From 48d35177441b14188ce9dd65dd778aa667dc4b2a Mon Sep 17 00:00:00 2001 
From: Kristian Nese Date: Sat, 11 Feb 2023 20:38:07 +0100 Subject: [PATCH 01/56] wave #1 --- ...mpliant-AutomationPolicySetDefinition.json | 284 +++++++++++++++ .../Compliant-BackupPolicySetDefinition.json | 193 ++++++++++ .../Compliant-ComputePolicySetDefinition.json | 206 +++++++++++ ...iant-ContainerAppsPolicySetDefinition.json | 164 +++++++++ ...-ContainerInstancePolicySetDefinition.json | 116 ++++++ ...-ContainerRegistryPolicySetDefinition.json | 331 +++++++++++++++++ ...Compliant-CosmosDbPolicySetDefinition.json | 234 ++++++++++++ ...pliant-DataFactoryPolicySetDefinition.json | 225 ++++++++++++ ...Compliant-EventHubPolicySetDefinition.json | 253 +++++++++++++ ...Compliant-KeyVaultPolicySetDefinition.json | 261 ++++++++++--- ...nt-MachineLearningPolicySetDefinition.json | 274 ++++++++++++++ .../Compliant-OpenAiPolicySetDefinition.json | 235 ++++++++++++ .../Compliant-SQLPolicySetDefinition.json | 279 +++++++++++--- .../Compliant-SynapsePolicySetDefinition.json | 344 ++++++++++++++++++ 14 files changed, 3296 insertions(+), 103 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json 
create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json new file mode 100644 index 00000000..4526e458 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json 
@@ -0,0 +1,284 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Automation Account should have Managed Identity", + "mode": "Indexed", + "description": "Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code .", + "metadata": { + "version": "1.0.0", + "category": "Automation" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + { + "anyOf": [ + { + "field": "identity.type", + "exists": "false" + }, + { + "field": "identity.type", + "contains": "None" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-AA-Managed-Identity" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + 
"properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Automation-Account", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Automation" + }, + "displayName": "Enforce secure-by-default Automation Account for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Automation Account", + "description": "Policy to ensure data protection for Automation Account" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Automation Account is not accessible over the public internet", + "description": "Policy to ensure Automation Account not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Automation Account", + "description": "Policy to ensure Automation Account is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure 
Automation Account is logging all events to Log Analytics", + "description": "Policy to ensure Automation Account is logging all events to Log Analytics workspace" + }, + { + "name": "DevOps", + "category": "DevOps Security", + "displayName": "Ensure Automation Account is is using Git as source control", + "description": "Policy to ensure Automation Account is configured to use Git as source control" + } + ], + "parameters": { + "aaModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "aaModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "aaVariablesEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "aaLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "aaCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "aaPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aaPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "aaPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "" + }, + "aaPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "aaManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", + "policyDefinitionReferenceId": "Deny-Aa-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "policyDefinitionReferenceId": "Dine-Aa-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('aaPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('aaPrivateEndpointGroupId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", + "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", + "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaVariablesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", + "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyLocalAUth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", + "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyPublicNetworkAccess')]" + } + } + } + ] + } + } + ] 
+} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json new file mode 100644 index 00000000..7a56c53a --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json 
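Review bot: The initiative declares the parameter `aaModifyLocalAuth`, but the `Modify-Aa-Local-Auth` reference reads `"value": "[[parameters('aaModifyLocalAUth')]"`; if the policy engine resolves parameter names case-sensitively this fails when the set definition is created, and even if it tolerates the mismatch it is a maintenance trap, so change it to `"value": "[[parameters('aaModifyLocalAuth')]"`. `Dine-Aa-Private-Dns` defaults its effect to `DeployIfNotExists` while `aaPrivateDnsZoneId` and `aaPrivateEndpointGroupId` default to empty strings, so an assignment that accepts the defaults will launch remediation deployments with an empty zone id; either default `aaPrivateDnsZone` to `Disabled` or document that both ids are mandatory whenever the effect is `DeployIfNotExists`. The `Logging` and `DevOps` groups are declared with displayNames promising Log Analytics logging and Git source control, yet no policy in the set is assigned to either group, so the compliance view will present those controls as covered when nothing enforces them — add member policies or drop the groups until they exist.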
@@ -0,0 +1,193 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "[Preview]: Immutability must be enabled for backup vaults", + "policyType": "BuiltIn", + "mode": "Indexed", + "description": "This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.", + "metadata": { + "version": "1.0.0-preview", + "preview": true, + "category": "Backup" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "checkLockedImmutabiltyOnly": { + "type": "Boolean", + "metadata": { + "displayName": "CheckLockedImmutabiltyOnly", + "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DataProtection/backupvaults" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", + "notIn": [ + "Locked", + "UnLocked" + ] + }, + { + "allOf": [ + { + "value": "[[parameters('checkLockedImmutabiltyOnly')]", + "equals": true + }, + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", + "notEquals": "Locked" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Backup-Immutability" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Backup", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Backup" + }, + "displayName": "Enforce secure-by-default Backup for Financial Services Industry", + "description": 
"This policy initiative is a group of policies that ensures Backup is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Backup", + "description": "Policy to ensure data protection for Backup" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Backup is not accessible over the public internet", + "description": "Policy to ensure Backup not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Backup", + "description": "Policy to ensure Backup is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Backup is logging all events to Log Analytics", + "description": "Policy to ensure Backup is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "backupImmutability": { + "type": "string", + "defaultValue": "Deny" + }, + "backupCmk": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('backupCmk')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Backup-Immutability", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('backupImmutability')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json new file mode 100644 index 00000000..d8446001 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json 
@@ -0,0 +1,206 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Managed disks should disable public network access", + "mode": "Indexed", + "description": "Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc.", + "metadata": { + "version": "2.0.0", + "category": "Compute" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/disks" + }, + { + "field": "Microsoft.Compute/disks/networkAccessPolicy", + "notIn": [ + "DenyAll", + "AllowPrivate" + ] + }, + { + "field": "Microsoft.Compute/disks/publicNetworkAccess", + "notEquals": "Disabled" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Disk-Public-Endpoint" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": 
"[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Compute", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Compute" + }, + "displayName": "Enforce secure-by-default Compute for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Compute is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Compute is not accessible over the public internet", + "description": "Policy to ensure Compute is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Compute", + "description": "Policy to ensure Compute is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Compute is 
logging all events to Log Analytics", + "description": "Policy to ensure Compute is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "diskPrivateDns": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "diskPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "diskDoubleEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "managedDiskPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "osAndDataDiskCmk": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", + "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('osAndDataDiskCmk')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('managedDiskPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", + "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('diskDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "policyDefinitionReferenceId": "Dine-Disk-Private-DNS", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('diskPrivateDns')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('diskPrivateDnsZoneId')]" + } + } + } + ] + } + } + ] +} 
\ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json new file mode 100644 index 00000000..117984ba --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json 
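Review bot: The `Encryption` group text ("purge protection, soft delete, and key rotation") is a Key Vault description copied into the Compute initiative and does not describe `Deny-OsAndDataDisk-Cmk` or `Deny-Disk-Double-Encryption`; replace it with something like `"displayName": "Ensure managed disks use customer-managed keys and double encryption"` and a matching description. The `Network` group's only members concern managed-disk export endpoints, so its displayName "Ensure Compute is not accessible over the public internet" overstates what is enforced — nothing here touches VM NICs or public IPs, and the wording should be narrowed to disks. As in the Automation set, `diskPrivateDnsZoneId` defaults to `""` while `diskPrivateDns` defaults to `DeployIfNotExists`, so remediation with the default parameters will fail unless the assignment supplies a zone id; consider defaulting the effect to `Disabled`. The `Identity` and `Logging` groups are declared but have no member policies.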
@@ -0,0 +1,164 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-ContainerApps", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Container Apps" + }, + "displayName": "Enforce secure-by-default Container Apps for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per FSI Landing 
Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Container Apps is not accessible over the public internet", + "description": "Policy to ensure Container Apps is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Container Apps", + "description": "Policy to ensure Container Apps is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Container Apps is logging all events to Log Analytics", + "description": "Policy to ensure Container Apps is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "containerAppsPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsEnvPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerAppsVnetInjection": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb", + "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsVnetInjection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", + 
"policyDefinitionReferenceId": "Deny-ContainerAppsEnv-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsEnvPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7", + "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "policyDefinitionReferenceId": "Deny-ContainerApps-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1", + "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsPublicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json new file mode 100644 index 00000000..fd99fc66 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json 
@@ -0,0 +1,116 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-ContainerInstance", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Container Instance" + }, + "displayName": "Enforce secure-by-default Container Instance for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per 
FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Container Instance is not accessible over the public internet", + "description": "Policy to ensure Container Instance is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Container Instance", + "description": "Policy to ensure Container Instance is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Container Instance is logging all events to Log Analytics", + "description": "Policy to ensure Container Instance is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "containerInstanceCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "containerInstanceVnet": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615", + "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceVnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", + "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceCmk')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
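Review bot: The two initiative parameters `containerInstanceCmk` and `containerInstanceVnet` are declared as bare strings with no `allowedValues` or `metadata`, so an assignment can pass any value: a typo only surfaces as an assignment failure, and `"Disabled"` silently switches the control off with nothing on the parameter documenting that choice. I would constrain them to the effects the referenced built-ins accept, e.g. `"containerInstanceVnet": { "type": "string", "metadata": { "displayName": "Effect for Container Instance VNet deployment" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Deny" }`. The `policyDefinitionGroups` text also looks copy-pasted: the initiative description says "ensures Container Apps is compliant", the `Encryption` group speaks of purge protection, soft delete and key rotation although its only member here is the CMK rule, "auhtorization" is misspelled, and the `Identity` and `Logging` groups have no member policies at all and will show up as empty groups in the compliance view. `variables('scope')` is defined but never referenced in this template.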
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json
new file mode 100644
index 00000000..20615017
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json
@@ -0,0 +1,331 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-ContainerRegistry", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Container Registry" + }, + "displayName": "Enforce secure-by-default Container Registry for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per 
FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Container Registry is not accessible over the public internet", + "description": "Policy to ensure Container Registry is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Container Registry", + "description": "Policy to ensure Container Registry is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Container Registry is logging all events to Log Analytics", + "description": "Policy to ensure Container Registry is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "containerRegistryUnrestrictedNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryRepositoryToken": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyRepositoryToken": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistryLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistryExports": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryAnAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyAnAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistrySkuPrivateLink": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryArmAudience": { + "type": "string", + "defaultValue": "Deny" + }, + 
"containerRegistryModifyArmAudience": { + "type": "string", + "defaultValue": "Modify" + }, + "containerRegistryCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "containerRegistryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "containerRegistryPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "containerRegistryModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "policyDefinitionReferenceId": "Dine-ContainerRegistry-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('containerRegistryPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('containerRegistryModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistrySkuPrivateLink')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + 
"effect": { + "value": "[[parameters('containerRegistryModifyAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryExports')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryUnrestrictedNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
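Review bot: `containerRegistryPrivateDnsZoneId` defaults to an empty string while `containerRegistryPrivateDnsZone` defaults to `DeployIfNotExists`, so an assignment that accepts the defaults hands `Dine-ContainerRegistry-Private-DNS-Zone` an empty zone resource ID and every remediation it triggers will fail; either drop the default so the value must be supplied, or state in the parameter's `metadata.description` that the assignment has to set it. The repository-scoped-token pair (`Deny-ContainerRegistry-Repo-Token`, `Modify-ContainerRegistry-Repo-Token`) and `Deny-ContainerRegistry-Exports` are filed under `Encryption`, but tokens are a local-credential mechanism that belongs with the local-admin and anonymous-auth rules under `Identity` (and exports are an exfiltration control, not encryption); the `Encryption` group's purge-protection/soft-delete/key-rotation wording and the description "ensures Container Apps is compliant" are copy-pasted from other initiatives, and `Logging` has no members. The five `Modify` effects (local auth, repo token, anonymous auth, ARM audience, public network access) only do anything if the assignment carries a managed identity holding the role each built-in declares in its `roleDefinitionIds`, which this template cannot enforce, so it deserves a note on those parameters. None of the effect parameters declare `allowedValues`, so a value such as `Deny` for a Modify parameter is accepted here and only rejected later at assignment validation.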
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json
new file mode 100644
index 00000000..41433369
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json
@@ -0,0 +1,234 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-CosmosDb", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB" + }, + "displayName": "Enforce secure-by-default Cosmos DB for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per FSI Landing Zones", + 
"policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Cosmos DB", + "description": "Policy to ensure data protection for Cosmos DB" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Cosmos DB is not accessible over the public internet", + "description": "Policy to ensure Cosmos DB not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Cosmos DB", + "description": "Policy to ensure Cosmos DB is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Cosmos DB is logging all events to Log Analytics", + "description": "Policy to ensure Cosmos DB is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "cosmosDbCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "cosmosDbLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "cosmosDbPublicAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cosmosDbFwRules": { + "type": "string", + "defaultValue": "Deny" + }, + "cosmosDbPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosDbPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbAtp": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosDbModifyPublicAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "cosmosDbModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", + "policyDefinitionReferenceId": 
"Modify-CosmosDb-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", + "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyPublicAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656", + "policyDefinitionReferenceId": "Dine-CosmosDb-Atp", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbAtp')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "policyDefinitionReferenceId": "Dine-CosmosDb-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbPrivateDnsZone')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('cosmosDbPrivateEndpointGroupId')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('cosmosDbPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "policyDefinitionReferenceId": "Deny-CosmosDb-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbPublicAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", + "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", + "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "groupNames": [ + "Encryption" + ], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "policyDefinitionReferenceId": "Deny-CosmosDb-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbCmk')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json new file mode 100644 index 00000000..4ee1e487 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json 
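Review bot: `cosmosDbPrivateDnsZoneId` and `cosmosDbPrivateEndpointGroupId` both default to `""` while `cosmosDbPrivateDnsZone` defaults to `DeployIfNotExists`, so with default values `Dine-CosmosDb-Private-Dns` is handed an empty group ID and zone ID; the rule's match on the private-endpoint sub-resource is then likely never to fire for a real account (Sql, MongoDB, Cassandra, …) and any remediation that does run fails on the empty zone ID, so the control quietly does nothing. Either remove those defaults so the assignment must supply them, or default the effect to `Disabled` and explain that in `metadata.description`. The `Logging` group promises "logging all events to Log Analytics", but its only member is `Dine-CosmosDb-Atp` (Defender for Cosmos DB); there is no diagnostic-settings policy, so either add one or reword the group. `Append-CosmosDb-Metadata` (key-based metadata write access, judging by the reference ID) is an authorization control and fits `Identity` better than `Encryption`; as elsewhere in this series the effect parameters lack `allowedValues`/`metadata`, and `variables('scope')` is declared but unused.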
@@ -0,0 +1,225 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-DataFactory", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Data Factory" + }, + "displayName": "Enforce secure-by-default Data Factory for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per FSI Landing Zones", + 
"policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Data Factory", + "description": "Policy to ensure data protection for Data Factory" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Data Factory is not accessible over the public internet", + "description": "Policy to ensure Data Factory not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Data Factory", + "description": "Policy to ensure Data Factory is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Data Factory is logging all events to Log Analytics", + "description": "Policy to ensure Data Factory is logging all events to Log Analytics workspace" + }, + { + "name": "DevOps", + "category": "DevOps Security", + "displayName": "Ensure Data Factory is is using Git as source control", + "description": "Policy to ensure Data Factory is configured to use Git as source control" + } + ], + "parameters": { + "adfSqlIntegration": { + "type": "string", + "defaultValue": "Deny" + }, + "adfModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "adfLinkedServiceKeyVault": { + "type": "string", + "defaultValue": "Deny" + }, + "adfPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "adfCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "adfGit": { + "type": "string", + "defaultValue": "Deny" + }, + "adfPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "adfManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", + "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "policyDefinitionReferenceId": "Dine-Adf-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('adfPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", + "policyDefinitionReferenceId": "Deny-Adf-Git", + "groupNames": [ + "DevOps" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfGit')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", + "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0", + "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfLinkedServiceKeyVault')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", + "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952", + "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfSqlIntegration')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json new file mode 100644 index 00000000..746d0ca7 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json 
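Review bot: `adfPrivateDnsZoneId` defaults to `""` while `adfPrivateDnsZone` defaults to `DeployIfNotExists`, so a default assignment of `Dine-Adf-Private-Dns-Zone` attempts remediations with an empty zone resource ID and fails; drop the default or mark the parameter as required in `metadata.description`. The `Logging` group ("logging all events to Log Analytics") has no member policy and is an empty promise in the compliance view — add a diagnostic-settings DINE for `Microsoft.DataFactory/factories` or remove the group; the `DevOps` group displayName reads "is is using Git". The effect parameters (`adfGit`, `adfCmk`, `adfManagedIdentity`, …) carry no `allowedValues` or `metadata`, so nothing documents which effects each built-in accepts, and `adfModifyPublicNetworkAccess` only takes effect if the assignment has a managed identity with the role the Modify built-in requires. `variables('scope')` is defined and never used.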
@@ -0,0 +1,253 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Event Hub namespaces should use a customer-managed key for encryption", + "mode": "Indexed", + "description": "Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. 
Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "field": "Microsoft.EventHub/namespaces/clusterArmId", + "exists": "true" + }, + { + "not": { + "field": "Microsoft.EventHub/namespaces/encryption.keySource", + "equals": "Microsoft.Keyvault" + } + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-EH-Cmk" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Event-Hub", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + 
"version": "1.0.0", + "category": "Event Hub" + }, + "displayName": "Enforce secure-by-default Event Hub for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Event Hub is not accessible over the public internet", + "description": "Policy to ensure Event Hub is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Event Hub", + "description": "Policy to ensure Event Hub is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Event Hub is logging all events to Log Analytics", + "description": "Policy to ensure Event Hub is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "eventHubAuthRules": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventHubNamespacesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventHubNamespacesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesDoubleEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "eventHubNamespacesCmk": { + "type": "string", + "defaultValue": "Deny" + 
} + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-EH-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c", + "policyDefinitionReferenceId": "Deny-EH-Double-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e", + "policyDefinitionReferenceId": "Dine-EH-Local-Auth", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "policyDefinitionReferenceId": "Dine-EH-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventHubNamespacesPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d", + "policyDefinitionReferenceId": "Modify-EH-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598", + "policyDefinitionReferenceId": "Deny-EH-Local-Auth", + "groupNames": [ + "Identity" + ], + 
"parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7", + "policyDefinitionReferenceId": "Deny-EH-Auth-Rules", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubAuthRules')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json index 2e203615..96623194 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json 
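Review bot: The reference `Dine-EH-Local-Auth` (policyDefinitionId 0602787f-…) is wired to `eventHubNamespacesPublicNetworkAccess` and placed in the `Network` group, so either the reference ID or the parameter is wrong, and its default of `Deny` also contradicts the `Dine-` prefix. If that built-in is the Event Hub public-network-access policy, rename it to `"policyDefinitionReferenceId": "Deny-EH-Public-Network-Access"` before the first assignment, since reference IDs are keys in compliance and remediation data and are painful to change later; otherwise wire it to a local-auth parameter and move it to `Identity`. Separately, `eventHubNamespacesPrivateDnsZoneId` defaults to `""` while its effect defaults to `DeployIfNotExists`, so an assignment that keeps the defaults will attempt remediation with an empty zone ID — consider dropping the default so the caller must supply it, or defaulting the effect to `Disabled` until one is set. The `Logging` group is declared but no policy references it, the `Encryption` group text ("purge protection, soft delete, and key rotation") was copied from the Key Vault initiative and does not describe the CMK/double-encryption checks here, and `auhtorization` in the Identity group display name is a typo.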
@@ -12,56 +12,6 @@
 // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives
 "policies": {
 "policyDefinitions": [
- {
- "properties": {
- "displayName": "Service Bus Premium namespaces must use a customer-managed key for encryption",
- "mode": "Indexed",
- "description": "Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces.",
- "metadata": {
- "version": "1.0.0",
- "category": "Service Bus"
- },
- "parameters": {
- "effect": {
- "type": "String",
- "metadata": {
- "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
- },
- "allowedValues": [
- "Deny",
- "Audit",
- "Disabled"
- ],
- "defaultValue": "Deny"
- }
- },
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "Microsoft.ServiceBus/namespaces"
- },
- {
- "field": "Microsoft.ServiceBus/namespaces/sku.tier",
- "equals": "Premium"
- },
- {
- "not": {
- "field": "Microsoft.ServiceBus/namespaces/encryption.keySource",
- "equals": "Microsoft.Keyvault"
- }
- }
- ]
- },
- "then": {
- "effect": "[[parameters('effect')]"
- }
- }
- },
- "name": "Deny-ServiceBus-CMK"
- }
 ]
 }
 },
@@ -204,9 +154,220 @@ "secretsValidityInDays": { "type": "integer", "defaultValue": 90 + }, + "keyVaultFw": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultCertKeyTypes": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultEllipticCurve": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultModifyFw": { + "type": "string", + "defaultValue": "Modify" + }, + "keyVaultCryptographicType": { + "type": "string", + "defaultValue": "Deny" + }, + "keysExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + "keysExpirationInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysActive": { + "type": "string", + "defaultValue": "Deny" + }, + "keysActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysCurveNames": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsMoreInDays": { + "type": "integer", + "defaultValue": 10 + }, + "secretsMaxValiditity": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsMaxValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActive": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", + "policyDefinitionReferenceId": "Deny-KV-Secret-AvticeDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsActiveInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "policyDefinitionReferenceId": "Deny-KV-Secret-MaxDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('secretsMaxValiditity')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('secretsMaxValidityInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "policyDefinitionReferenceId": "Deny-KV-Secret-MinDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('secretsMoreInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", + "policyDefinitionReferenceId": "Deny-KV-Curve-Names", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysCurveNames')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9", + "policyDefinitionReferenceId": "Deny-KV-Key-Active", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysActiveInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146", + "policyDefinitionReferenceId": "Deny-KV-Key-Expiration", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('keysExpirationInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb", + "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCryptographicType')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc", + "policyDefinitionReferenceId": "Modify-KV-Fw", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultModifyFw')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf", + "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultEllipticCurve')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f", + "policyDefinitionReferenceId": "Deny-KV-Key-Types", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertKeyTypes')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "policyDefinitionReferenceId": "Deny-KV-Fws", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultFw')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f", "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json new file mode 100644 index 00000000..993f55d9 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json 
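Review bot: The built-in `b0eb591a-…` is referenced twice with the same parameter `minimumDaysBeforeExpiration` — as `Deny-KV-Secret-MaxDays` fed by `secretsMaxValidityInDays` (90) and as `Deny-KV-Secret-MinDays` fed by `secretsMoreInDays` (10) — so if that parameter means what its name says, the 90-day requirement subsumes the 10-day one and, combined with `maximumValidityInDays` = 90 from `Deny-KV-Secret-AvticeDays` (plus the pre-existing `Deny-KV-Secrets-ValidityDays`), a secret must be valid for at most 90 days while having at least 90 days remaining, which leaves no usable window under `Deny`. The `MaxDays` entry looks like a copy of the `MinDays` entry that was meant to point at a maximum-validity definition; drop it (maximum validity is already covered twice) or correct its `policyDefinitionId`, and check the same 90/90 pairing on `Deny-KV-Key-Active` / `Deny-KV-Key-Expiration`, where `keysExpirationInDays` feeding `minimumDaysBeforeExpiration` should presumably be a small value like the 10 used for secrets. Reference IDs and parameter names surface in assignments and compliance records, so fix the typos `Deny-KV-Secret-AvticeDays` and `secretsMaxValiditity` before this is deployed rather than after. None of the new initiative parameters declare `allowedValues`, so an invalid effect string is only caught at assignment time; adding `"allowedValues": ["Audit", "Deny", "Disabled"]` (and the `Modify` set for `keyVaultModifyFw`) would mirror what the custom definitions already do for their own `effect` parameter.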
@@ -0,0 +1,274 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Audit/Deny Azure Machine Learning Compute Instances with an outdated operating system", + "mode": "All", + "description": "Compute instances are non-compliant if the instance has an outdated operating system version. For more information, visit http://aka.ms/azureml-ci-updates/.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effects": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." 
+ }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "ComputeInstance" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/osImageMetadata.isLatestOsImageVersion", + "equals": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effects')]" + } + } + }, + "name": "Deny-ML-Outdated-OS" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Machine-Learning", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "displayName": "Enforce secure-by-default Machine Learning for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant 
per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Machine Learning is not accessible over the public internet", + "description": "Policy to ensure Machine Learning is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Machine Learning", + "description": "Policy to ensure Machine Learning is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Machine Learning is logging all events to Log Analytics", + "description": "Policy to ensure Machine Learning is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "mlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "mlModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "mlUserAssignedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "mlPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "mlSecondPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "mlModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "mlLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "mlOutdatedOS": { + "type": "string", + "defaultValue": "Deny" + }, + "mlCmk": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "policyDefinitionReferenceId": "Deny-ML-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlCmk')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-ML-Outdated-Os", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effects": { + "value": "[[parameters('mlOutdatedOS')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f", + "policyDefinitionReferenceId": "Deny-ML-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512", + "policyDefinitionReferenceId": "Modify-ML-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f", + "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "policyDefinitionReferenceId": "Dine-ML-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('mlPrivateDnsZoneId')]" + }, + "secondPrivateDnsZoneId": { + "value": 
"[[parameters('mlSecondPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78", + "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlUserAssignedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "policyDefinitionReferenceId": "Deny-ML-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlPublicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json new file mode 100644 index 00000000..1794c8ec --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json 
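Review bot: `Deny-ML-Outdated-Os` is placed in the `Encryption` group although an outdated-OS-image check is a patching/posture control, and none of the four declared groups fits it; add a group such as `{ "name": "Compute", "category": "Posture and Vulnerability Management", "displayName": "Ensure Machine Learning compute runs a current OS image", "description": "Policy to ensure Machine Learning compute instances are not running an outdated operating system image" }` and reference that instead. The custom definition names its parameter `effects` (and the initiative passes `effects`), unlike every other definition in this change which uses `effect`; renaming it to `effect` before first deployment keeps the definitions uniform and avoids surprising anyone who assigns it directly. Note also that `osImageMetadata.isLatestOsImageVersion` is a value that drifts after creation, so a `Deny` default blocks creates/updates of already-outdated instances while existing instances only surface as non-compliant — either the definition's description should state this, or the initiative default should match the definition's own `Audit`. As in the sibling initiatives, `Logging` has no member policy, the `Encryption` group text was copied from Key Vault, and `auhtorization` is a typo.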
@@ -0,0 +1,235 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-OpenAi", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Cognitive Service" + }, + "displayName": "Enforce secure-by-default Open AI (Cognitive Service) for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is 
compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Open AI (Cognitive Service)", + "description": "Policy to ensure data protection for Open AI (Cognitive Service)" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Open AI (Cognitive Service) is not accessible over the public internet", + "description": "Policy to ensure Open AI (Cognitive Service) not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Open AI (Cognitive Service)", + "description": "Policy to ensure Open AI (Cognitive Service) is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Open AI (Cognitive Service) is logging all events to Log Analytics", + "description": "Policy to ensure Open AI (Cognitive Service) is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "cognitiveServicesNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "cognitiveServicesModifyDisableLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "cognitiveServicesDisableLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cognitiveServicesPrivateDnsZoneId": { + "type": "string", + 
"defaultValue": "" + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "policyDefinitionReferenceId": "Dine-Cognitive-Services-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('cognitiveServicesPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-CMK", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json index 3aeb5098..8c389e83 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json 
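Review bot: `variables('policies').policyDefinitions` is an empty array, yet the `Microsoft.Authorization/policyDefinitions` resource still declares `"count": "[length(variables('policies').policyDefinitions)]"` and the initiative keeps `"dependsOn": ["policyDefinitionCopy"]`; as far as I recall, ARM accepts a zero-iteration copy only with recent deployment API versions and tooling, so this template may fail validation where its siblings succeed. Either remove the empty custom-definition resource together with the `dependsOn` entry, or put a comment beside the empty array stating that it is intentionally empty and that a zero-count copy is relied upon. `cognitiveServicesNetworkAccess` and `cognitiveServicesPublicNetworkAccess` both default to `Deny` and drive two different built-ins (037eea7a and 0725b4dd) in the same `Network` group; a one-line comment on each parameter saying which aspect of network exposure it governs would help assigners, since the names alone do not distinguish them. `Logging` has no member policy and `auhtorization` is a typo, as in the sibling initiatives.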
@@ -14,53 +14,105 @@ "policyDefinitions": [ { "properties": { - "displayName": "Private endpoint connections on Azure SQL Database should be enabled", - "mode": "Indexed", - "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", - "metadata": { - "version": "1.0.0", - "category": "SQL" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Sql/servers" - }, - { - "count": { - "field": "Microsoft.Sql/servers/privateEndpointConnections[*]", - "where": { - "field": "Microsoft.Sql/servers/privateEndpointConnections[*].privateLinkServiceConnectionState.status", - "equals": "Approved" - } - }, - "less": 1 - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, + "displayName": "Private endpoint connections on Azure SQL Database should be enabled", + "mode": "Indexed", + "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "count": { + "field": "Microsoft.Sql/servers/privateEndpointConnections[*]", + "where": { + "field": "Microsoft.Sql/servers/privateEndpointConnections[*].privateLinkServiceConnectionState.status", + "equals": "Approved" + } + }, + "less": 1 + } + ] + }, + "then": 
{ + "effect": "[[parameters('effect')]" + } + } + }, "name": "Deny-Sql-Db-Public-Endpoint" + }, + { + "properties": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "mode": "Indexed", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", + "metadata": { + "version": "1.0.1", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "exists": false + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notEquals": "1.2" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Sql-Managed-Tls-Version" } ] } 
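Review bot: The new `Deny-Sql-Managed-Tls-Version` rule denies every `minimalTlsVersion` other than the literal `"1.2"`, so a managed instance configured with a stronger minimum, should the service ever accept one, is rejected just like a weak one. If the intent is a floor rather than an exact match, `"field": "Microsoft.Sql/managedInstances/minimalTlsVersion", "less": "1.2"` (keeping the `exists: false` branch) expresses that; otherwise state in the policy `description` that exactly 1.2 is required so the behaviour is not mistaken for a bug later. The `effect` default of `Audit` while the initiative passes `Deny` matches the sibling definition, which is fine. The `variables` object these definitions live in begins before this hunk.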
@@ -96,20 +148,20 @@ "version": "1.0.0", "category": "SQL" }, - "displayName": "Enforce secure-by-default SQL for Financial Services Industry", - "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default SQL and SQL Managed Instance for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per FSI Landing Zones", "policyDefinitionGroups": [ { "name": "Encryption", "category": "Data Protection", "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", - "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + "description": "Policy to ensure data protection for SQL and SQL Managed Instance" }, { "name": "Network", "category": "Network Security", - "displayName": "Ensure SQL is not accessible over the public internet", - "description": "Policy to ensure SQL is not accessible over the public internet" + "displayName": "Ensure SQL and SQL Managed Instance is not accessible over the public internet", + "description": "Policy to ensure SQL and SQL Managed Instance is not accessible over the public internet" }, { "name": "Identity", @@ -120,8 +172,8 @@ { "name": "Logging", "category": "Logging and Threat Detection", - "displayName": "Ensure SQL is logging all events to Log Analytics", - "description": "Policy to ensure SQL is logging all events to Log Analytics workspace" + "displayName": "Ensure SQL and SQL Managed Instance is logging all events to Log Analytics", + "description": "Policy to ensure SQL and SQL Managed Instance is logging all events to Log Analytics workspace" } ], "parameters": { 
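Review bot: The `Encryption` group's `displayName` is left as `Ensure compliance for purge protection, soft delete, and key rotation`, which is Key Vault wording, while its `description` on the next line is rewritten for SQL; the portal compliance view shows the displayName, so the group will read as a Key Vault control. Suggest `"displayName": "Ensure compliance for data encryption and key management for SQL and SQL Managed Instance"` alongside the updated description. The initiative `properties` object continues outside the hunk.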
@@ -148,9 +200,130 @@ "sqlDbTls": { "type": "string", "defaultValue": "Deny" + }, + "sqlManagedAadOnly": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlTde": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlManagedPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlAadOnly": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlManagedCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "sqlManagedDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd", + "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedDefender')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027", + "policyDefinitionReferenceId": "Deny-Sql-Aad-Only", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlAadOnly')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "policyDefinitionReferenceId": "Dine-Sql-Tde", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlTde')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedAadOnly')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", + "policyDefinitionReferenceId": "Dine-Sql-Defender", + "groupNames": [ + "Encryption", + "Logging" + ], + "parameters": {} + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", "policyDefinitionReferenceId": "Dine-Sql-Adv-Data", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json new file mode 100644 index 00000000..c069d112 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json 
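Review bot: The `Dine-Sql-Defender` reference (`36d49e87-…`) is added with `"parameters": {}`, so unlike every other entry in this hunk its effect is not bound to an initiative parameter and an assignment cannot switch it to Audit or Disabled; it is also placed in the `Encryption` group although Defender for SQL is threat detection, not data protection. If the built-in exposes an `effect` parameter, add `"sqlDefender": { "type": "string", "defaultValue": "DeployIfNotExists" }` to the initiative `parameters` and wire it with `"effect": { "value": "[[parameters('sqlDefender')]" }`, keeping the entry under `Logging` only. The `policyDefinitions` array continues past the end of the hunk.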
@@ -0,0 +1,344 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "IP firewall rules on Azure Synapse workspaces should be removed", + "mode": "All", + "description": "Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace.", + "metadata": { + "version": "1.0.0", + "category": "Synapse" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Synapse/workspaces/firewallrules" + }, + { + "field": "name", + "exists": "true" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Synapse-Fw-Rules" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": 
"[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Synapse", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Synapse" + }, + "displayName": "Enforce secure-by-default Synapse workspaces for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Synapse workspaces", + "description": "Policy to ensure data protection for Synapse workspaces" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Synapse workspaces is not accessible over the public internet", + "description": "Policy to ensure Synapse workspaces not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Synapse workspaces", + "description": "Policy to ensure Synapse workspaces is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Synapse workspaces is logging all events to Log 
Analytics", + "description": "Policy to ensure Synapse workspaces is logging all events to Log Analytics workspace" + }, + { + "name": "DevOps", + "category": "DevOps Security", + "displayName": "Ensure Synapse workspaces is is using Git as source control", + "description": "Policy to ensure Synapse workspaces is configured to use Git as source control" + } + ], + "parameters": { + "synapsePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "synapseLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "synapseManagedVnet": { + "type": "string", + "defaultValue": "Deny" + }, + "synapseDataTraffic": { + "type": "string", + "defaultValue": "Deny" + }, + "synapsePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "synapseTenants": { + "type": "string", + "defaultValue": "Deny" + }, + "synapseAllowedTenantIds": { + "type": "array", + "defaultValue": [ + "[[subscription().tenantId]" + ] + }, + "synapseFwRules": { + "type": "string", + "defaultValue": "Deny" + }, + "synapseModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "synapseModifyTlsVersion": { + "type": "string", + "defaultValue": "Modify" + }, + "synapseModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny" + }, + "synapseCmk": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "policyDefinitionReferenceId": "Deny-Synapse-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "policyDefinitionReferenceId": 
"Deny-Synapse-Tls-Version", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c", + "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140", + "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a", + "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0", + "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseTenants')]" + }, + "allowedTenantIds": { + "value": "[[parameters('synapseAllowedTenantIds')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d", + "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapsePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218", + "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseDataTraffic')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650", + "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseManagedVnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8", + "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "policyDefinitionReferenceId": "Dine-Synapse-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapsePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('synapsePrivateDnsZoneId')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file From 94190f58a114bffecc1d3f64ccce328a76b45278 Mon Sep 17 00:00:00 2001 
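Review bot: The `DevOps` group is declared in `policyDefinitionGroups` but no entry in `policyDefinitions` references it, so the initiative advertises a Git source-control control it does not enforce; either add the policy or drop the group (its displayName also reads `is is using`, and the Identity group has `auhtorization`). `Deny-Synapse-Tenant-Access` and `Deny-Synapse-Data-Traffic` are listed under `Encryption` as well as `Network`, which inflates the encryption compliance view; `"groupNames": ["Network"]` appears to be what is meant. The `synapseAllowedTenantIds` default of `"[[subscription().tenantId]"` relies on Azure Policy evaluating that expression inside a parameter default, which is worth confirming with a test assignment, since a literal string there would match no real tenant ID. The file also ends without a trailing newline.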
From: Kristian Nese Date: Sun, 12 Feb 2023 16:02:49 +0100 Subject: [PATCH 02/56] adding AKS --- ...mpliant-KubernetesPolicySetDefinition.json | 495 ++++++++++++++++++ 1 file changed, 495 insertions(+) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json new file mode 100644 index 00000000..3589923b --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json 
@@ -0,0 +1,495 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Azure Kubernetes Clusters should enable Key Management Service (KMS)", + "mode": "Indexed", + "description": "Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption.", + "metadata": { + "version": "1.0.0", + "category": "Kubernetes" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy", + "portalReview": true + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "identity.type", + "notEquals": "SystemAssigned" + }, + { + "field": "Microsoft.ContainerService/managedClusters/securityProfile.azureKeyVaultKms.enabled", + "notEquals": true + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Aks-CSI" + }, + { + "properties": { + "displayName": "Azure Kubernetes Clusters should use Azure CNI", + "mode": "Indexed", + "description": "Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. 
Learn more at: https://aka.ms/aks-azure-cni", + "metadata": { + "version": "1.0.1", + "category": "Kubernetes" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy", + "portalReview": true + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin", + "notEquals": "azure" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Aks-Cni" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Kubernetes", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Kubernetes" + }, + "displayName": "Enforce secure-by-default Kubernetes for Financial 
Services Industry", + "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Kubernetes is not accessible over the public internet", + "description": "Policy to ensure Kubernetes is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Kubernetes", + "description": "Policy to ensure Kubernetes is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Kubernetes is logging all events to Log Analytics", + "description": "Policy to ensure Kubernetes is logging all events to Log Analytics workspace" + }, + { + "name": "Governance", + "category": "Governance and Strategy", + "displayName": "Ensure Kubernetes is integrated with Azure Resource Manager to be governed by Azure Policy", + "description": "Policy to ensure Kubernetes is integrated with Azure Resource Manager to be governed by Azure Policy" + } + ], + "parameters": { + "aksKms": { + "type": "string", + "defaultValue": "Deny" + }, + "aksCni": { + "type": "string", + "defaultValue": "Deny" + }, + "aksLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "aksPrivateCluster": { + "type": "string", + "defaultValue": "Deny" + }, + "aksDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "type": "string", + "defaultValue": "" + }, + "aksOsAndDataDiskCmk": { + "type": "string", + 
"defaultValue": "Deny" + }, + "aksPolicy": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aksCommandInvoke": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aksReadinessOrLivenessProbes": { + "type": "string", + "defaultValue": "Deny" + }, + "aksPrivContainers": { + "type": "string", + "defaultValue": "Deny" + }, + "aksPrivEscalation": { + "type": "string", + "defaultValue": "Deny" + }, + "aksAllowedCapabilities": { + "type": "string", + "defaultValue": "Deny" + }, + "aksTempDisk": { + "type": "string", + "defaultValue": "Deny" + }, + "aksInternalLb": { + "type": "string", + "defaultValue": "Deny" + }, + "aksHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "aksDefaultNamespace": { + "type": "string", + "defaultValue": "Deny" + }, + "aksNakedPods": { + "type": "string", + "defaultValue": "Deny" + }, + "aksShareHostProcessAndNamespace": { + "type": "string", + "defaultValue": "Deny" + }, + "aksWindowsContainerAdministrator": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75", + "policyDefinitionReferenceId": "Deny-Aks-Windows-Conatiner-Administrator", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksWindowsContainerAdministrator')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", + "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksShareHostProcessAndNamespace')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581", + "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + 
"value": "[[parameters('aksNakedPods')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", + "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksDefaultNamespace')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policyDefinitionReferenceId": "Deny-Aks-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e", + "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksInternalLb')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", + "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksTempDisk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", + "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities", + "groupNames": [ + "Governance" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksAllowedCapabilities')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivEscalation')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivContainers')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915", + "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksReadinessOrLivenessProbes')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc", + "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksCommandInvoke')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "policyDefinitionReferenceId": "Dine-Aks-Policy", + "groupNames": [ + "Governance" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPolicy')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "policyDefinitionReferenceId": "Deny-Aks-OsAnDataDisk-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksOsAndDataDiskCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "policyDefinitionReferenceId": "Dine-Aks-Defender", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksDefender')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[[parameters('aksDefenderLogAnalyticsWorkspaceResourceId')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivateCluster')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32", + "policyDefinitionReferenceId": "Deny-Aks-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Aks-Kms", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksKms')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Aks-Cni", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aksCni')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file From 059355c1363ab7a34aa00efa6ed43a30e43f1284 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 13 Feb 2023 11:40:38 +0100 Subject: [PATCH 03/56] added defender options --- .../policyDefinitions/policies.json | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json index 2b363cf7..b92cee7e 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json 
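Review bot: The custom KMS rule only fires when `identity.type` is not `SystemAssigned`, so a cluster with a system-assigned identity and `securityProfile.azureKeyVaultKms.enabled` unset passes `Deny-Aks-Kms` untouched; if that exclusion is deliberate (KMS not being available for that identity type), say so in the policy `description`, otherwise drop the `identity.type` condition. The same definition is named `Deny-Aks-CSI` while the initiative reference and parameter call it `Deny-Aks-Kms`/`aksKms`, so the deployed policy definition carries a misleading name; `"name": "Deny-Aks-Kms"` keeps the `policyDefinitions[0]` lookup intact. Minor: `Dine-Aks-Command-Invoke` is grouped under `Encryption`, `aksDefenderLogAnalyticsWorkspaceResourceId` defaults to an empty string that every assignment will have to override for remediation to work, and the reference id `Deny-Aks-Windows-Conatiner-Administrator` has a typo.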
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json @@ -4,6 +4,7 @@ "parameters": { "topLevelManagementGroupPrefix": { "type": "String", + "defaultValue": "FSIDemo", "maxLength": 10, "metadata": { "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." @@ -15960,6 +15961,30 @@ "displayName": "Effect", "description": "Enable or disable the execution of the policy" } + }, + "enableAscForCSPM": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enablle or disable the execution of the policy" + }, + "defaultValue": "DeployIfNotExists" + }, + "enableAscForCosmosDb": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enablle or disable the execution of the policy" + }, + "defaultValue": "DeployIfNotExists" + }, + "enableAscForSynapse": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enablle or disable the execution of the policy" + }, + "defaultValue": "DeployIfNotExists" } }, "metadata": { 
@@ -15967,6 +15992,33 @@ "category": "Security Center" }, "PolicyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", + "policyDefinitionReferenceId": "defenderForSynapse", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSynapse')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "policyDefinitionReferenceId": "defenderForCosmosDb", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDb')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "policyDefinitionReferenceId": "defenderForCSPM", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCSPM')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", "policyDefinitionReferenceId": "defenderForOssDb", From 229e143f12c4d5d77b0c747261654c20a522a471 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 13 Feb 2023 12:27:11 +0100 Subject: [PATCH 04/56] adding mySql and other minor updates --- .../Compliant-MySQLPolicySetDefinition.json | 211 ++++++++++++++++++ ...mpliant-ServiceBusPolicySetDefinition.json | 20 +- .../Compliant-StoragePolicySetDefinition.json | 41 ++-- 3 files changed, 246 insertions(+), 26 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json new file mode 100644 index 00000000..6ca7e274 --- /dev/null 
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json 
@@ -0,0 +1,211 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Enforce SSL connection should be enabled for MySQL database servers", + "mode": "Indexed", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "MySQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "exists": "true" + }, + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MySql-SSL-Connection" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": 
"policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-MySQL", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "MySql" + }, + "displayName": "Enforce secure-by-default MySQQL for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures MySQL is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure MySQL is using secure encryption", + "description": "Policy to ensure MySQL is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure MySQL is not accessible over the public internet", + "description": "Policy to ensure MySQL is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for MySQL", + "description": "Policy to ensure MySQL is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure MySQL is logging all events to Log Analytics", + 
"description": "Policy to ensure MySQL is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "mySqlInfraEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "mySqlAdvThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mySqlFlexiblePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "mySqlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "mySqlSsl": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-MySql-Ssl", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('mySqlSsl')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", + "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('mySqlPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "policyDefinitionReferenceId": "Deny-MySql-Flex-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('mySqlFlexiblePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816", + "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('mySqlAdvThreatProtection')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4", + "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('mySqlInfraEncryption')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json index 9339fdd3..723975de 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json @@ -96,7 +96,7 @@ "category": "Service Bus" }, "displayName": "Enforce secure-by-default Service Bus for Financial Services Industry", - "description": "This policy initiative is a group of policies that ensures App Service is compliant per FSI Landing Zones", + "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per FSI Landing Zones", "policyDefinitionGroups": [ { "name": "Encryption", 
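Review bot: The custom `Deny-MySql-SSL-Connection` rule matches only `Microsoft.DBforMySQL/servers` and only when `sslEnforcement` is present (`"exists": "true"`), so flexible servers, which this same set already targets for public network access via `Deny-MySql-Flex-Public-Network-Access`, get no transport-encryption check at all, and a single server deployed without the property is ignored rather than denied; flexible servers enforce TLS through the `require_secure_transport` server parameter, so a second rule is needed to close that gap (TODO confirm against the current resource schema). Unless the `exists` clause is deliberately relying on the service default, dropping it so an omitted `sslEnforcement` also trips `notEquals: Enabled` would be safer, and a `minimalTlsVersion` condition is worth considering since SSL on its own still admits TLS 1.0/1.1 on single server. Minor: the initiative `displayName` says `MySQQL`, the Identity group description says `auhtorization`, and the five set-level parameters carry no `allowedValues` or metadata, unlike the custom definition's `effect`.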
@@ -163,12 +163,28 @@ "profileName": { "type": "string", "defaultValue": "setByPolicy" + }, + "serviceBusAuthzRules": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", + "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusAuthzRules')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", - "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionReferenceId": "Dine-Sb-Diagnostics", "groupNames": [ "Logging" ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json index d2e138a5..82593c3e 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json @@ -244,14 +244,6 @@ "type": "string", "defaultValue": "Deny" }, - "storageAccountsPrivateEndpoint": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageAccountsPrivateEndpointSubnetId": { - "type": "string", - "defaultValue": "" - }, "storageAccountsModifyDisablePublicNetworkAccess": { "type": "string", "defaultValue": "Modify" 
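Review bot: Renaming the existing reference from `ServiceBusDeployDiagnosticLogDeployLogAnalytics` to `Dine-Sb-Diagnostics` changes the `policyDefinitionReferenceId` of an already-published initiative; exemptions and remediation tasks are keyed on that id, so anything created against the old name stops matching and the compliance history for that entry restarts, which deserves a line in the commit message or a bump of the set's `metadata.version`. The new `Deny-Sb-Authz-Rules` entry is filed under `Identity`, but the built-in it references, if I recall its display name correctly, only removes authorization rules other than `RootManageSharedAccessKey`, so SAS-key access to the namespace remains possible; if the intent is to force Azure AD authentication, the built-in that disables local authentication on Service Bus namespaces is the one to add alongside it. The set's `parameters` object starts before the hunk.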
@@ -279,9 +271,25 @@ "storageAccountsTls": { "type": "string", "defaultValue": "Deny" + }, + "storageAccountsEncryptionCmk": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsEncryptionCmk')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", "policyDefinitionReferenceId": "Deny-Storage-Tls", @@ -366,22 +374,7 @@ "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" } } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f766f00-8d11-464e-80e1-4091d7874074", - "policyDefinitionReferenceId": "Dine-Storage-Account-PrivateEndpoint", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageAccountsPrivateEndpoint')]" - }, - "privateEndpointSubnetId": { - "value": "[[parameters('storageAccountsPrivateEndpointSubnetId')]" - } - } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", From 8c4073ea17db6ea8e515923f0e4b7e19835d37ef Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 13 Feb 2023 12:48:39 +0100 Subject: [PATCH 05/56] update --- .../Compliant-ComputePolicySetDefinition.json | 16 ++ ...mpliant-PostgreSQLPolicySetDefinition.json | 196 ++++++++++++++++++ 2 files changed, 212 insertions(+) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json 
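Review bot: `Deny-Storage-Encryption-Cmk` defaults to `Deny`, which refuses every storage account that is not switched to a customer-managed key at creation time; that means the Key Vault, key and identity must already exist and be wired into each deployment before any storage account in scope (for example the ones created for diagnostics or boot logs) can be created, and nothing in the hunk records that ordering. I would state it on the parameter, e.g. `"metadata": { "description": "Deny storage accounts without a customer-managed key. Requires the CMK vault and identity to be provisioned first; use Audit during bootstrap." }`, and consider `Audit` as the bootstrap default. The set's `parameters` object starts before the hunk.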
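Review bot: With `Dine-Storage-Account-PrivateEndpoint` removed, the only network control still visible in this set is the `Modify` that disables public network access (`storageAccountsModifyDisablePublicNetworkAccess`), so a storage account that was not deployed with its own private endpoint presumably becomes unreachable from both the internet and the VNet after remediation. If that is intended because private endpoints are provisioned by the landing-zone pipeline rather than by policy, a sentence in the set description or commit message would stop the next reader from re-adding the DINE. The `+ },` at the end of the deletion is a whitespace-only change to an otherwise unchanged line. The `policyDefinitions` array continues outside the hunk.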
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json index d8446001..e8f5414c 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json @@ -145,9 +145,25 @@ "osAndDataDiskCmk": { "type": "string", "defaultValue": "Deny" + }, + "vmAndVmssEncryptionHost": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", + "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('vmAndVmssEncryptionHost')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json new file mode 100644 index 00000000..94f05727 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json 
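Review bot: `Deny-VmAndVmss-Encryption-Host` defaults to `Deny`, and encryption at host can only be enabled on VM sizes that support it and in subscriptions where the feature (`EncryptionAtHost` under `Microsoft.Compute`, if I recall the name correctly) has been registered; without that prerequisite every VM and scale-set deployment in scope is refused with a policy error that says nothing about the feature flag. The parameter should carry that caveat, e.g. `"metadata": { "description": "Deny VMs/VMSS without encryption at host. Requires the EncryptionAtHost feature registered in each subscription and a supporting VM size." }`, and a staged rollout would start with `Audit`. The set's `parameters` object starts before the hunk.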
@@ -0,0 +1,196 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "mode": "Indexed", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "PostgreSQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "exists": "true" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-PostgreSql-SSL-Connection" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", 
+ "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-PostgreSQL", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "displayName": "Enforce secure-by-default MySQQL for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure PostgreSQL is using secure encryption", + "description": "Policy to ensure PostgreSQL is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure PostgreSQL is not accessible over the public internet", + "description": "Policy to ensure PostgreSQL is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for PostgreSQL", + "description": "Policy to ensure PostgreSQL is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + 
"displayName": "Ensure PostgreSQL is logging all events to Log Analytics", + "description": "Policy to ensure PostgreSQL is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "postgreSqlFlexiblePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "postgreSqlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "postgreSqlSsl": { + "type": "string", + "defaultValue": "Deny" + }, + "postgreSqlAdvThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3", + "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection", + "groupNames": [ + "Logging", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlAdvThreatProtection')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-PostgreSql-Ssl", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlSsl')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "policyDefinitionReferenceId": "Deny-PostgreSql-Flexible-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlFlexiblePublicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at 
end of file From 3b22840e0620c5f827e1e0be50bad420c890c82d Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 13 Feb 2023 13:26:42 +0100 Subject: [PATCH 06/56] backup completeness --- .../Compliant-BackupPolicySetDefinition.json | 306 +++++++++++++----- 1 file changed, 232 insertions(+), 74 deletions(-) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json index 7a56c53a..bbdad957 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json 
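Review bot: The initiative's `displayName` reads `Enforce secure-by-default MySQQL for Financial Services Industry` although this file defines the PostgreSQL set, so the portal would show two initiatives under the same misspelled MySQL title; it should be `Enforce secure-by-default PostgreSQL for Financial Services Industry`. The group assignments also disagree with the sibling MySQL set: `Deny-PostgreSql-Ssl` is filed under `Network` where MySQL files the same rule under `Encryption`, and `Dine-PostgreSql-Adv-Threat-Protection` sits in both `Logging` and `Encryption` although threat protection encrypts nothing, so `Encryption` and `Logging` respectively would keep per-group compliance views meaningful. As in the MySQL file, the custom SSL check covers only `Microsoft.DBforPostgreSQL/servers`, so flexible servers, which the set otherwise targets via `Deny-PostgreSql-Flexible-Public-Network-Access`, receive no transport-encryption check.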
@@ -14,80 +14,153 @@ "policyDefinitions": [ { "properties": { - "displayName": "[Preview]: Immutability must be enabled for backup vaults", - "policyType": "BuiltIn", - "mode": "Indexed", - "description": "This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.", - "metadata": { - "version": "1.0.0-preview", - "preview": true, - "category": "Backup" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy." - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - }, - "checkLockedImmutabiltyOnly": { - "type": "Boolean", - "metadata": { - "displayName": "CheckLockedImmutabiltyOnly", - "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant." 
- }, - "allowedValues": [ - true, - false - ], - "defaultValue": true - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.DataProtection/backupvaults" - }, - { - "anyOf": [ - { - "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", - "notIn": [ - "Locked", - "UnLocked" - ] - }, - { - "allOf": [ - { - "value": "[[parameters('checkLockedImmutabiltyOnly')]", - "equals": true - }, - { - "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", - "notEquals": "Locked" - } - ] - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-Backup-Immutability" + "displayName": "Immutability must be enabled for backup vaults", + "mode": "Indexed", + "description": "This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.", + "metadata": { + "version": "1.0.0", + "category": "Backup" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "checkLockedImmutabiltyOnly": { + "type": "Boolean", + "metadata": { + "displayName": "CheckLockedImmutabiltyOnly", + "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DataProtection/backupvaults" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", + "notIn": [ + "Locked", + "UnLocked" + ] + }, + { + "allOf": [ + { + "value": "[[parameters('checkLockedImmutabiltyOnly')]", + "equals": true + }, + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.immutabilitySettings.State", + "notEquals": "Locked" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Backup-Immutability" + }, + { + "properties": { + "displayName": "Soft delete should be enabled for Backup Vaults", + "mode": "Indexed", + "description": "This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete", + "metadata": { + "version": "1.0.0", + "category": "Backup" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "checkAlwaysOnSoftDeleteOnly": { + "type": "Boolean", + "metadata": { + "displayName": "CheckAlwaysOnSoftDeleteOnly", + "description": "This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DataProtection/backupvaults" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.softDeleteSettings.state", + "notIn": [ + "On", + "AlwaysOn" + ] + }, + { + "allOf": [ + { + "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]", + "equals": true + }, + { + "field": "Microsoft.DataProtection/backupVaults/securitySettings.softDeleteSettings.state", + "notEquals": "AlwaysOn" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Backup-Soft-Delete" } ] } 
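Review bot: Replacing the built-in preview immutability definition with a verbatim custom copy (the removed lines carry `policyType: BuiltIn` and `preview: true`, the added ones drop both and set `version` to `1.0.0`) means this copy will not follow fixes Microsoft ships to the built-in, and the version string now claims GA status for logic upstream still marks preview; recording in the commit message why the fork is needed (presumably so the set can reference it under `variables('scope')`) would tell the next maintainer when to switch back. Both `checkLockedImmutabiltyOnly` and `checkAlwaysOnSoftDeleteOnly` default to `true`, and `Locked` immutability and `AlwaysOn` soft delete cannot be reverted on a Backup vault, so with the set-level `Deny` defaults of the following hunk a vault created in the ordinary Unlocked/On state is rejected outright; that consequence belongs in the two parameter descriptions, e.g. `Note: 'Locked' cannot be reverted; combined with Deny this rejects vaults that are not locked at creation.`. The `policyDefinitions` array continues past the hunk.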
@@ -159,9 +232,94 @@ "backupCmk": { "type": "string", "defaultValue": "Deny" + }, + "vmBackup": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "backupSoftDelete": { + "type": "string", + "defaultValue": "Deny" + }, + "asrPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "asrPrivateDns": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "asrPrivateDnsZone-Backup": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Blob": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Queue": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", + "policyDefinitionReferenceId": "Dine-Asr-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('asrPrivateDns')]" + }, + "privateDnsZone-Backup": { + "value": "[[parameters('asrPrivateDnsZone-Backup')]" + }, + "privateDnsZone-Blob": { + "value": "[[parameters('asrPrivateDnsZone-Blob')]" + }, + "privateDnsZone-Queue": { + "value": "[[parameters('asrPrivateDnsZone-Queue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", + "policyDefinitionReferenceId": "Deny-Asr-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('asrPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Backup-Soft-Delete", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('backupSoftDelete')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/83644c87-93dd-49fe-bf9f-6aff8fd0834e", + "policyDefinitionReferenceId": "Dine-Vm-Backup", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('vmBackup')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", "policyDefinitionReferenceId": "Deny-Backup-Cmk", From 0c8560ac3acb2d686dc504496f905980ccc1c859 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Wed, 15 Feb 2023 11:08:46 +0100 Subject: [PATCH 07/56] update + event grid --- ...pliant-AppServicesPolicySetDefinition.json | 376 +++++++++++++++++- ...mpliant-AutomationPolicySetDefinition.json | 18 +- .../Compliant-BackupPolicySetDefinition.json | 17 +- ...ompliant-EventGridPolicySetDefinition.json | 284 +++++++++++++ .../Compliant-MySQLPolicySetDefinition.json | 2 +- ...mpliant-PostgreSQLPolicySetDefinition.json | 2 +- 6 files changed, 674 insertions(+), 25 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json index 9f785124..adec7c43 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json 
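Review bot: `Dine-Asr-Private-Dns-Zone` defaults to `DeployIfNotExists` while its three zone parameters (`asrPrivateDnsZone-Backup`, `-Blob`, `-Queue`) default to `""`, so an assignment that accepts the defaults will launch remediation deployments with empty private DNS zone resource IDs and fail on every vault; either default the effect to `Disabled` until zone IDs are supplied, or drop the empty defaults so the assignment is forced to provide them (the Storage set in this series chose to remove its private-endpoint DINE rather than ship it with empty defaults). `Dine-Vm-Backup` passes only `effect` to a built-in that configures backup into an existing vault, so if that definition requires vault location, backup policy id or tag parameters without defaults, creating the set definition will fail — TODO confirm against the built-in. `Deny-Backup-Soft-Delete` and `Dine-Vm-Backup` are filed under `Encryption` although neither concerns encryption; a `Backup` or `Data Protection` group would keep group-level compliance reporting honest. The `policyDefinitions` array continues past the hunk.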
@@ -1,16 +1,98 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "API App should only be accessible over HTTPS", + "policyType": "Custom", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "mode": "Indexed", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "*api" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-ApiApp-Https" + } + ] + } + }, "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": 
"[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, { "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", - "name": "Compliant-App-Services", + "name": "Compliant-App-Service", + "dependsOn": [ + "policyDefinitionCopy" + ], "properties": { "metadata": { - "version": "1.0.0", - "category": "App Service" + "version": "1.0.0", + "category": "App Service" }, "displayName": "Enforce secure-by-default App Service for Financial Services Industry", "description": "This policy initiative is a group of policies that ensures App Service is compliant per FSI Landing Zones", @@ -32,6 +114,12 @@ "category": "Identity Management", "displayName": "Ensure usage of centralized identity and auhtorization system for App Service", "description": "Policy to ensure App Service is not using local authorization" + }, + { + "name": "Posture", + "category": "Posture and Vulnerability Management", + "displayName": "", + "description": "" } ], "parameters": { @@ -67,6 +155,10 @@ "type": "string", "defaultValue": "Deny" }, + "appServiceAppsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, "appServiceSkuPl": { "type": "string", "defaultValue": "Deny" 
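Review bot: Renaming the policy set from `"Compliant-App-Services"` to `"Compliant-App-Service"` deploys a new policySetDefinition and leaves the old one, together with any assignments pointing at it, in place at the management group; nothing in the commit removes or mentions the old resource. If the old name was ever deployed, add a cleanup step or note in the description that the previous definition must be deleted manually. The new custom definition `Deny-ApiApp-Https` also only fires when `Microsoft.Web/sites/httpsOnly` is explicitly `"false"`; I believe a request that omits the property is not matched by `equals`, so if the intent is to deny unless HTTPS-only is enabled, `"notEquals": "true"` may be the safer condition — worth confirming against the built-in it mirrors.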
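Review bot: The new `"Posture"` policy definition group has an empty `displayName` and `description`, and it is the group that `Deny-AppService-Latest-Version` is placed in later in this file, so the compliance view will show a blank group heading. Fill both in the same style as the other groups, for example `"displayName": "Ensure App Service runs supported, patched versions"` and `"description": "Policy to ensure App Service environments are kept at the latest version"`.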
@@ -98,9 +190,255 @@ "functionAppPublicNetworkAccess": { "type": "string", "defaultValue": "Deny" + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceRfc": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppsVnetRouting": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceEnvLatestVersion": { + "type": "string", + "defaultValue": "Deny" + }, + "appServiceAppSlotsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "functionAppSlotsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "functionAppSlotsModifyHttps": { + "type": "string", + "defaultValue": "Modify" + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "apiAppHttps": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Api-Apps-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('apiAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + 
"parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('appServiceAppsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", + 
"policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a", + "policyDefinitionReferenceId": "Deny-AppService-Latest-Version", + "groupNames": [ + "Posture" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceEnvLatestVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5", + "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsVnetRouting')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", + 
"policyDefinitionReferenceId": "Deny-AppService-Rfc", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", "policyDefinitionReferenceId": "Deny-FuncApp-Public", @@ -112,7 +450,7 @@ "value": "[[parameters('functionAppPublicNetworkAccess')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", @@ -124,7 +462,7 @@ "value": "[[parameters('functionAppDebugging')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", "policyDefinitionReferenceId": "Deny-AppSlots-Public", @@ -148,7 +486,7 @@ "value": "[[parameters('functionAppHttps')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", @@ -160,7 +498,7 @@ "value": "[[parameters('appServiceScmAuth')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", @@ -172,7 +510,7 @@ "value": "[[parameters('functionAppSlotsHttps')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", "policyDefinitionReferenceId": "Deny-AppServ-Routing", 
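Review bot: `Deny-AppService-Slots-Remote-Debugging` is wired to `appServiceAppSlotsRemoteDebugging`, whose default effect in this hunk is `DeployIfNotExists`; every other reference in the file uses the `Dine-` prefix for that effect, so either the reference id or the default is wrong. Because a `policyDefinitionReferenceId` is what compliance history and exemptions key on, settle this before the initiative is first assigned: `"policyDefinitionReferenceId": "Dine-AppService-Slots-Remote-Debugging"` if remediation is intended, or `"defaultValue": "Deny"` if the name is right. The `Modify-*` and `Dine-*` references added here require the assignment to carry a managed identity with the role the built-in policy requests; that is outside this template, so a sentence in the initiative `description` saying so would help consumers. The `policyDefinitions` array continues past the end of this hunk.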
@@ -184,7 +522,7 @@ "value": "[[parameters('appServiceRouting')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", @@ -208,7 +546,7 @@ "value": "[[parameters('appServiceSkuPl')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", "policyDefinitionReferenceId": "Deny-AppEnv-Public", @@ -220,7 +558,7 @@ "value": "[[parameters('appEnvDisablePublicNetworkAccess')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", @@ -232,7 +570,7 @@ "value": "[[parameters('appServiceDisableLocalAuth')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", "policyDefinitionReferenceId": "DINE-AppService-Debugging", @@ -244,12 +582,13 @@ "value": "[[parameters('functionAppDebugging')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", "groupNames": [ - "Encryption" + "Encryption", + "Network" ], "parameters": { "effect": { @@ -295,16 +634,17 @@ }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", - "policyDefinitionReferenceId": "Deny-FunctionAppTls", + "policyDefinitionReferenceId": "Deny-FunctionApp-Tls", "groupNames": [ - "Encryption" + "Encryption", + "Network" ], "parameters": { "effect": { "value": "[[parameters('functionAppTls')]" } } - } + } ] } } 
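Review bot: Changing `policyDefinitionReferenceId` from `Deny-FunctionAppTls` to `Deny-FunctionApp-Tls` is not a cosmetic edit if the initiative has already been assigned: compliance records and any exemptions scoped to the old reference id stop matching, and the policy shows up as a new entry. If the rename is wanted for consistency, call it out in the commit description as a breaking change for existing assignments; otherwise keep the original id and only add the `"Network"` group name.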
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json
index 4526e458..02f517e1 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json
@@ -172,10 +172,26 @@
 "aaManagedIdentity": {
 "type": "string",
 "defaultValue": "Deny"
+ },
+ "autoHotPatch": {
+ "type": "string",
+ "defaultValue": "Deny"
 }
 },
 "policyDefinitions": [
 {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc",
+ "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('autoHotPatch')]"
+ }
+ }
+ },
+ {
 "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
 "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity",
 "groupNames": [
@@ -187,7 +203,7 @@
 }
 }
 },
- {
+ {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6",
 "policyDefinitionReferenceId": "Deny-Aa-Public-Network-Access",
 "groupNames": [
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
index bbdad957..1cccdc4b 100644
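Review bot: `Deny-Windows-Vm-HotPatch` is placed in the `"Encryption"` group, but hot patching is a VM update/posture control, not a data-protection one, so the compliance view will file it under the wrong heading. The initiative's `policyDefinitionGroups` are outside this hunk; if no posture-style group exists there yet, add one and reference it, e.g. `"groupNames": [ "Posture" ]`. It is also not obvious why a Windows VM policy lives in the Automation initiative rather than the Compute one; if this is intentional (Update Management is an Automation feature), a short note in the group `description` would save the next reader the question.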
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
@@ -222,6 +222,12 @@
 "category": "Logging and Threat Detection",
 "displayName": "Ensure Backup is logging all events to Log Analytics",
 "description": "Policy to ensure Backup is logging all events to Log Analytics workspace"
+ },
+ {
+ "name": "Backup",
+ "category": "Backup and Recovery",
+ "displayName": "Ensure Backup is enabled and stored securely",
+ "description": "Policy to ensure Backup is enabled and stored securely"
 }
 ],
 "parameters": {
@@ -300,7 +306,8 @@
 "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]",
 "policyDefinitionReferenceId": "Deny-Backup-Soft-Delete",
 "groupNames": [
- "Encryption"
+ "Encryption",
+ "Backup"
 ],
 "parameters": {
 "effect": {
@@ -312,7 +319,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83644c87-93dd-49fe-bf9f-6aff8fd0834e",
 "policyDefinitionReferenceId": "Dine-Vm-Backup",
 "groupNames": [
- "Encryption"
+ "Backup"
 ],
 "parameters": {
 "effect": {
@@ -324,7 +331,8 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
 "policyDefinitionReferenceId": "Deny-Backup-Cmk",
 "groupNames": [
- "Encryption"
+ "Encryption",
+ "Backup"
 ],
 "parameters": {
 "effect": {
@@ -336,7 +344,8 @@
 "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
 "policyDefinitionReferenceId": "Deny-Backup-Immutability",
 "groupNames": [
- "Encryption"
+ "Encryption",
+ "Backup"
 ],
 "parameters": {
 "effect": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json
new file mode 100644
index 00000000..f7564d32
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json
@@ -0,0 +1,284 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Event-Grid", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Event Grid" + }, + "displayName": "Enforce secure-by-default Event Grid for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per FSI Landing Zones", + 
"policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Event Grid", + "description": "Policy to ensure data protection for Event Grid" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Event Grid is not accessible over the public internet", + "description": "Policy to ensure Event Grid not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Event Grid", + "description": "Policy to ensure Event Grid is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Event Grid is logging all events to Log Analytics", + "description": "Policy to ensure Event Grid is logging all events to Log Analytics workspace" + }, + { + "name": "Backup", + "category": "Backup and Recovery", + "displayName": "Ensure Backup is enabled and stored securely", + "description": "Policy to ensure Backup is enabled and stored securely" + } + ], + "parameters": { + "eventGridPubclicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridParnerNamespaceLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridParnerNamespaceModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridTopicPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridTopicLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "eventGridTopicModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridDomainModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridDomainPrivateDnsZone": { + "type": "string", + "defaultValue": 
"DeployIfNotExists" + }, + "eventGridDomainPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridTopicPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "eventGridTopicModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172", + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "policyDefinitionReferenceId": "Dine-EventGrid-Topic-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventGridTopicPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "policyDefinitionReferenceId": "Dine-EventGrid-Domain-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventGridDomainPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924", + "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + 
"value": "[[parameters('eventGridParnerNamespaceModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1", + "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c", + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04", + "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e", + "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridParnerNamespaceLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd", + "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + 
"effect": { + "value": "[[parameters('eventGridLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68", + "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPubclicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json index 6ca7e274..bed49933 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MySQLPolicySetDefinition.json @@ -93,7 +93,7 @@ "version": "1.0.0", "category": "MySql" }, - "displayName": "Enforce secure-by-default MySQQL for Financial Services Industry", + "displayName": "Enforce secure-by-default MySQL for Financial Services Industry", "description": "This policy initiative is a group of policies that ensures MySQL is compliant per FSI Landing Zones", "policyDefinitionGroups": [ { diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json index 94f05727..dece9908 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json 
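Review bot: The initiative parameters `eventGridPubclicNetworkAccess`, `eventGridParnerNamespaceLocalAuth` and `eventGridParnerNamespaceModifyLocalAuth` are misspelled, and because parameter names are the initiative's public contract they cannot be corrected later without breaking every assignment that sets them; rename to `eventGridPublicNetworkAccess`, `eventGridPartnerNamespaceLocalAuth` and `eventGridPartnerNamespaceModifyLocalAuth` before first deployment, updating the three `[[parameters('…')]` references that use them. The `variables` block carries a `//` comment, which none of the sibling templates in this commit use and which any tooling that validates these files as strict JSON will reject; move the guidance into a `metadata.description` or drop it. Three of the five `policyDefinitionGroups` (`Encryption`, `Logging`, `Backup`) are referenced by no policy in the file — the `Backup` group text is copied verbatim from the Backup initiative — so either remove them or add the definitions they are meant to hold. `auhtorization` in the `Identity` group displayName is also a typo (the same string appears in the App Service file).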
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json @@ -93,7 +93,7 @@ "version": "1.0.0", "category": "PostgreSQL" }, - "displayName": "Enforce secure-by-default MySQQL for Financial Services Industry", + "displayName": "Enforce secure-by-default PostgreSQL for Financial Services Industry", "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per FSI Landing Zones", "policyDefinitionGroups": [ { From 94334ad35be6d97cbf4533dfd09662f95e4e586e Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Wed, 15 Feb 2023 14:43:41 +0100 Subject: [PATCH 08/56] adding Azure Data Explorer --- ...mpliant-AutomationPolicySetDefinition.json | 98 ++++++------- ...liant-DataExplorerPolicySetDefinition.json | 131 ++++++++++++++++++ 2 files changed, 180 insertions(+), 49 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json index 02f517e1..a356c634 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json 
@@ -14,55 +14,55 @@ "policyDefinitions": [ { "properties": { - "displayName": "Automation Account should have Managed Identity", - "mode": "Indexed", - "description": "Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code .", - "metadata": { - "version": "1.0.0", - "category": "Automation" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Automation/automationAccounts" - }, - { - "anyOf": [ - { - "field": "identity.type", - "exists": "false" - }, - { - "field": "identity.type", - "contains": "None" - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-AA-Managed-Identity" + "displayName": "Automation Account should have Managed Identity", + "mode": "Indexed", + "description": "Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. 
Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code .", + "metadata": { + "version": "1.0.0", + "category": "Automation" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + { + "anyOf": [ + { + "field": "identity.type", + "exists": "false" + }, + { + "field": "identity.type", + "contains": "None" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-AA-Managed-Identity" } ] } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json new file mode 100644 index 00000000..ada791c9 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json 
@@ -0,0 +1,131 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Data-Explorer", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "AZure Data Explorer", + }, + "displayName": "Enforce secure-by-default Data Explorer for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure Data Explorer 
is using secure encryption", + "description": "Policy to ensure Data Explorer is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Data Explorer is not accessible over the public internet", + "description": "Policy to ensure Data Explorer is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Data Explorer", + "description": "Policy to ensure Data Explorer is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Data Explorer is logging all events to Log Analytics", + "description": "Policy to ensure Data Explorer is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "adeCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "adeEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "adeDoubleEncryption": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", + "policyDefinitionReferenceId": "Deny-ADE-Double-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + "policyDefinitionReferenceId": "Deny-ADE-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", + "policyDefinitionReferenceId": "Deny-ADE-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('adeCmk')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file From 9166485da07d8295ad810b6a75f9f3afa86bfc96 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Fri, 17 Feb 2023 10:10:33 +0100 Subject: [PATCH 09/56] minor update --- .../Compliant-DataExplorerPolicySetDefinition.json | 2 +- .../Compliant-EventGridPolicySetDefinition.json | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json index ada791c9..e8540f7d 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json @@ -43,7 +43,7 @@ "properties": { "metadata": { "version": "1.0.0", - "category": "AZure Data Explorer", + "category": "Azure Data Explorer" }, "displayName": "Enforce secure-by-default Data Explorer for Financial Services Industry", "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per FSI Landing Zones", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json index f7564d32..fcdd55f1 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json 
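Review bot: The Network, Identity and Logging entries in `policyDefinitionGroups` have no member in `policyDefinitions` — all three references are grouped under `Encryption` — so the initiative's displayName promises public-network and local-authorization controls for Data Explorer that nothing in it enforces, and compliance reporting will show those groups as trivially satisfied. Either add the corresponding policy references to those groups or drop the empty groups until they are populated. The three effect parameters (`adeCmk`, `adeEncryption`, `adeDoubleEncryption`) also lack `allowedValues`, so a mistyped effect is only rejected at assignment time; `"allowedValues": ["Audit", "Deny", "Disabled"]` on each, matching what the referenced definitions accept, would fail fast. "auhtorization" in the Identity group's displayName is a typo.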
@@ -139,6 +139,18 @@
 }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4",
+ "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridDomainModifyPublicNetworkAccess')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172",
 "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access",
From df05b722a8bca3a1fee86d82df743ab66492941f Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Fri, 17 Feb 2023 11:44:25 +0100 Subject: [PATCH 10/56] adding rbac --- .../Custom-RBACDefinitions.json | 123 ++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json new file mode 100644
index 00000000..ea841ab0
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
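Review bot: The new reference reads `[[parameters('eventGridDomainModifyPublicNetworkAccess')]`, but this commit adds nothing to the initiative's `parameters` block — the diffstat for this file is exactly the 12 lines of this hunk — so unless that parameter was already declared earlier in the file, the policySetDefinitions deployment will fail on an undefined parameter. If it is missing, declare it next to the existing topic parameter with the same type and allowed values. Because the effect is Modify, remediation only happens when the assignment's identity can write Event Grid domains at the target scope; a `metadata.description` on the parameter saying so would help whoever writes the assignment template.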
@@ -0,0 +1,123 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "roles": { + "roleDefinitions": [ + { + "properties": { + "roleName": "LZ Subscription Owner", + "description": "LZ Subscription Owner", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + "Microsoft.Blueprint/blueprintAssignments/write", + "Microsoft.Blueprint/blueprintAssignments/delete", + "Microsoft.Network/vpnGateways/*", + "Microsoft.Network/expressRouteCircuits/*", + "Microsoft.Network/routeTables/write", + "Microsoft.Network/routeTables/join/*", + "Microsoft.Network/routeTables/delete", + "Microsoft.Network/routeTables/routes/write", + "Microsoft.Network/azurefirewalls/write", + "Microsoft.Network/azurefirewalls/delete", + "Microsoft.Network/firewallPolicies/write", + "Microsoft.Network/firewallPolicies/join/action", + "Microsoft.Network/firewallPolicies/delete", + "Microsoft.Network/firewallPolicies/ruleGroups/write", + "Microsoft.Network/firewallPolicies/ruleGroups/delete", + "Microsoft.Network/vpnSites/*", + "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/*", + "Microsoft.Network/networkSecurityGroups/securityRules/delete", + "Microsoft.Network/networkSecurityGroups/delete", + "Microsoft.Network/virtualNetworks/*/write", + "Microsoft.Network/virtualNetworks/*/delete" + ], + "dataActions": [], + "notDataActions": [] + } + ] + } + }, + { + "properties": { + "roleName": "Platform Contributors", + "description": "Custom Role that grants full access to manage all Platform resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + 
"Microsoft.Authorization/*/Delete", + "Microsoft.Authorization/*/Write", + "Microsoft.Authorization/elevateAccess/Action", + "Microsoft.Blueprint/blueprintAssignments/write", + "Microsoft.Blueprint/blueprintAssignments/delete", + "Microsoft.Compute/galleries/share/action" + ], + "dataActions": [], + "notDataActions": [] + } + ] + } + }, + { + "properties": { + "roleName": "NetOps", + "description": "Platform-wide global connectivity management", + "type": "customRole", + "permissions": [ + { + "actions": [ + "*/read", + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/*", + "Microsoft.Network/*", + "Microsoft.ResourceHealth/availabilityStatuses/read", + "Microsoft.Resources/deployments/*", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Support/*" + ], + "notActions": [], + "dataActions": [], + "notDataActions": [] + } + ] + } + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleDefinitions", + "name": "[guid(tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix')), variables('roles').roleDefinitions[copyIndex()].properties.roleName)]", + "apiVersion": "2018-01-01-preview", + "copy": { + "name": "roleDefinitionCopy", + "count": "[length(variables('roles').roleDefinitions)]" + }, + "properties": { + "roleName": "[variables('roles').roleDefinitions[copyIndex()].properties.roleName]", + "description": "[variables('roles').roleDefinitions[copyIndex()].properties.description]", + "type": "[variables('roles').roleDefinitions[copyIndex()].properties.type]", + "permissions": "[variables('roles').roleDefinitions[copyIndex()].properties.permissions]", + "assignableScopes": [ + "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" + ] + } + } + ] +} \ No newline at end of file From 574e1fd532928096fe20780d1b0fc5787632a311 Mon Sep 17 00:00:00 2001 
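Review bot: `LZ Subscription Owner` grants `*` but its `notActions` never excludes `Microsoft.Authorization/*`, so a holder can still write role assignments and grant themselves or a service principal a built-in role that carries every network and Blueprint action this role withholds — `notActions` only narrows this definition; it is not a deny. The sibling `Platform Contributors` role in the same file already excludes these; add the same three entries to the first role's `notActions`: `"Microsoft.Authorization/*/Delete",` `"Microsoft.Authorization/*/Write",` `"Microsoft.Authorization/elevateAccess/Action",`. The role also excludes `Microsoft.Network/virtualNetworks/*/write` and `*/delete` (subnets, peerings) but not `virtualNetworks/write` or `virtualNetworks/delete` itself, which may or may not be intended for a landing-zone owner and deserves a sentence in `description`. The `roleDefinitions` resource uses the `2018-01-01-preview` api version while the GA `2022-04-01` is available.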
From: Kristian Nese Date: Fri, 17 Feb 2023 11:45:44 +0100 Subject: [PATCH 11/56] formatting --- .../roleDefinitions/Custom-RBACDefinitions.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
index ea841ab0..063183a7 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
@@ -20,10 +20,10 @@
 "actions": [
 "*"
 ],
- "notActions": [
+ "notActions": [
 "Microsoft.Blueprint/blueprintAssignments/write",
 "Microsoft.Blueprint/blueprintAssignments/delete",
- "Microsoft.Network/vpnGateways/*",
+ "Microsoft.Network/vpnGateways/*",
 "Microsoft.Network/expressRouteCircuits/*",
 "Microsoft.Network/routeTables/write",
 "Microsoft.Network/routeTables/join/*",
From 79379e348dd6830343433f4c6f669c49718fc22c Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Fri, 17 Feb 2023 12:16:58 +0100 Subject: [PATCH 12/56] adding ARM template for compliant services --- .../Compliant-AzureServiceARMtemplate.json | 122 ++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AzureServiceARMtemplate.json
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AzureServiceARMtemplate.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AzureServiceARMtemplate.json new file mode 100644
index 00000000..03cb9b66
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AzureServiceARMtemplate.json 
@@ -0,0 +1,122 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + }, + "category": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + // This is the scope to the intermediate management group you should target the deployment to. + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + /* Provide the property bag for each policy definition in the policyDefinitions array. + { + "properties": {}, + "name": "Policy-Definition-Name" + } + */] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "[concat('Compliant-', parameters('category'))]", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "[parameters('category')]" + }, + 
"displayName": "[concat('Enforce secure-by-default ', parameters('category'), ' for Financial Services Industry')]", + "description": "[concat('This policy initiative is a group of policies that ensures ', parameters('category'), 'is compliant per FSI Landing Zones')]", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "[concat('Ensure ', parameters('category'), ' is using secure encryption')]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is using secure encryption')]" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "[concat('Ensure ', parameters('category'), ' is not accessible over the public internet')]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is not accessible over the public internet')]" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "[concat('Ensure usage of centralized identity and auhtorization system for ', parameters('category'))]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is not using local authorization')]" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "[concat('Ensure ', parameters('category'), ' is logging all events to Log Analytics')]", + "description": "[concat('Policy to ensure ', parameters('category'), ' is logging all events to Log Analytics workspace')]" + } + ], + "parameters": { + "exampleParam": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + /* Example reference to custom policy declared in the variables. 
+ { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-FooBar-Example", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('exampleParam')]" + } + } + },*/ + { + "policyDefinitionId": "", + "policyDefinitionReferenceId": "", + "groupNames": [ + "" + ], + "parameters": { + "effect": { + "value": "[[parameters('')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file From 2c6e64a1737349a36eeaae1c3b15d4c5e4d18a8f Mon Sep 17 00:00:00 2001 
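Review bot: The `description` concat is missing the leading space before `'is compliant per FSI Landing Zones'`, so the rendered text reads "…ensures <category>is compliant…"; change it to `"description": "[concat('This policy initiative is a group of policies that ensures ', parameters('category'), ' is compliant per FSI Landing Zones')]"`. As committed the template is not deployable: the live `policyDefinitions` entry has an empty `policyDefinitionId`, an empty `groupNames` member and `"[[parameters('')]"`, and `category` defaults to `""` so the set would be named `Compliant-`; since this is a scaffold, say so in a header comment (`// Template only: replace the placeholder reference and pass a category before deploying`) or move the placeholder into the existing `/* */` block so the file fails nowhere but on purpose. "auhtorization" in the Identity group displayName is a typo, and the same typo appears in the Data Explorer set.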
From: Kristian Nese Date: Sun, 19 Feb 2023 17:52:30 +0100 Subject: [PATCH 13/56] v2 refresh --- .../Compliant-ApimPolicyAssignment.json | 75 + .../Compliant-AppServicePolicyAssignment.json | 110 + .../Compliant-AutomationPolicyAssignment.json | 97 + .../Compliant-KeyVaultPolicyAssignment.json | 97 + .../DINE-ASCConfigPolicyAssignment.json | 60 +- .../DINE-ActivityLogPolicyAssignment.json | 27 +- .../DINE-DefenderForVms.json | 27 +- .../DINE-LogAnalyticsPolicyAssignment.json | 39 +- .../DINE-NSGFlowLogsPolicyAssignment.json | 34 +- ...E-ResourceDiagnosticsPolicyAssignment.json | 27 +- ...iant-APIManagementPolicySetDefinition.json | 30 + ...pliant-AppServicesPolicySetDefinition.json | 497 ++ ...mpliant-AutomationPolicySetDefinition.json | 30 + .../roleAssignments/roleAssignment.json | 2 +- .../subscriptionTemplates/policyIdentity.json | 97 + .../referenceImplementations/fsiPortalV2.json | 2498 ++++++++++ .../industryArmV2.json | 4124 +++++++++++++++++ 17 files changed, 7742 insertions(+), 129 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/subscriptionTemplates/policyIdentity.json create mode 100644 foundations/azure/referenceImplementations/fsiPortalV2.json create mode 100644 foundations/azure/referenceImplementations/industryArmV2.json 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json new file mode 100644 index 00000000..4dc42777 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json 
@@ -0,0 +1,75 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "apimDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "apimLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantApim": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-API-Management')]" + }, + "policyAssignmentNames": { + "apim": "Compliant-Apim", + "description": "This policy initiative is a group of policies that ensures API Management is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default API Management for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').apim]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantApim]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + 
"apimDiagnostics": { + "value": "[parameters('apimDiagnostics')]" + }, + "apimLogAnalyticsWorkspaceId": { + "value": "[parameters('apimLogAnalyticsWorkspaceId')]" + } + } + } + } + + ], + "outputs": {} +} diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json new file mode 100644 index 00000000..2eae91e3 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json 
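Review bot: `userAssignedIdentityResourceId` has no `metadata.description` and no statement of what the identity must be allowed to do, although every DeployIfNotExists remediation in this assignment runs as that identity; add `"metadata": { "description": "Resource ID of the user-assigned managed identity used for remediation; it must already hold, at the target management group, the roles the Compliant-API-Management initiative requires." }`. `apimLogAnalyticsWorkspaceId` defaults to `""` while `apimDiagnostics` can be set to `DeployIfNotExists`, so the two can be combined into an assignment whose remediation has no valid destination — either drop the empty default or state in the description that it is required whenever diagnostics are enabled. The same two points apply to the App Service, Automation and Key Vault assignment templates in this commit.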
@@ -0,0 +1,110 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "appServiceAppsPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "functionDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "appServiceDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAppService": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-App-Service')]" + }, + "policyAssignmentNames": { + "appService": "Compliant-AppService", + "description": "This policy initiative is a group of policies that ensures App Service is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default App Service for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').appService]", 
+ "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAppService]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "appServiceAppsPrivateDnsZone": { + "value": "[parameters('appServiceAppsPrivateDnsZone')]" + }, + "appServiceAppsPrivateDnsZoneId": { + "value": "[parameters('appServiceAppsPrivateDnsZoneId')]" + }, + "functionDiagnostics": { + "value": "[parameters('functionDiagnostics')]" + }, + "functionLogAnalyticsWorkspaceId": { + "value": "[parameters('functionLogAnalyticsWorkspaceId')]" + }, + "appServiceDiagnostics": { + "value": "[parameters('appServiceDiagnostics')]" + }, + "appServiceLogAnalyticsWorkspaceId": { + "value": "[parameters('appServiceLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json new file mode 100644 index 00000000..a6a89189 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json 
@@ -0,0 +1,97 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "aaLogAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "description": "Provide the Log Analytics Workspace ID for Key Vault" + } + }, + "aaPrivateDnsZoneId": { + "type": "string", + "metadata": { + "description": "Provide the Private DNS Zone ID for Key Vault" + } + }, + "aaDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aaPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAa": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Automation-Account')]" + }, + "policyAssignmentNames": { + "aa": "Compliant-Automation", + "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Automation Account for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').aa]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + 
"[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAa]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "aaLogAnalyticsWorkspaceId": { + "value": "[parameters('aaLogAnalyticsWorkspaceId')]" + }, + "aaPrivateDnsZoneId": { + "value": "[parameters('aaPrivateDnsZoneId')]" + }, + "aaPrivateDnsZone": { + "value": "[parameters('aaPrivateDnsZone')]" + }, + "aaDiagnostics": { + "value": "[parameters('aaDiagnostics')]" + } + } + } + } + + ], + "outputs": {} +} diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json new file mode 100644 index 00000000..0958d8ba --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json 
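Review bot: The `metadata.description` of `aaLogAnalyticsWorkspaceId` and `aaPrivateDnsZoneId` say "for Key Vault", copied from the Key Vault assignment; change them to `"description": "Provide the Log Analytics Workspace ID for Automation Account"` and `"description": "Provide the Private DNS Zone ID for Automation Account"`. Both parameters are mandatory (no `defaultValue`) even when `aaDiagnostics` and `aaPrivateDnsZone` are left at `Disabled`, which is stricter than the API Management template's optional workspace ID in the same commit; pick one convention across the four assignment templates and state it in the descriptions.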
@@ -0,0 +1,97 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "keyVaultLogAnalyticsWorkspaceId": { + "type": "string", + "metadata": { + "description": "Provide the Log Analytics Workspace ID for Key Vault" + } + }, + "keyVaultPrivateDnsZoneId": { + "type": "string", + "metadata": { + "description": "Provide the Private DNS Zone ID for Key Vault" + } + }, + "keyVaultDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "keyVaultPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantKeyVault": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Key-Vault')]" + }, + "policyAssignmentNames": { + "keyVault": "Compliant-Key-Vault", + "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Key Vault for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').keyVault]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + 
"[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compliantKeyVault]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "keyVaultLogAnalyticsWorkspaceId": {
+ "value": "[parameters('keyVaultLogAnalyticsWorkspaceId')]"
+ },
+ "keyVaultPrivateDnsZoneId": {
+ "value": "[parameters('keyVaultPrivateDnsZoneId')]"
+ },
+ "keyVaultPrivateDnsZone": {
+ "value": "[parameters('keyVaultPrivateDnsZone')]"
+ },
+ "keyVaultDiagnostics": {
+ "value": "[parameters('keyVaultDiagnostics')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json
index 5ca8a3aa..fdf65084 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json
@@ -60,6 +60,30 @@
 ],
 "defaultValue": "Disabled"
 },
+ "enableAscForCSPM": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForCosmosDb": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForSynapse": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
 "enableAscForKeyVault": {
 "type": "string",
 "allowedValues": [
@@ -107,6 +131,9 @@ "DeployIfNotExists" ], "defaultValue": "Disabled" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { @@ -117,20 +144,19 @@ "azureSecurity": "Deploy-ASCDF-Config", "description": "Deploy Microsoft Defender for Cloud and Security Contacts", "displayName": "Deploy Microsoft Defender for Cloud configuration" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployAzureSecurity": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurity))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').azureSecurity]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", @@ -159,6 +185,15 @@ "enableAscForAppServices": { "value": "[parameters('enableAscForAppServices')]" }, + "enableAscForCosmosDb": { + "value": "[parameters('enableAscForCosmosDb')]" + }, + "enableAscForSynapse": { + "value": "[parameters('enableAscForSynapse')]" + }, + "enableAscForCSPM": { + "value": "[parameters('enableAscForCSPM')]" + }, "enableAscForStorage": { "value": "[parameters('enableAscForStorage')]" }, 
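Review bot: The `identity` block now points at `parameters('userAssignedIdentityResourceId')` and the same hunk drops the `rbacOwner` / `roleAssignmentNames` variables, so this template no longer grants the assignment identity any role; every DeployIfNotExists policy behind `Deploy-ASCDF-Config` now depends on that user-assigned identity having been granted the roles its `roleDefinitionIds` require before the assignment exists. Moving away from a per-assignment grant of the `rbacOwner` role to a system-assigned identity is sound, but one shared identity now acts as the principal for every remediation in the management group, so it should receive the least-privilege union of those role definitions rather than Owner, and the `userAssignedIdentityResourceId` parameter added in the first hunk with only `"type": "string"` should carry a `metadata.description` stating that prerequisite. The same change, with the same missing description, recurs in DINE-ActivityLogPolicyAssignment.json, DINE-DefenderForVms.json, DINE-LogAnalyticsPolicyAssignment.json, DINE-NSGFlowLogsPolicyAssignment.json and DINE-ResourceDiagnosticsPolicyAssignment.json below. With the `roleAssignments` resource removed in the following hunk of each file, the `dependsOn` ordering between grant and assignment disappears too, so remediation tasks started before the external grant has propagated will fail until it does.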
@@ -182,19 +217,6 @@ } } } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployAzureSecurity]", - "dependsOn": [ - "[variables('policyAssignmentNames').azureSecurity]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json index 1c901070..a4d2dc74 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json @@ -21,6 +21,9 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { 
@@ -31,20 +34,19 @@ "azureActivityLog": "Deploy-AzActivity-Log", "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events", "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployAzureActivityLog": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').azureActivityLog))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').azureActivityLog]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", @@ -60,19 +62,6 @@ } } } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployAzureActivityLog]", - "dependsOn": [ - "[variables('policyAssignmentNames').azureActivityLog]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], "outputs": {} diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json index e5d81bd0..7b291c3b 100644 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json @@ -16,6 +16,9 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { @@ -26,20 +29,19 @@ "defenderEndpoint": "Deploy-Defender", "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.", "displayName": "Deploy Microsoft Defender for Endpoint agent" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployDefenderEndpoint": "[guid(concat(parameters('topLevelManagementGroupPrefix'), '-def', variables('policyAssignmentNames').defenderEndpoint))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').defenderEndpoint]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", 
@@ -48,19 +50,6 @@ "enforcementMode": "[parameters('enforcementMode')]", "parameters": {} } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployDefenderEndpoint]", - "dependsOn": [ - "[variables('policyAssignmentNames').defenderEndpoint]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').defenderEndpoint), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], "outputs": {} diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json index cccfafd1..24bfaedb 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json @@ -2,12 +2,6 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." - } - }, "enforcementMode": { "type": "string", "allowedValues": [ @@ -32,7 +26,8 @@ "type": "string", "metadata": { "description": "Provide the name for the Automation Account" - } + }, + "defaultValue": "" }, "workspaceRegion": { "type": "string", 
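Review bot: The `@@ -2,12 +2,6 @@` hunk deletes the `topLevelManagementGroupPrefix` parameter outright; ARM rejects a deployment that supplies a parameter the template does not declare, so any orchestration or parameter file that still passes it will fail validation rather than silently ignore it — worth checking callers before this lands, or keeping the parameter with an unused `defaultValue` for a transition. In the `@@ -32,7 +26,8 @@` hunk here and the `@@ -44,13 +39,17 @@` hunk that follows, the parameters described as "Provide the name for the Automation Account" and "Select the region for the Automation Account" gain `"defaultValue": ""` while their descriptions still read as mandatory inputs; if the initiative behind `Deploy-Log-Analytics` forwards an empty value, the remediation presumably fails at deployment time with a less obvious error than a missing-parameter check would give, so the descriptions should state what an empty value means. Whether the consuming policy tolerates an empty name is not visible from this diff.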
@@ -44,13 +39,17 @@ "type": "string", "metadata": { "description": "Select the region for the Automation Account" - } + }, + "defaultValue": "" }, "rgName": { "type": "string", "metadata": { "description": "Provide a name for the Resource Group to host Log Analytics and Azure Automation" } + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { @@ -61,20 +60,19 @@ "logAnalytics": "Deploy-Log-Analytics", "description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking.", "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring" - }, - "rbac": "b24988ac-6180-42a0-ab88-20f7382dd24c", - "roleAssignmentNames": { - "deployLogAnalytics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').logAnalytics))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').loganalytics]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", 
@@ -102,19 +100,6 @@ } } } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployLogAnalytics]", - "dependsOn": [ - "[variables('policyAssignmentNames').loganalytics]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').loganalytics), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], "outputs": {} diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json index 2bcd30c9..dc0f8b79 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json @@ -38,6 +38,9 @@ "networkWatcherRg": { "type": "string", "defaultValue": "NetworkWatcherRg" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { 
@@ -48,20 +51,19 @@ "deployNsgFlowLogs": "Dine-Nsg-FlowLogs", "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period for a single Azure region. To use across additional regions, assign the policy per region.", "displayName": "Enforce NSG Flows are enabled to Storage and Log Analytics workspace" - }, - "roleDefinition": "b24988ac-6180-42a0-ab88-20f7382dd24c", - "roleAssignmentNames": { - "deployNsgFlowLogs": "[guid(concat(parameters('toplevelManagementGroupPrefix'), deployment().name, variables('policyAssignmentNames').deployNsgFlowLogs))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').deployNsgFlowLogs]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", 
@@ -92,25 +94,7 @@ } } } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployNsgFlowLogs]", - "dependsOn": [ - "[variables('policyAssignmentNames').deployNsgFlowLogs]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('roleDefinition'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployNsgFlowLogs), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], - "outputs": { - "principalId": { - "type": "string", - "value": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployNsgFlowLogs), '2019-09-01', 'Full').identity.principalId]" - } - } + "outputs": {} } \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json index f0e63923..b59a4a4e 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json @@ -21,6 +21,9 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "userAssignedIdentityResourceId": { + "type": "string" } }, "variables": { 
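Review bot: Besides the `roleAssignments` resource, this hunk removes the `outputs.principalId` value and replaces the block with `"outputs": {}`; the other assignment hunks in this commit show `"outputs": {}` as context, so NSG flow logs was the one template that exposed the identity's principal id, and any parent deployment that read it will now fail at runtime. Either update that consumer in the same change or keep the output and derive it from the user-assigned identity the template now references. The file also ends with `\ No newline at end of file`, which the sibling assignment templates do not; adding the trailing newline keeps future diffs on the closing brace clean.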
@@ -31,20 +34,19 @@ "resourceDiagnostics": "Deploy-Resource-Diag", "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included", "displayName": "Deploy Diagnostic Settings to Azure Services" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployResourceRiagnostics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').resourceDiagnostics))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').resourceDiagnostics]", "location": "[deployment().location]", "identity": { - "type": "SystemAssigned" + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } }, "properties": { "description": "[variables('policyAssignmentNames').description]", @@ -57,19 +59,6 @@ } } } - }, - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployResourceRiagnostics]", - "dependsOn": [ - "[variables('policyAssignmentNames').resourceDiagnostics]" - ], - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", - "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2019-09-01', 'Full' ).identity.principalId)]" - } } ], "outputs": {} 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
index 8310a108..26f667fa 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json
@@ -187,9 +187,39 @@
 "apimSecrets": {
 "type": "string",
 "defaultValue": "Deny"
+ },
+ "apimDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "apimLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "apimLogsCategory": {
+ "type": "string",
+ "defaultValue": "allLogs"
 }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/567c93f7-3661-494f-a30f-0a94d9bfebf8",
+ "policyDefinitionReferenceId": "Dine-Apim-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('apimLogAnalyticsWorkspaceId')]"
+ },
+ "categoryGroup": {
+ "value": "[[parameters('apimLogsCategory')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249",
 "policyDefinitionReferenceId": "Deny-Apim-without-Kv",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
index adec7c43..1b833412 100644
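Review bot: `apimDiagnostics` defaults to `DeployIfNotExists` while `apimLogAnalyticsWorkspaceId`, which the same hunk wires into the built-in policy's `logAnalytics` parameter, defaults to `""`; with stock parameters the initiative therefore tries to remediate every API Management instance toward an empty workspace id, and those remediation deployments are likely to fail rather than be skipped. Either default the effect to `Disabled` (`"defaultValue": "Disabled"`) so that enabling diagnostics is an explicit step that also supplies the workspace, or keep the current default and add `allowedValues` on the effect plus a `metadata.description` on the workspace parameter stating that it is required whenever the effect is `DeployIfNotExists`. The same pairing of a DINE default with an empty workspace id recurs in Compliant-AutomationPolicySetDefinition.json (`aaDiagnostics` / `aaLogAnalyticsWorkspaceId`) and in Compliant-AppServicesPolicySetDefinition.json (`functionDiagnostics` / `functionLogAnalyticsWorkspaceId`, `appServiceDiagnostics` / `appServiceLogAnalyticsWorkspaceId`) further down.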
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json 
@@ -59,6 +59,451 @@ } }, "name": "Deny-ApiApp-Https" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "App Service" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { 
+ "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[[field('kind')]", + "contains": "functionapp" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FunctionAppLogs", + "enabled": "[[parameters('logsEnabled')]" 
+ } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-FunctionApp-Diagnostics" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service Web App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "App Service Web App" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[[field('kind')]", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + }, + "serverFarmId": { + "type": "String" + } + }, + "variables": { + "logs": { + "premiumTierLogs": [ + { + "category": "AppServiceAntivirusScanAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceFileAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ], + "otherTierLogs": [ + { + "category": "AppServiceHTTPLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + 
"category": "AppServicePlatformLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": "[[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]" + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + }, + "serverFarmId": { + "value": "[[field('Microsoft.Web/sites/serverFarmId')]" + } + } + } + } + } + } + } + }, + "name": "Dine-AppService-Diagnostics" } ] } 
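Review bot: In `Deploy-FunctionApp-Diagnostics` the `existenceCondition` compares `logs.enabled` and `metrics.enabled` against the literal `"true"`, whereas `Dine-AppService-Diagnostics` later in the hunk compares them against `[[parameters('logsEnabled')]` and `[[parameters('metricsEnabled')]`; if an assignment sets either function-app parameter to `False`, the setting the policy itself deploys never satisfies the condition, so the resource stays non-compliant and is re-remediated on every evaluation. Use the parameters in both places: `"equals": "[[parameters('logsEnabled')]"` and `"equals": "[[parameters('metricsEnabled')]"`. Two smaller consistency points: the new definitions are named `Deploy-FunctionApp-Diagnostics` and `Dine-AppService-Diagnostics` (mixed prefixes) and their `metadata.category` values are `"App Service"` and `"App Service Web App"`, so picking one prefix and one category keeps the initiative uniform. The web-app definition's nested template calls `reference(parameters('serverFarmId'), '2021-03-01', 'Full')` to choose a log set by plan tier, which means the remediation identity needs read access to the App Service plan; that holds when the plan sits inside the assignment scope, but a plan in another subscription would need an extra grant and the `logAnalytics` description mentions only the workspace case. The enclosing `policyDefinitions` array begins before this hunk.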
@@ -115,6 +560,12 @@
 "displayName": "Ensure usage of centralized identity and auhtorization system for App Service",
 "description": "Policy to ensure App Service is not using local authorization"
 },
+ {
+ "name": "Logging",
+ "category": "Logging and Threat Detection",
+ "displayName": "Ensure App Service is logging all events to Log Analytics",
+ "description": "Policy to ensure App Service is logging all events to Log Analytics workspace"
+ },
 {
 "name": "Posture",
 "category": "Posture and Vulnerability Management",
@@ -250,9 +701,55 @@ "apiAppHttps": { "type": "string", "defaultValue": "Deny" + }, + "functionDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "functionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "appServiceDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]", + "policyDefinitionReferenceId": "Dine-AppService-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('appServiceLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Dine-Function-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('functionLogAnalyticsWorkspaceId')]" + } + } + }, { "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", "policyDefinitionReferenceId": "Deny-Api-Apps-Https", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json index a356c634..5d1c41d0 100644 
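Review bot: The two new `policyDefinitionId` values reach into `variables('policies').policyDefinitions` by position (`[2]` for `Dine-AppService-Diagnostics`, `[1]` for `Dine-Function-Diagnostics`), so the mapping is correct only because of the insertion order used in the definitions hunk earlier in this file, and anyone who later adds a definition ahead of them rewires both references without any error. The existing `[0]` reference follows the same convention, so the cheapest safeguard is to append new definitions only at the end of the array and keep each `policyDefinitionReferenceId` equal to the definition's `name` so that a drift is visible at a glance — here the function-app entry is referenced as `Dine-Function-Diagnostics` while the definition is named `Deploy-FunctionApp-Diagnostics`. The `policyDefinitions` array this hunk extends starts before the hunk.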
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json @@ -176,9 +176,39 @@ "autoHotPatch": { "type": "string", "defaultValue": "Deny" + }, + "aaDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aaLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "aaLogsCategory": { + "type": "string", + "defaultValue": "allLogs" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b797045a-b3cd-46e4-adc4-bbadb3381d78", + "policyDefinitionReferenceId": "Dine-AA-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('aaLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('aaLogsCategory')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc", "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json index 1ae305a2..1b91a1f8 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleAssignments/roleAssignment.json 
@@ -22,7 +22,7 @@
 "resources": [
 {
 "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
+ "apiVersion": "2022-04-01",
 "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), parameters('roleDefinitionId')))]",
 "properties": {
 "principalType": "[parameters('principalType')]",
diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/policyIdentity.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/policyIdentity.json
new file mode 100644
index 00000000..fd56c81f
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/policyIdentity.json
@@ -0,0 +1,97 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroupName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "managedIdentityName": {
+ "type": "string"
+ },
+ "managementSubscriptionId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "deploymentName": "[concat(parameters('resourceGroupName'), '-ua-identity-', parameters('location'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[parameters('resourceGroupName')]",
+ "location": "[parameters('location')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[variables('deploymentName')]",
+ "resourceGroup": "[parameters('resourceGroupName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[parameters('resourceGroupName')]"
+ },
+ "uaIdentityName": {
+ "value": "[parameters('managedIdentityName')]"
+ },
+ "azureLocation": {
+ "value": "[parameters('location')]"
+ },
+ "mgmtSubId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "rgName": {
+ "type": "string"
+ },
+ "uaIdentityName": {
+ "type": "string"
+ },
+ "azureLocation": {
+ "type": "string"
+ },
+ "mgmtSubId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2023-01-31",
+ "name": "[parameters('uaIdentityName')]",
+ "location": "[parameters('azureLocation')]"
+ }
+ ],
+ "outputs": {
+ "innerObjectId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('uaIdentityName')), '2023-01-31').principalId]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "identityObjectId": {
+ "type": "string",
+ "value": "[reference(variables('deploymentName')).outputs.innerObjectId.value]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
new file mode 100644
index 00000000..d4a04199
--- /dev/null
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
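Review bot: `managementSubscriptionId` is declared in the outer template and threaded into the nested template as `mgmtSubId`, yet no resource or output in either template reads it, so it is a dead input that every caller must still supply; remove both declarations or add `"metadata": { "description": "..." }` explaining what it is reserved for. The template surfaces only `principalId` through `identityObjectId`; consumers that attach this identity to a resource or a policy assignment also need the identity's resource id, so a second output built from `resourceId(parameters('resourceGroupName'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))` would save callers from reconstructing it — hedged, since the consumers are outside this diff. Neither the resource group nor the identity carries `tags`, and the file ends without a trailing newline.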
@@ -0,0 +1,2498 @@ +{ + "$schema": "", + "view": { + "kind": "Form", + "properties": { + "title": "FSI Landing Zones on Microsoft Azure", + "isWizard": false, + "steps": [ + { + "name": "basics", + "label": "Deployment location", + "elements": [ + { + "name": "resourceScope", + "type": "Microsoft.Common.ResourceScope" + } + ] + }, + { + "name": "lzSettings", + "label": "Management Group and Subscription Organization", + "subLabel": { + "preValidation": "Provide a prefix for the management group structure that will be created.", + "postValidation": "Done" + }, + "bladeTitle": "Company prefix", + "elements": [ + { + "name": "info", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "FSI Landing Zones requires access at the tenant root (/) scope. Visit this link to ensure you have the appropriate RBAC permission to complete the deployment", + "uri": "https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin", + "style": "Info" + } + }, + { + "name": "mgSection", + "type": "Microsoft.Common.Section", + "label": "Management Groups", + "elements": [ + { + "name": "mgmtGroup", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "FSI Landing Zones will create the management group hierarchy under the Tenant Root Group with the prefix provided at this step, which will be used to establish a proven architecture for subscription organization and policy driven governance at scale.", + "link": { + "label": "Learn more", + "uri": "https://github.com/microsoft/industry/tree/main/fsi#fsi-landing-zones-on-microsoft-azure" + } + } + }, + { + "name": "esMgmtGroup", + "type": "Microsoft.Common.TextBox", + "label": "Management Group prefix", + "toolTip": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of FSI Landing Zones.", + "defaultValue": "", + "constraints": { + "required": true, + "regex": 
"^[a-z0-9A-Z-]{1,10}$", + "validationMessage": "The prefix must be 1-10 characters." + } + } + ], + "visible": true + }, + { + "name": "subSection", + "type": "Microsoft.Common.Section", + "label": "Subscription Organization", + "elements": [ + { + "name": "subOrg", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "FSI Landing Zones recommends dedidated subscriptions for the Azure platform functionality, such as Security, Governance, Compliance, Network Connectivity, and Identity and Access. This enables the organization to scale the Azure platform and the workloads in the landing zones independently regardless of future scale-point.", + "link": { + "label": "Learn more", + "uri": "https://github.com/microsoft/industry/blob/main/fsi/docs/architectureAndDesign.md#architecture-and-design" + } + } + }, + { + "name": "subOrgsOption", + "type": "Microsoft.Common.OptionsGroup", + "label": "Select dedicated subscriptions or a single subscription for FSI Landing Zones platform resources", + "defaultValue": "Dedicated (recommended)", + "toolTip": "Dedicated subscriptions will require separate Azure subscriptions for platform resources and is the recommended option for production environments. The single subscription option will deploy all platform resources on a single subscription.", + "constraints": { + "allowedValues": [ + { + "label": "Dedicated (recommended)", + "value": "Dedicated" + }, + { + "label": "Single", + "value": "Single" + } + ] + }, + "visible": true + } + ], + "visible": true + }, + { + "name": "esSingleSubSection", + "type": "Microsoft.Common.Section", + "label": "Single platform subscription", + "elements": [ + { + "name": "subWarning", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "icon": "Warning", + "text": "Dedicated subscriptions are recommended for the various platform components to ensure scale, sustainability, and segregation of duties, and especially around networking. 
However, a single subscription can also be used in case this is not a concern (e.g., small organizations, or testing purposes).", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" + } + }, + { + "name": "singleSubText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the single subscription that will be used for all platform resources during deployment, for security, logging, connectivity, and identity." + } + }, + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esSingleSub", + "label": "Single platform subscription" + } + ], + "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]" + } + ] + }, + { + "name": "esGoalState", + "label": "Management and Monitoring", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformMgmtSub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]", + "options": { + "text": "To enable platform management and monitoring, you must allocate a dedicated Azure Subscription. Please note, this Subscription will be moved to the platform Management Group, and ARM will deploy a Log Analytics workspace and requisite settings. We recommend using a new Subscription with no existing resources. 
Note that Azure Policy will be used to govern the configuration for the platform at scale.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring", + "style": "Info" + } + }, + { + "name": "singlePlatformMgmtSub", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]", + "options": { + "text": "To enable management and monitoring, you can configure core infra such as Log Analytics and additional monitoring solutions to your dedicated platform subscription. Note that Azure Policy will be used to govern the configuration for the platform at scale.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring", + "style": "Info" + } + }, + { + "name": "esMgmtSubSection", + "type": "Microsoft.Common.Section", + "label": "Management subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esMgmtSub", + "label": "Management subscription" + } + ], + "visible": "[and(equals(steps('esGoalState').azMonSection.esLogAnalytics, 'Yes'), not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single')))]" + }, + { + "name": "azMonSection", + "type": "Microsoft.Common.Section", + "label": "Azure Monitor", + "elements": [ + { + "name": "azMonText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Azure Monitor with Log Analytics provides the core infrastructure to enable platform observability, security, and log retention for the FSI Landing Zones. 
You can create a dedicated Log Analytics workspace and enable curated analytical solutions, that will also intersect with Microsoft Defender for Cloud and Microsoft Sentinel.", + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview" + } + } + }, + { + "name": "esLogAnalytics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Log Analytics workspace and enable monitoring for your platform and resources", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esLogRetention", + "type": "Microsoft.Common.Slider", + "min": 30, + "max": 730, + "label": "Log Analytics Data Retention (days)", + "subLabel": "Days", + "defaultValue": 30, + "showStepMarkers": false, + "toolTip": "Select retention days for Azure logs. Default is 30 days. 
If longer retention is required, you can optionally configure Log Analytics data export to a Storage Account or an Event Hub namespace.", + "constraints": { + "required": false + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "monitoring", + "type": "Microsoft.Common.TextBlock", + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]", + "options": { + "text": "Select which Azure Monitor solutions you will enable for your Log Analytics workspace", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions" + } + } + }, + { + "name": "esAgentSolution", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Agent Health solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esChangeTracking", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Change Tracking solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esUpdateMgmt", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Update Management solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will 
be deployed to the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esActivityLog", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Activity Log solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esVmInsights", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VM Insights solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esServiceMap", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Service Map solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esSqlAssessment", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy SQL Assessment 
solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, the solution will be deployed to the Log Analytics workspace.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + } + ], + "visible": true + } + ] + }, + { + "name": "esGovState", + "label": "Security, Governance, and Compliance", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGovernance", + "elements": [ + { + "name": "govInfo", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "To enable platform security, governance, and compliance, you can configure Microsoft Cloud Security Benchmark, Compliant and Secure by-default Azure services, Microsoft Defender for Cloud, and additional governance solutions. Note that Azure Policy will be used to govern the configuration for the platform at scale.", + "uri": "https://learn.microsoft.com/security/benchmark/azure/overview", + "style": "Info" + } + }, + { + "name": "asbSection", + "type": "Microsoft.Common.Section", + "label": "Microsoft Cloud Security Benchmark", + "elements": [] + }, + { + "name": "mcsbText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "The Microsoft Cloud Security Benchmark focuses on cloud-centric control areas. 
These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).", + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/security/benchmark/azure/overview" + } + } + }, + { + "name": "mcsbPolicy", + "type": "Microsoft.Common.OptionsGroup", + "label": "Assign Microsoft Cloud Security Benchmark Policy Initiative", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, the MCSB will be assigned at the intermediate root management group to provide an aggregated compliance view for the FSI Landing Zones architecture.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "secureByDefaultSection", + "type": "Microsoft.Common.Section", + "label": "Compliant and Secure by-default", + "elements": [] + }, + { + "name": "secureByDefaultText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "FSI Landing Zones enables a 'compliant and secure by-default' landing zones for your Azure services. 
Select the Azure services you want to have enforced as 'secure by-default' via Azure policy to satisfy regulatory requirements", + "link": { + "label": "Learn more about 'secure by-default' for FSI Landing Zones", + "uri": "https://github.com/microsoft/industry/blob/main/fsi/docs/securityGovernanceAndCompliance.md#compliant-and-secure-by-default-fsi-landing-zones" + } + } + }, + { + "name": "secureSvc", + "type": "Microsoft.Common.DropDown", + "label": "Secure by-default Azure Services", + "placeholder": "", + "defaultValue": [ + "API Management", + "App Service", + "Automation", + "Backup", + "Key Vault", + "SQL", + "Service Bus", + "Cosmos DB", + "Open AI", + "Event Grid", + "Event Hub", + "Databricks", + "Stream Analytics", + "Networking", + "Storage Account", + "Virtual Machine" + ], + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "defaultDescription": "Select the Azure services that must be secure by-default", + "constraints": { + "allowedValues": [ + { + "label": "API Management", + "description": "Azure policies will ensure secure by-default compliance for API Management, such as enforcement of strong protocols, encryption, access via private endpoint, and centralized logging.", + "value": "Apim" + }, + { + "label": "App Service", + "description": "Azure policies will ensure secure by-default compliance for App Service (including Function Apps), such as enforcement of strong protocols, access via private endpoint, and centralized logging.", + "value": "AppService" + }, + { + "label": "Automation", + "description": "Azure policies will ensure secure by-default compliance for Automation accounts, enforce access via private endpoints, encyrption of variables and centralized logging.", + "value": "Automation" + }, + { + "label": "Backup", + "description": "Azure policies will ensure secure by-default compliance for Backup and Recovery Services vaults, enforce 
immutable backups, encryption, and private over private endpoint.", + "value": "Backup" + }, + { + "label": "Key Vault", + "description": "Azure policies will ensure secure by-default compliance for Key Vaults, secrets, keys, and certificates, enforce access via private endpoints, purge protection, and centralized logging.", + "value": "KeyVault" + }, + { + "label": "SQL", + "description": "Azure policies will ensure secure by-default compliance for SQL servers and SQL databases, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.", + "value": "Sql" + }, + { + "label": "Service Bus", + "description": "Azure policies will ensure secure by-default compliance for Service Bus, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", + "value": "ServiceBus" + }, + { + "label": "Cosmos DB", + "description": "Enforce secure by-default Cosmos DB within the landing zone", + "value": "CosmosDb" + }, + { + "label": "Open AI", + "description": "Enforce secure by-default Open AI (Cognitive Services) within the landing zone", + "value": "OpenAi" + }, + { + "label": "Event Grid", + "description": "Enforce secure by-default Event Grid within the landing zone", + "value": "EventGrid" + }, + { + "label": "Event Hub", + "description": "Enforce secure by-default Event Hub within the landing zone", + "value": "EventHub" + }, + { + "label": "Databricks", + "description": "Enforce secure by-default Databricks within the landing zone", + "value": "Databricks" + }, + { + "label": "Stream Analytics", + "description": "Enforce secure by-default Stream Analytics within the landing zone", + "value": "StreamAnalytics" + }, + { + "label": "Networking", + "description": "Enforce secure by-default Networks within the landing zone", + "value": "Networking" + }, + { + "label": "Storage Account", + "description": "Enforce secure by-default Storage Account within the landing zone", + 
"value": "StorageAccounts" + }, + { + "label": "Virtual Machine", + "description": "Enforce secure by-default Virtual Machines within the landing zone", + "value": "VMs" + } + ], + "required": false + }, + "visible": true + }, + { + "name": "mcDefenderSection", + "type": "Microsoft.Common.Section", + "label": "Microsoft Defender for Cloud", + "elements": [], + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "mcDefenderText", + "type": "Microsoft.Common.TextBlock", + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]", + "options": { + "text": "Select which Microsoft Defender for Cloud solutions you will enable.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/security/fundamentals/overview" + } + } + }, + { + "name": "defenderEndpoint", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Microsoft Defender for Endpoint for Windows and Linux VMs", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will enforce Defender for Endpoint for Windows and Linux VMs", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + }, + { + "name": "esAsc", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Microsoft Defender for Cloud and enable security monitoring for your platform and resources", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, Azure Policy will enforce Defender for Cloud and enable security monitoring for your platform and resources", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" 
+ }, + { + "name": "esAscEmail", + "type": "Microsoft.Common.TextBox", + "label": "Microsoft Defender for Cloud Email Contact", + "toolTip": "Email address to get email notifications from Azure Security Center", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "defaultValue": "", + "constraints": { + "required": "[equals(steps('esGovState').esAsc,'Yes')]", + "regex": "^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", + "validationMessage": "Please provide a valid email address" + } + }, + { + "name": "esAscVms", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for servers", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for all servers.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscOssDb", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for open-source relational databases", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for open-source relational databases.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscCSPM", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for CSPM", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for CSPM.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscCosmosDb", + 
"type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Cosmos DB", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Cosmos DB.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscSynapse", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Synapse", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Synapse.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscApps", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for AppServices", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for AppServices.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscStorage", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Storage", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Storage.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscSql", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Azure 
SQL Database", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Azure SQL Database.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscSqlOnVm", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for SQL servers on machines", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for SQL servers on machines.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscKeyVault", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Key Vault", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Key Vault.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscArm", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Azure Resource Manager", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Resource Manager.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscDns", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for DNS", + "defaultValue": 
"Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for DNS.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esAscContainers", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Containers (Kubernetes and Registries)", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Containers.", + "visible": "[equals(steps('esGovState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "esSecuritySolution", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Microsoft Sentinel", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + } + ] + }, + { + "name": "esConnectivityGoalState", + "label": "Network Connectivity and Topology", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformConnectivitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]", + "options": { + "text": "To enable connectivity for Azure and on-premises, you must allocate a dedicated connectivity Subscription. 
Please note, this Subscription will be moved to the connectivity Management Group, and ARM will deploy the first hub virtual network for either a hub and spoke or Virtual WAN network topology. Additional networking platform resources such as gateways or Azure Firewall can be deployed. We recommend using a new dedicated Subscription with no existing resources. When you need to scale-out networking, either into the same region and same subscription, or to a new region or a separate connectivity subscription, use the following link to deploy and scale-out.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "singlePlatformConnectivitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]",
+ "options": {
+ "text": "To enable network topology and connectivity for Azure and on-premises, you can select the preferred networking topology, and deploy this into the dedicated platform subscription. Additional networking platform resources such as gateways or Azure Firewall can also be deployed.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "connSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Azure Connectivity Configuration",
+ "elements": [
+ {
+ "name": "azMonText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "The FSI Landing Zones provides the foundational networking and connectivity services for deploying telco applications and services on Microsoft Azure at scale. 
Select the preferred networking topology and services for Azure and the Distributed Edge.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://github.com/microsoft/industry/blob/main/telco/docs/telco-networking.md"
+ }
+ }
+ }
+ ],
+ "visible": true
+ },
+ {
+ "name": "esHub",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy networking topology for Azure and on-premises",
+ "defaultValue": "No",
+ "toolTip": "Select the preferred network topology. If third-party NVA is a requirement, you must deploy this into the connectivity subscription post the deployment.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Hub and spoke (customer managed)",
+ "value": "vhub"
+ },
+ {
+ "label": "Virtual WAN (Microsoft managed)",
+ "value": "vwan"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esNwSubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Connectivity subscription",
+ "elements": [
+ {
+ "type": "Microsoft.Common.SubscriptionSelector",
+ "name": "esNwSub",
+ "label": "Connectivity subscription"
+ }
+ ],
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single')))]"
+ },
+ {
+ "name": "esAddressHubVWAN",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space (required for vWAN hub)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/23)",
+ "defaultValue": "10.100.0.0/23",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('esConnectivityGoalState').esHub, 'nva')), not(equals(steps('esConnectivityGoalState').esHub, 'vhub')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. 
The address prefix must be in the range [10,24]."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAddressHubHS",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space (required for hub virtual network)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/16)",
+ "defaultValue": "10.100.0.0/16",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('esConnectivityGoalState').esHub, 'vwan')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esLocationsApi",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "GET",
+ "path": "locations?api-version=2019-11-01"
+ }
+ },
+ {
+ "name": "esNwLocation",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Region for the first networking hub",
+ "filter": true,
+ "toolTip": "Select the target region for you connectivity deployment (requires you to provide a subscriptionId for connectivity)",
+ "constraints": {
+ "allowedValues": "[map(steps('esConnectivityGoalState').esLocationsApi.value,(item) => parse(concat('{\"label\":\"',item.displayName,'\",\"value\":\"',item.name,'\"}')))]",
+ "required": true
+ },
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]"
+ },
+ {
+ "name": "anmSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Enable VNet connectivity with Azure Virtual Network Manager (PREVIEW)",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esHub, 'vhub'), contains(split('northcentrals,westus2,eastus,eastus2,northeurope,westeurope,francecentral', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "elements": [
+ {
+ "name": "anmText",
+ "type": "Microsoft.Common.TextBlock", 
+ "visible": true,
+ "options": {
+ "text": "Azure Virtual Network Manager (Preview) is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/virtual-network-manager/overview"
+ }
+ }
+ },
+ {
+ "name": "anmOption",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use Azure Virtual Network Manager to manage virtual networks",
+ "defaultValue": "No",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will create an Azure Virtual Network Manager instance in the connectivity subscription.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "esPrivateDns",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create Private DNS Zones for Azure PaaS services",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[equals(steps('esConnectivityGoalState').esHub, 'vhub')]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will create Private DNS Zones for Azure PaaS services",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esVpnGw",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway",
+ "defaultValue": "No",
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwRegionalOrAz",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy zone redundant or regional 
VPN Gateway",
+ "defaultValue": "Zone redundant (recommended)",
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone redundant (recommended)",
+ "value": "Zone"
+ },
+ {
+ "label": "Regional",
+ "value": "Regional"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwNoAzSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2"
+ },
+ {
+ "label": "VpnGw3",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN 
connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3"
+ },
+ {
+ "label": "VpnGw4",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4"
+ },
+ {
+ "label": "VpnGw5",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwAzSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2AZ"
+ },
+ {
+ "label": "VpnGw3AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3AZ"
+ },
+ {
+ "label": "VpnGw4AZ",
+ "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4AZ"
+ },
+ { 
+ "label": "VpnGw5AZ",
+ "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5AZ"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwRegionalSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2"
+ },
+ {
+ "label": "VpnGw3",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3"
+ },
+ {
+ "label": "VpnGw4",
+ "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4"
+ },
+ {
+ "label": "VpnGw5",
+ "description": "Supports BGP, max 100 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esVwanGwScaleUnits",
+ "type": 
"Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway scale unit",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]",
+ "toolTip": "Select the VPN Gateway scale unit",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "1 scale unit",
+ "description": "Supports 500 Mbps x2",
+ "value": "1"
+ },
+ {
+ "label": "2 scale units",
+ "description": "Supports 1 Gbps x 2",
+ "value": "2"
+ },
+ {
+ "label": "3 scale units",
+ "description": "Supports 1.5 Gbps x 2",
+ "value": "3"
+ },
+ {
+ "label": "4 scale units",
+ "description": "Supports 2 Gbps x 2",
+ "value": "4"
+ },
+ {
+ "label": "5 scale units",
+ "description": "Supports 2.5 Gbps x 2",
+ "value": "5"
+ },
+ {
+ "label": "6 scale units",
+ "description": "Supports 3 Gbps x 2",
+ "value": "6"
+ },
+ {
+ "label": "7 scale units",
+ "description": "Supports 3.5 Gbps x 2",
+ "value": "7"
+ },
+ {
+ "label": "8 scale units",
+ "description": "Supports 4 Gbps x 2",
+ "value": "8"
+ },
+ {
+ "label": "9 scale units",
+ "description": "Supports 4.5 Gbps x 2",
+ "value": "9"
+ },
+ {
+ "label": "10 scale units",
+ "description": "Supports 5 Gbps x 2",
+ "value": "10"
+ },
+ {
+ "label": "11 scale units",
+ "description": "Supports 5.5 Gbps x 2",
+ "value": "11"
+ },
+ {
+ "label": "12 scale units",
+ "description": "Supports 6 Gbps x 2",
+ "value": "12"
+ },
+ {
+ "label": "13 scale units",
+ "description": "Supports 6.5 Gbps x 2",
+ "value": "13"
+ },
+ {
+ "label": "14 scale units",
+ "description": "Supports 7 Gbps x 2",
+ "value": "14"
+ },
+ {
+ "label": "15 scale units",
+ "description": "Supports 7.5 Gbps x 2",
+ "value": "15"
+ },
+ {
+ "label": "16 scale units",
+ "description": "Supports 8 Gbps x 2",
+ "value": "16"
+ },
+ {
+ "label": "17 scale units",
+ "description": "Supports 8.5 Gbps x 2",
+ "value": 
"17"
+ },
+ {
+ "label": "18 scale units",
+ "description": "Supports 9 Gbps x 2",
+ "value": "18"
+ },
+ {
+ "label": "19 scale units",
+ "description": "Supports 9.5 Gbps x 2",
+ "value": "19"
+ },
+ {
+ "label": "20 scale units",
+ "description": "Supports 10 Gbps x 2",
+ "value": "20"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAddressVpnOrEr",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Subnet for VPN/ExpressRoute Gateways",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.1.0/24)",
+ "defaultValue": "10.100.1.0/24",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'vwan')), or(equals(steps('esConnectivityGoalState').esErGw, 'Yes'),equals(steps('esConnectivityGoalState').esVpnGw, 'Yes')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-7]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [20,27]."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')), '.'), 1))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (first octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)." 
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').esAddressVpnOrEr, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esErGw",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy ExpressRoute Gateway",
+ "defaultValue": "No",
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy ExpressRoute gateway",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esErRegionalOrAz",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy zone redundant or regional ExpressRoute Gateway",
+ "defaultValue": "Zone redundant (recommended)",
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.",
+ "constraints": {
+ 
"allowedValues": [
+ {
+ "label": "Zone redundant (recommended)",
+ "value": "Zone"
+ },
+ {
+ "label": "Regional",
+ "value": "Regional"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esErAzSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "toolTip": "Select the required SKU for the Express Route gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "ErGw1AZ",
+ "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4",
+ "value": "ErGw1AZ"
+ },
+ {
+ "label": "ErGw2AZ",
+ "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8",
+ "value": "ErGw2AZ"
+ },
+ {
+ "label": "ErGw3AZ",
+ "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16",
+ "value": "ErGw3AZ"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esErRegionalSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), 
equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]",
+ "toolTip": "Select the required SKU for the Express Route gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4",
+ "value": "Standard"
+ },
+ {
+ "label": "HighPerformance",
+ "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8",
+ "value": "HighPerformance"
+ },
+ {
+ "label": "UltraPerformance",
+ "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16",
+ "value": "UltraPerformance"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esErNoAzSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)))]",
+ "toolTip": "Select the required SKU for the Express Route gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Megabits per second 1000, packets 
per second 100,000, connections per second 7000, max number of cicuit connections is 4",
+ "value": "Standard"
+ },
+ {
+ "label": "HighPerformance",
+ "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8",
+ "value": "HighPerformance"
+ },
+ {
+ "label": "UltraPerformance",
+ "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16",
+ "value": "UltraPerformance"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esVwanErScaleUnits",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the ExpressRoute Gateway scale unit",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]",
+ "toolTip": "Select the ExpressRoute Gateway scale unit",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "1 scale unit",
+ "description": "Supports 2 Gbps",
+ "value": "1"
+ },
+ {
+ "label": "2 scale units",
+ "description": "Supports 4 Gbps",
+ "value": "2"
+ },
+ {
+ "label": "3 scale units",
+ "description": "Supports 6 Gbps",
+ "value": "3"
+ },
+ {
+ "label": "4 scale units",
+ "description": "Supports 8 Gbps",
+ "value": "4"
+ },
+ {
+ "label": "5 scale units",
+ "description": "Supports 10 Gbps",
+ "value": "5"
+ },
+ {
+ "label": "6 scale units",
+ "description": "Supports 12 Gbps",
+ "value": "6"
+ },
+ {
+ "label": "7 scale units",
+ "description": "Supports 14 Gbps",
+ "value": "7"
+ },
+ {
+ "label": "8 scale units",
+ "description": "Supports 16 Gbps",
+ "value": "8"
+ },
+ {
+ "label": "9 scale units",
+ "description": "Supports 18 Gbps",
+ "value": "9"
+ },
+ {
+ "label": "10 scale units",
+ "description": "Supports 20 Gbps",
+ "value": "10"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFw",
+ "type": "Microsoft.Common.OptionsGroup",
+ 
"label": "Deploy Azure Firewall",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFwDns",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Firewall as a DNS proxy",
+ "defaultValue": "No",
+ "visible": "[equals(steps('esConnectivityGoalState').esAzFw, 'Yes')]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFwSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Azure Firewall tier",
+ "defaultValue": "Standard",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[equals(steps('esConnectivityGoalState').esAzFw, 'Yes')]",
+ "toolTip": "Select Azure Firewall tier",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Standard Azure Firewall",
+ "value": "Standard"
+ },
+ {
+ "label": "Premium",
+ "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.",
+ "value": "Premium"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esFwAz",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Availability Zones for the Azure Firewall",
+ "defaultValue": "None",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "visible": "[if(equals(steps('esConnectivityGoalState').esHub, 'vhub'), and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'), 
contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)), false)]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone 1",
+ "value": "1"
+ },
+ {
+ "label": "Zone 2",
+ "value": "2"
+ },
+ {
+ "label": "Zone 3",
+ "value": "3"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAddressFw",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Subnet for Azure Firewall",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/24)",
+ "defaultValue": "10.100.0.0/24",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esAzFw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan')))]",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-6]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [20,26]."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFw, '/')), '.'), 1))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (first octet)." 
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFw, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFw, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').esAddressFw, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)." 
+ }
+ ]
+ }
+ },
+ {
+ "name": "nwSecurity",
+ "type": "Microsoft.Common.Section",
+ "label": "Network Security and Monitoring",
+ "elements": [
+ {
+ "name": "monitoring",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]",
+ "options": {
+ "text": "Select which Azure Network Security and Monitoring solutions you will enable for your platform and landing zones",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions"
+ }
+ }
+ },
+ {
+ "name": "esDdoS",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable DDoS Protection Standard",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Protection Standard will be enabled and protect your Azure resources from denial of service threats.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esNetworkWatcher",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Network Watcher observability",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, Network Watcher will be enabled for all virtual networks for the platform and the landing zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esNsgFlowLogs",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable NSG Flow Logs and Traffic Analytics",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[and(equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes'), 
equals(steps('esConnectivityGoalState').nwSecurity.esNetworkWatcher, 'Yes'))]", + "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, NSG Flow Logs will be enabled for all NSGs for the platform and the landing zones.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "exemptionInfo", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('esConnectivityGoalState').nwSecurity.esNsgFlowLogs, 'Yes'), equals(steps('esGoalState').mcsbPolicy, 'Yes'))]", + "options": { + "icon": "Info", + "text": "NSG Flow Logs requires a storage account accessible over a public endpoint, that will be created in the management subscription only trusting known Azure services. A policy exemption will be created to bypass the Microsoft Cloud Security Benchmark recommendations for the storage account.", + "uri": "https://www.microsoft.com" + } + } + ], + "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]" + } + ] + }, + { + "name": "esIdentityGoalState", + "label": "Identity and Access", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformIdentitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]", + "options": { + "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. 
We recommend using a new Subscription with no existing resources.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", + "style": "Info" + } + }, + { + "name": "singlePlatformIdentitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('lzSettings').subSection.subOrgsOption, 'Single')]", + "options": { + "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", + "style": "Info" + } + }, + { + "name": "authNauthZsection", + "type": "Microsoft.Common.Section", + "label": "Authentication and Authorization for workloads", + "elements": [], + "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]" + }, + { + "name": "authNauthZtexts", + "type": "Microsoft.Common.TextBlock", + "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]", + "options": { + "text": "You can optionally bring in a dedicated subscription for identity, which will serve as a placeholder for your domain controller virtual machines. 
Select 'No' if you want to do this later.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" + } + } + }, + { + "name": "identitySub", + "type": "Microsoft.Common.OptionsGroup", + "label": "Configure dedicated Identity subscription", + "defaultValue": "Yes", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]" + }, + { + "name": "esIdentitySubSection", + "type": "Microsoft.Common.Section", + "label": "Identity subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esIdentitySub", + "label": "Management subscription" + } + ], + "visible": "[and(not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single')), equals(steps('esIdentityGoalState').identitySub,'Yes'))]" + }, + { + "name": "esIdentityGovSection", + "type": "Microsoft.Common.Section", + "label": "Identity Governance", + "elements": [], + "visible": true + }, + { + "name": "identitypolicies", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select which of the the recommended policies you will assign to your identity management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" + } + } + }, + { + "name": "esIdDenyRdp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent inbound RDP from internet", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from 
internet", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esIdDenySubnetNsg", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure subnets are associated with NSG", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esIdDenyPublicIp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent usage of public IP", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "not(equals(steps('lzSettings').subSection.subOrgsOption, 'Single'))]" + }, + { + "name": "esIdAzBackup", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esIdentityConnectivity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Create virtual network and connect to the connectivity hub (optional)?", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.", + 
"constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[and(equals(steps('esIdentityGoalState').identitySub, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]" + }, + { + "name": "esIdentityCidr", + "type": "Microsoft.Common.TextBox", + "label": "Virtual network address space", + "placeholder": "", + "defaultValue": "10.110.0.0/24", + "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-9]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [10,29]." + } + ] + }, + "visible": "[and(equals(steps('esIdentityGoalState').esIdentityConnectivity, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]" + } + ] + }, + { + "name": "esPlayground", + "label": "Playground", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "playExplore", + "elements": [ + { + "name": "playgroundInfo", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "To accelerate innovation and transformation, subscriptions can be moved into the playground management group, completely separated from everything else where developers can explore Azure services, collaborate, and innovate quicker in a safe and reliable way. 
Further, subscriptions in Playground management group can be used to expedite service enablement, to validate Azure services against best practices such as Microsoft Cloud Security Benchmark to ensure they can meet the compliance before being deployed to a landing zone.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", + "style": "Info" + } + }, + { + "name": "playgroundText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the subscriptions you want to move to playground management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" + } + } + }, + { + "name": "playgroundApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "playgroundSub", + "type": "Microsoft.Common.DropDown", + "label": "Playground subscriptions (optional)", + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": true, + "constraints": { + "allowedValues": "[map(filter(steps('esPlayground').playgroundApi.value, (sub) => equals(sub.state, 'Enabled')), (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]", + "required": false + } + }, + { + "name": "playgroundPolicySection", + "type": "Microsoft.Common.Section", + "label": "Assign recommended Azure policies for playground subscriptions", + "elements": [] + }, + { + "name": "playgroundPolicyText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select which of the recommended policies you will assign to your playground subscriptions. 
The policies listed here will ensure that the boundaries between playground and landing zones can be crossed.", + "link": { + "label": "Learn more", + "uri": "https://placeholder.com" + } + } + }, + { + "name": "vnetPeeringPolicy", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent any Virtual Network Peering to and from the playground subscriptions", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your playground resources.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "budgetPolicy", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure there is a budget associated with each playground subscription to control cost", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your playground resources.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "budgetAmount", + "type": "Microsoft.Common.Slider", + "min": 1000, + "max": 10000, + "label": "Specify monthly budget amount (subject to your currency)", + "subLabel": "", + "defaultValue": 1000, + "showStepMarkers": false, + "toolTip": "Select amount for the budget policy.", + "constraints": { + "required": false + }, + "visible": "[equals(steps('esPlayground').budgetPolicy, 'Yes')]" + }, + { + "name": "vnicPolicy", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent network interfaces to have public IPs", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent usage of public IP for network interfaces", + 
"constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + } + ] + }, + { + "name": "lzGoalState", + "label": "Landing Zones", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "infoBox1", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "FSI Landing Zones enables curated landing zones for workloads categorized as corp connected (e.g., connected to corporate network and enforcing private endpoints), online (e.g., workloads requiring public endpoints). You can optionally provide subscriptions for these first landing zones and assign recommended policies that will ensure workloads will be secure, monitored, and protected according to best practices.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance", + "style": "Info" + } + }, + { + "name": "corpLz", + "type": "Microsoft.Common.Section", + "label": "Corp landing zones", + "visible": true, + "elements": [ + { + "name": "corpText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the subscriptions you want to move to corp management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" + } + } + }, + { + "name": "esLzConnectivity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Connect corp landing zones to the connectivity hub during the deployment (optional)?", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + 
"value": "No" + } + ] + }, + "visible": "[equals(steps('esConnectivityGoalState').esHub, 'vhub')]" + }, + { + "name": "lzCorpSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "esCorpLzSub", + "type": "Microsoft.Common.DropDown", + "label": "Corp landing zone subscriptions (optional)", + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[or(or(equals(steps('lzGoalState').corpLz.esLzConnectivity, 'No'), equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esHub, 'vwan'), equals(steps('lzGoalState').corpLz.esLzConnectivity, 'No'))]", + "constraints": { + "allowedValues": "[map(filter(steps('lzGoalState').corpLz.lzCorpSubsApi.value, (sub) => equals(sub.state, 'Enabled')), (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]", + "required": false + } + }, + { + "name": "lzConnectedSubs", + "type": "Microsoft.Common.EditableGrid", + "ariaLabel": "Add existing subscriptions into the management group landing zone and provide address space for virtual network peering", + "label": "Corp connected landing zone subscriptions (optional)", + "visible": "[equals(steps('lzGoalState').corpLz.esLzConnectivity, 'Yes')]", + "constraints": { + "width": "Full", + "rows": { + "count": { + "min": 1, + "max": 10 + } + }, + "columns": [ + { + "id": "subs", + "header": "Subscription", + "width": "1fr", + "element": { + "name": "esLzConnectedSub", + "type": "Microsoft.Common.DropDown", + "label": "Landing zone subscription", + "toolTip": "", + "multiselect": false, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": false, + "constraints": { + "allowedValues": 
"[map(steps('lzGoalState').corpLz.lzSubsApi.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]", + "required": false + } + } + }, + { + "id": "addresses", + "header": "Virtual Network Address space", + "width": "1fr", + "element": { + "type": "Microsoft.Common.TextBox", + "placeholder": "Ensure there are no overlapping IP addresses!", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." + } + ] + } + } + } + ] + } + }, + { + "name": "lzSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + } + ] + }, + { + "name": "onlineLz", + "type": "Microsoft.Common.Section", + "label": "Online landing zones", + "visible": true, + "elements": [ + { + "name": "onlineText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the subscriptions you want to move to online management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" + } + } + }, + { + "name": "lzOnlineSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "esOnlineLzSub", + "type": "Microsoft.Common.DropDown", + "label": "Online landing zone subscriptions (optional)", + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": true, + "constraints": { + 
"allowedValues": "[map(filter(steps('lzGoalState').onlineLz.lzOnlineSubsApi.value, (sub) => equals(sub.state, 'Enabled')), (sub) => parse(concat('{\"label\":\"',sub.displayName,'\",\"description\":\"',sub.subscriptionId,'\",\"value\":\"',toLower(sub.subscriptionId),'\"}')))]",
+ "required": false
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "outputs": {
+ "parameters": {
+ "industry": "fsi",
+ "subnetMaskForGw": "[steps('esConnectivityGoalState').esAddressVpnOrEr]",
+ "subnetMaskForAzFw": "[steps('esConnectivityGoalState').esAddressFw]",
+ "enableErGw": "[steps('esConnectivityGoalState').esErGw]",
+ "enableVpnGw": "[steps('esConnectivityGoalState').esVpnGw]",
+ "enableHub": "[steps('esConnectivityGoalState').esHub]",
+ "enableDdoS": "[steps('esConnectivityGoalState').nwSecurity.esDdoS]",
+ "connectivitySubscriptionId": "[if(not(equals(steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,'')]",
+ "enableAzFw": "[steps('esConnectivityGoalState').esAzFw]",
+ "enableAzFwDnsProxy": "[steps('esConnectivityGoalState').esAzFwDns]",
+ "addressPrefix": "[coalesce(steps('esConnectivityGoalState').esAddressHubVWAN, steps('esConnectivityGoalState').esAddressHubHS, '')]",
+ "location": "[steps('esConnectivityGoalState').esNwLocation]",
+ "managementSubscriptionId": "[steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId]",
+ "identitySubscriptionId": "[if(or(not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,'')]",
+ "onlineLzSubscriptionId": 
"[if(or(not(contains(steps('lzGoalState').onlineLz.esOnlineLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').onlineLz.esOnlineLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').onlineLz.esOnlineLzSub,'')]",
+ "corpLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').corpLz.esCorpLzSub,'')]",
+ "enableLogAnalytics": "[steps('esGoalState').azMonSection.esLogAnalytics]",
+ "