subnetMaskForDnsResolverOutbound": { + "value": "[parameters('subnetMaskForDnsResolverOutbound')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + }, + "enableAvnm": { + "value": "[parameters('enableAvnm')]" + } + } + } + }, + { + // Creating the ingress subscription + "condition": "[and(not(empty(parameters('ingressSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": 
"[variables('deploymentNames').ingressDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ingressSubscriptionPlacement)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').ingressAndEgress]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHub')]"
+ },
+ "enableAzFw": {
+ "value": "[parameters('enableAzFwIngress')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefixIngress')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('ingressSubscriptionId')]"
+ },
+ "subnetMaskForAzFw": {
+ "value": "[parameters('subnetMaskForAzFwIngress')]"
+ },
+
"logAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "firewallSku": {
+ "value": "[parameters('firewallSkuIngress')]"
+ },
+ "firewallZones": {
+ "value": "[parameters('firewallZonesIngress')]"
+ },
+ "enableAzFwDnsProxy": {
+ "value": "[parameters('enableAzFwDnsProxy')]"
+ },
+ "ingressOrEgress": {
+ "value": "ingress"
+ }
+ }
+ }
+ },
+ {
+ // Creating the egress subscription
+ "condition": "[and(not(empty(parameters('egressSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "name": "[variables('deploymentNames').egressDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').egressSubscriptionPlacement)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri":
"[variables('deploymentUris').ingressAndEgress]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHub')]"
+ },
+ "enableAzFw": {
+ "value": "[parameters('enableAzFwEgress')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefixEgress')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('egressSubscriptionId')]"
+ },
+ "subnetMaskForAzFw": {
+ "value": "[parameters('subnetMaskForAzFwEgress')]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "firewallSku": {
+ "value": "[parameters('firewallSkuEgress')]"
+ },
+ "firewallZones": {
+ "value": "[parameters('firewallZonesEgress')]"
+ },
+ "enableAzFwDnsProxy": {
+ "value": "[parameters('enableAzFwDnsProxy')]"
+ },
+ "ingressOrEgress": {
+ "value": "egress"
+ }
+ }
+ }
+ },
+ {
+ // Creating the virtual network hub (with NVA)
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'nva'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "name": "[variables('deploymentNames').nvaConnectivityHubDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nvaConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHub')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefix')]"
+ },
+ "enableVpnGw": {
+ "value": "[parameters('enableVpnGw')]"
+ },
+ "enableErGw": {
+ "value": "[parameters('enableErGw')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "subnetMaskForGw": {
+ "value": "[parameters('subnetMaskForGw')]"
+ },
+ "gwRegionalOrAz": {
+ "value": "[parameters('gwRegionalOrAz')]"
+ },
+ "gwAzSku": {
+ "value": "[parameters('gwAzSku')]"
+ },
+ "gwRegionalSku": {
+ "value": "[parameters('gwRegionalSku')]"
+ },
+ "erRegionalOrAz": {
+ "value": "[parameters('erRegionalOrAz')]"
+ },
+ "erAzSku": {
+ "value": "[parameters('erAzSku')]"
+ },
+ "erRegionalSku": {
+ "value": "[parameters('erRegionalSku')]"
+ }
+ }
+ }
+ },
+ {
+ // Creating the VWAN network hub (Microsoft managed)
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]",
+ "type":
"Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "name": "[variables('deploymentNames').vwanConnectivityHubDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').vwanConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHub')]"
+ },
+ "enableAzFw": {
+ "value": "[parameters('enableAzFw')]"
+ },
+ "firewallSku": {
+ "value": "[parameters('firewallSku')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefix')]"
+ },
+ "enableVpnGw": {
+ "value": "[parameters('enableVpnGw')]"
+ },
+ "enableErGw": {
+ "value": "[parameters('enableErGw')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "expressRouteScaleUnit": {
+ "value": "[parameters('expressRouteScaleUnit')]"
+ },
+ "vpnGateWayScaleUnit": {
+ "value":
"[parameters('vpnGateWayScaleUnit')]"
+ }
+ }
+ }
+ },
+ {
+ // Creating resource group for Private DNS Zones
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').privateDnsZoneRgDeploymentName]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').privateDnsRg]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ }
+ }
+ },
+ {
+ // Creating Private DNS Zones into the connectivity subscription
+ "condition":
"[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').privateDnsZonesDeploymentName, copyIndex())]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').privateDnsRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]"
+ ],
+ "copy": {
+ "name": "dnsZones",
+ "count": "[length(variables('privateDnsZones'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZones]"
+ },
+ "parameters": {
+ "privateDnsZoneName": {
+ "value": "[concat(variables('privateDnsZones')[copyIndex()])]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ }
+ }
+ }
+ },
+ { // Creating Policy Assignment for NSG Flow Logs Policy on Platform scope
+ "condition": "[and(equals(parameters('enableNetworkWatcher'), 'Yes'), equals(parameters('enableNsgFlowLogs'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').nsgFlowLogsPlatformPolicyAssignment]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nwDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nsgFlowLogPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "[if(equals(parameters('enableNsgFlowLogs'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ },
+ "storageId": {
+ "value": "[variables('platformResourceIds').logStorageResourceId]"
+ },
+ "workspaceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "workspaceResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "nsgRegion": {
+ "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]"
+ },
+ "networkWatcherName": {
+ "value": "[concat('NetworkWatcher_', parameters('location'))]"
+ },
+ "networkWatcherRg": {
+ "value": "NetworkWatcherRG"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+
}
+ }
+ }
+ },
+ { // Creating Policy Exemption for storage accounts for NSG in management management group scope
+ "condition": "[and(equals(parameters('enableMcsbPolicy'), 'Yes'), equals(parameters('enableNsgFlowLogs'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').nsgFlowLogPolicyExemption]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nwDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nsgFlowLogPolicyExemption]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
+ { // Creating Network Watcher on Connectivity subscription
+ "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableNetworkWatcher'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[deployment().location]",
+ "name": "[variables('deploymentNames').nwDeploymentName]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "dependsOn": [
+ "policyCompletion",
+
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nwDeployment]"
+ },
+ "parameters": {
+ "location": {
+ "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will deploy and configure the Azure policy governance for the landing zones
+ */
+ { // Creating Policy Assignment for allowed Azure Regions on the Landing Zone management group
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').allowedRegionsDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "dnsZones"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').allowedRegionsPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "listOfAllowedLocations": {
+ "value": [
+
"Global",
+ "[if(empty(parameters('location')), deployment().location, parameters('location'))]"
+ ]
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment for allowed Azure Regions for Rgs on the Landing Zone management group
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').allowedRgRegionsDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').allowedRgRegionsPolicyAssignment]"
+ },
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "[if(empty(parameters('location')), deployment().location, parameters('location'))]"
+ ]
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment for NSG Flow Logs Policy on Landing zone scope
+ "condition": "[and(equals(parameters('enableNetworkWatcher'), 'Yes'), equals(parameters('enableNsgFlowLogs'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').nsgFlowLogsLzPolicyAssignment]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments',
variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nwDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nsgFlowLogPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[concat(parameters('industryPrefix'), '-lz')]"
+ },
+ "enforcementMode": {
+ "value": "[if(equals(parameters('enableNsgFlowLogs'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ },
+ "storageId": {
+ "value": "[variables('platformResourceIds').logStorageResourceId]"
+ },
+ "workspaceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "workspaceResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "nsgRegion": {
+ "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]"
+ },
+ "networkWatcherName": {
+ "value": "[concat('NetworkWatcher_', parameters('location'))]"
+ },
+ "networkWatcherRg": {
+ "value": "NetworkWatcherRG"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ }
+ }
+ },
+ { // Creating Policy Assignment API management to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'Apim')]",
+ "type": "Microsoft.Resources/deployments",
+
"apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantApimAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantApimDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantApimPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "apimDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "apimLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment App Service to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'AppService')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantAppServiceAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantAppServiceDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantAppServicePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "appServiceDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "appServiceLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "functionDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "functionLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment Compliant Automation Account to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'Automation')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantAutomationAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+
"dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantAutomationDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantAutomationPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "aaDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "aaLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment Compliant Backup to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'Backup')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantBackupAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantBackupDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments',
variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantBackupPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "asrLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment Compliant Compute to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'Compute')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantComputeAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantComputeDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantComputePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value":
"[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment Compliant Container Apps to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'ContainerApps')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantContainerAppsAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantContainerAppsDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantContainerAppsPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment Compliant Container Instance to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'ContainerInstance')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name":
"[variables('deploymentNames').compliantContainerInstanceAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantContainerInstanceDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerInstancePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Container Registry to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'ContainerRegistry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantContainerRegistryAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantContainerRegistryDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": 
"Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerRegistryPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "containerRegistryDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "containerRegistryLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Cosmos Db to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'CosmosDb')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantCosmosDbAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantCosmosDbDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantCosmosDbPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "cosmosDiagnostics": { + 
"value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "cosmosLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Data Explorer to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'DataExplorer')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantDataExplorerAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantDataExplorerDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataExplorerPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "adeDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "adeLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + 
"userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Data Factory Vault to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'DataFactory')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantDataFactoryAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantDataFactoryDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataFactoryPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "adfDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "adfLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Key Vault 
to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'KeyVault')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantKeyVaultAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantKeyVaultDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantKeyVaultPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "keyVaultDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "keyVaultLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "hsmDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "hsmLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Event Grid to Landing 
Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'EventGrid')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantEventGridAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantEventGridDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventGridPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "eventGridPartnerDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "eventGridTopicDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "eventGridDomainDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 
variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Event Hub to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'EventHub')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantEventHubAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantEventHubDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventHubPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "eventHubDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventHubLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant 
+ } + } + }, + { // Creating Policy Assignment Compliant Kubernetes to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Kubernetes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantKubernetesAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantKubernetesDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantKubernetesPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "aksDefender": { + "value": "[if(equals(parameters('enableAscForContainers'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "aksDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "aksLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as 
non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Machine Learning to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'MachineLearning')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantMachineLearningAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantMachineLearningDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantMachineLearningPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "mlDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "mlLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Network to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Networking')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": 
"[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantNetworkAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantNetworkDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantNetworkPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "vnetModifyDdos": { + "value": "[if(equals(parameters('enableDdos'), 'Yes'), 'Modify', 'Disabled')]" + }, + "ddosPlanResourceId": { + "value": "[if(equals(parameters('enableDdos'), 'Yes'), variables('platformResourceIds').ddosProtectionResourceId, '')]" + }, + "nsgDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "nsgLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "lbDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "fdDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "fdDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 
variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "tmDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "vnetDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "erDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "bastionDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "bastionLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "fdCdnDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "fdCdnLogAnalyticsWorkpaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "pipDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "pipLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "gwDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, 
+ "gwLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "p2sDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "p2sLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Open Ai to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'OpenAi')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantOpenAiAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantOpenAiDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantOpenAiPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not 
met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Postgre SQL to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'PostgreSql')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantPostgreAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantPostgreDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantPostgrePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "postgreDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "postgreLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { // Creating Policy Assignment Compliant Service Bus to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'ServiceBus')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": 
"[variables('deploymentNames').compliantServiceBusAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantServiceBusDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantServiceBusPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ServiceBusLogAnalyticsEffect": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "ServiceBusLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { // Creating Policy Assignment Compliant Sql to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Sql')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantSqlAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantSqlDeploymentName)]", + "dnsZones", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantSqlPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "sqlServerDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlServerLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "sqlManagedDefender": { + "value": "[if(equals(parameters('enableAscForSql'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlDbServerDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "sqlDbAllDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { // Creating Policy Assignment Compliant Storage to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'StorageAccount')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantStorageAssignmentDeploymentName]", + "scope": 
"[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantStorageDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantStoragePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "storageFileSyncDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageFileSyncLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "storageTableDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageTableLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "storageAccountsDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageAccountsLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "storageQueueDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageQueueLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "storageBlobDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageBlobLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment Compliant Corp Connected to Corp Landing Zone scope
+ "condition": "[equals(parameters('enablePrivateDnsZones'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantCorpLzAssignmentDeploymentName]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantCorpLzDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantCorpLzPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "avdHostPoolPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "avdHostPoolPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), variables('privateDnsPolicyParameterMapping').azureDesktopVirtualizationPrivateDnsZoneId, '')]"
+ },
+ "avdWorkspacePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "avdWorkspacePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), variables('privateDnsPolicyParameterMapping').azureDesktopVirtualizationPrivateDnsZoneId, '')]"
+ },
+ "storageTablePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageTablePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageTablePrivateDnsZoneId, '')]"
+ },
+ "storageSecondaryTablePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageSecondaryTablePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageTablePrivateDnsZoneId, '')]"
+ },
+ "storageFileSyncPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageFileSyncPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageFileSyncPrivateDnsZoneId, '')]"
+ },
+ "storageFileDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageFileDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageFilePrivateDnsZoneId, '')]"
+ },
+ "storageBlobPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageBlobPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageBlobPrivateDnsZoneId, '')]"
+ },
+ "storageSecondaryBlobPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageSecondaryBlobPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageBlobPrivateDnsZoneId, '')]"
+ },
+ "storageDfsPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageDfsPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageDfsPrivateDnsZoneId, '')]"
+ },
+ "storageSecondaryDfsPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageSecondaryDfsPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageDfsPrivateDnsZoneId, '')]"
+ },
+ "storageQueuePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageQueuePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageQueuePrivateDnsZoneId, '')]"
+ },
+ "storageSecondaryQueuePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageSecondaryQueuePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageQueuePrivateDnsZoneId, '')]"
+ },
+ "storageWebPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageWebPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageWebPrivateDnsZoneId, '')]"
+ },
+ "storageSecondaryWebPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "storageSecondaryWebPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageWebPrivateDnsZoneId, '')]"
+ },
+ "appServiceAppsPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'AppService'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "appServiceAppsPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'AppService'), variables('privateDnsPolicyParameterMapping').azureAppServicesPrivateDnsZoneId, '')]"
+ },
+ "aaPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Automation'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "aaPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Automation'), variables('privateDnsPolicyParameterMapping').azureAutomationPrivateDnsZoneId, '')]"
+ },
+ "asrPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Backup'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "asrPrivateDnsZone-Backup": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Backup'), variables('privateDnsPolicyParameterMapping').azureBackupPrivateDnsZoneId, '')]"
+ },
+ "asrPrivateDnsZone-Blob": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Backup'), variables('privateDnsPolicyParameterMapping').azureBackupBlobPrivateDnsZoneId, '')]"
+ },
+ "asrPrivateDnsZone-Queue": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Backup'), variables('privateDnsPolicyParameterMapping').azureBackupQueuePrivateDnsZoneId, '')]"
+ },
+ "diskPrivateDns": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Compute'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "diskPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Compute'), variables('privateDnsPolicyParameterMapping').azureManagedDiskPrivateDnsZoneId, '')]"
+ },
+ "containerRegistryPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ContainerRegistry'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "containerRegistryPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ContainerRegistry'), variables('privateDnsPolicyParameterMapping').azureContainerRegistryPrivateDnsZoneId, '')]"
+ },
+ "cosmosDbPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'CosmosDb'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "cosmosDbPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'CosmosDb'), variables('privateDnsPolicyParameterMapping').azureCosmosSqlPrivateDnsZoneId, '')]"
+ },
+ "cosmosDbPrivateEndpointGroupId": {
+ "value": "Sql"
+ },
+ "adfPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DataFactory'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "adfPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DataFactory'), variables('privateDnsPolicyParameterMapping').azureDataFactoryPrivateDnsZoneId, '')]"
+ },
+ "keyVaultPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'KeyVault'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "keyVaultPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'KeyVault'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]"
+ },
+ "eventGridDomainPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventGrid'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "eventGridDomainPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventGrid'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
+ },
+ "eventGridTopicPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventGrid'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "eventGridTopicPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventGrid'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
+ },
+ "eventHubNamespacesPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventHub'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "eventHubNamespacesPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventHub'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]"
+ },
+ "mlPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'MachineLearning'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "mlPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'MachineLearning'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]"
+ },
+ "mlSecondPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'MachineLearning'), variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]"
+ },
+ "cognitiveServicesPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'OpenAi'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "cognitiveServicesPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'OpenAi'), variables('privateDnsPolicyParameterMapping').azureCognitiveServicesPrivateDnsZoneId, '')]"
+ },
+ "serviceBusDinePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ServiceBus'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "serviceBusPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ServiceBus'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]"
+ },
+ "synapsePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Synapse'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "synapsePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Synapse'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
+ { // Creating Policy Assignment Compliant Synapse to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'Synapse')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantSynapseAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantSynapseDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantSynapsePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "synapseDefender": {
+ "value": "[if(equals(parameters('enableAscForSynapse'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "synapseDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "synapseLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ }
+ }
+ },
+ { // Creating Policy Assignment Virtual Desktop to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'DesktopVirtualization')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantVirtualDesktopAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantVirtualDesktopDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantVirtualDesktopPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "avdAppGroupDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "avdAppGroupLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "avdHostPoolDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "avdHostPoolLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "avdWorkspaceDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "avdWorkspaceLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ }
+ }
+ },
+ /*
+ The following section will optionally configure the governance for the Identity management group for the platform
+ */
+ {
+ // Assigning Azure Backup policy to identity management group if condition is true
+ "condition": "[and(equals(parameters('enableVmBackupForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').azBackupIdentityPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[variables('deterministicRoleAssignmentGuids').backupForIdentity]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny Public Ip policy to identity management group if condition is true
+ "condition": "[and(equals(parameters('denyPipForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').pipPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').pipPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny subnet without nsg policy to identity management group if condition is true
+ "condition": "[and(equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').subnetNsgIdentityPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny rpd from internet on identity management group if condition is true
+ "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').rdpFromInternetIdentityPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Peer vnet in identity subscription to connectivity hub if vhub or nva contidion is true
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('identityAddressPrefix'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('deploymentNames').identityPeeringDeploymentName]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').identityVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('identitySubscriptionId'), variables('platformResourceNames').identityVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('identityAddressPrefix')]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },
+ {
+ // Peer vnet in identity subscription to connectivity hub if vwan contidion is true
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('identityAddressPrefix'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('deploymentNames').identityVwanPeeringDeploymentName]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVwanPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').identityVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('identitySubscriptionId'), variables('platformResourceNames').identityVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('identityAddressPrefix')]"
+ },
+ "vWanHubResourceId": {
+ "value": "[variables('platformResourceIds').vWanHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },
+ {
+ // Placing subscription(s) into playground management group
+ "condition": "[not(empty(parameters('playgroundSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').playgroundSubs, copyIndex())]",
+ "scope": "[variables('scopes').playgroundManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "playgroundSubs",
+ "count": "[length(parameters('playgroundSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').playground]"
+ },
+ "subscriptionId": {
+ "value": "[concat(parameters('playgroundSubscriptionId')[copyIndex()])]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning VNet peering policy to playground management group if condition is true
+ "condition": "[equals(parameters('denyVnetPeering'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').denyVnetPeeringDeploymentName]",
+ "scope": "[variables('scopes').playgroundManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').denyVnetPeeringPolicyAssignment]"
+ },
+ "parameters": {
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning budget policy to playground management group if condition is true
+ "condition": "[and(not(empty(parameters('budgetAmount'))), equals(parameters('enableBudget'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').budgetDeploymentName]",
+ "scope": "[variables('scopes').playgroundManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').budgetPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "budgetName": {
+ "value": "DefaultBudget"
+ },
+ "amount": {
+ "value": "[parameters('budgetAmount')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will place landing zone subscriptions into online/corp (connected, disconnected)
+ */
+ {
+ // Placing subscription(s) into online landing zone management group
+ "condition": "[not(empty(parameters('onlineLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').onlineLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').onlineManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "onlineLzs",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').online]"
+ },
+ "subscriptionId": {
+ "value": "[concat(parameters('onlineLzSubscriptionId')[copyIndex()])]"
+ }
+ }
+ }
+ },
+ {
+ // Placing subscriptions into corp landing zone management group
+ "condition": "[not(empty(parameters('corpLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').corpLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "corpLzs",
+ "count": "[length(parameters('corpLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').corp]"
+ },
+ "subscriptionId": {
+ "value": "[concat(parameters('corpLzSubscriptionId')[copyIndex()])]"
+ }
+ }
+ }
+ },
+ {
+ // Placing subscriptions into corp landing zone management group (and do subsequent peering)
+ "condition": "[not(empty(parameters('corpConnectedLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedMoveLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "corpConnectedMoveLzs",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').corp]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs]"
+ }
+ }
+ }
+ },
+ {
+ // Peering corp connected lz vnet to connectivity sub (when nva or vhub is selected)
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpPeeringDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "corpConnectedPeering",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').lzVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '-', variables('platformResourceNames').lzVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].addresses]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },
+ /*{
+ // Peering corp connected lz vnet to connectivity sub (when vwan is selected)
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedLzVwanSubs, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "corpConnectedVwanPeering",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]",
+ "batchSize": 1,
+ "mode": "Serial"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').lzVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '-', variables('platformResourceNames').lzVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].addresses]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vWanHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },*/
+ /*
+ **FSI Lite
Only!** + The following section represent optional deployments in case the user select to use a single dedicated subscription for platform resources. + This is not recommmended for production deployment, only for small enterprises, demo, POC, etc. + + The following deployment will create the management group structure for FSI Lite + */ + { + // Creating the FSI Lite management group structure + "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName]", + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').managementGroupsLite]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + /* + Note: ES Lite only: the following deployments will organize the dedicated platform subscription into the dedicated management groups + */ + { + // Placing Platform subscription into dedicated management group + "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').platformManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').platform]" + }, + "subscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + } + } + } + }, + /* + 
Note: ES Lite only: the following deployment will create Log Analytics to the platform subscription + */ + { + // Deploy workspace to platform subscription if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').monitoringLiteDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoring]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + }, + "enableChangeTracking": { + "value": "[parameters('enableChangeTracking')]" + }, + "enableUpdateMgmt": { + "value": "[parameters('enableUpdateMgmt')]" + } + } + } + }, + /* + Note: ES Lite only: the following deployments will deploy Log Analytics solutions to the platform subscription + */ + { + // Create storage account for NSG Flow Logs in the management subscription for networking observability + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableNsgFlowLogs'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": 
"[variables('esLiteDeploymentNames').logLiteStorageDeploymentName]", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').logStorageAccount]" + }, + "parameters": { + "mgmtStorageRgName": { + "value": "[variables('platformRgNames').logNwRg]" + }, + "storageAccountName": { + "value": "[variables('platformResourceNames').logNwStorageAccount]" + }, + "storageLocation": { + "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + } + } + } + }, + { + // Deploying Log Analytics solutions to Log Analytics workspace if condition is true + "condition": "[and(and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableActivityLog'), 'Yes')), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoringSolutions]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "enableSecuritySolution": { + "value": "[parameters('enableSecuritySolution')]" + }, + "enableAgentHealth": { + "value": "[parameters('enableAgentHealth')]" + }, + "enableChangeTracking": { + "value": "[parameters('enableChangeTracking')]" + }, + "enableUpdateMgmt": { + "value": "[parameters('enableUpdateMgmt')]" + }, + "enableActivityLog": { + "value": "[parameters('enableActivityLog')]" + }, + "enableVmInsights": { + "value": "[parameters('enableVmInsights')]" + }, + "enableServiceMap": { + "value": "[parameters('enableServiceMap')]" + }, + "enableSqlAssessment": { + "value": "[parameters('enableSqlAssessment')]" + } + } + } + }, + /* + Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group + */ + { + // Assigning Log Analytics workspace policy to platform management group if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').logAnalyticsLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "logAnalyticsWorkspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + } + } + } + }, + /* + Note: ES Lite only: deploy RG for DDoS standard protection to platform subscription + */ + { + // Creating resource group for DDoS Standard Protection + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').ddosRgLiteDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').ddosRg]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + /* + Note: ES Lite only: deploy DDoS standard protection + */ + { + // Creating DDoS protection plan into the connectivity subscription + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').ddosLiteDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').ddosRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosRgLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosProtection]" + }, + "parameters": { + "ddosName": { + "value": "[variables('platformResourceNames').ddosName]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + /* + Note: ES Lite only: deploy RG for Private DNS zones to platform subscription + */ + { + // Creating resource group for Private DNS Zones + "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').privateDnsRg]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + /* + Note: ES Lite only: deploy private DNS zones + */ + { + // Creating Private DNS Zones into the connectivity subscription + "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat(variables('esLitedeploymentNames').privateDnsZonesLiteDeploymentName, copyIndex())]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').privateDnsRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]" + ], + "copy": { + "name": "dnsZonesLite", + "count": "[length(variables('privateDnsZones'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').privateDnsZones]" + }, + "parameters": { + "privateDnsZoneName": { + "value": "[concat(variables('privateDnsZones')[copyIndex()])]" + }, + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" + } + } + } + }, + /* + Note: Lite only: Create Network Watcher into the single platform subscription + */ + { // Creating Network Watcher on Connectivity subscription + "condition": "[and(equals(parameters('enableNetworkWatcher'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[deployment().location]", + "name": "[variables('esLitedeploymentNames').nwLiteDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nwDeployment]" + }, + "parameters": { + "location": { + "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + } + } + } + }, + /* + Note: ES Lite only: assign DDoS policy for landing zones + */ + { + // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true + "condition": "[and(and(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]" + }, + "parameters": { + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: deploys hub and spoke + */ + { + // Configuring and deploying the 
connectivity hub (hub and spoke) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vnetConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFw')]" + }, + 
"subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + }, + "enableAvnm": { + "value": "[parameters('enableAvnm')]" + } + } + } + }, + /* + Note: ES Lite only: deploys virtual hub (NVA) + */ + { + // Configuring and deploying the connectivity hub (NVA) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nvaConnectivityHub]" + 
}, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + /* + Note: ES Lite only: deploys VWAN hub (Microsoft Managed) + */ + { + // Creating the VWAN network hub (Microsoft managed) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vwanConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "expressRouteScaleUnit": { + "value": "[parameters('expressRouteScaleUnit')]" + }, + "vpnGateWayScaleUnit": { + "value": "[parameters('vpnGateWayScaleUnit')]" + } + } + } + }, + /* + Note: ES Lite only: assigns policy for identity to enable Azure Backup + */ + { + // Assigning Azure Backup policy to platform management group if condition is true + "condition": "[and(equals(parameters('enableVmBackupForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').azBackupIdentityLitePolicyDeploymentName]", + "scope": 
"[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').backupForIdentity]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: assign policy for identity to deny subnet without NSG + */ + { + // Assigning deny subnet without nsg policy to identity management group if condition is true + "condition": "[and(equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').subnetNsgIdentityLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: assign policy to deny RDP from internet to platform MG + */ + { + // Assigning deny rpd from internet policy landing zones management group if condition is true + "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), 
not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').rdpFromInternetIdentityLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + } + ], + "outputs": { + "deployment": { + "type": "string", + "value": "[concat(deployment().name, ' has successfully deployed.')]" + } + } +}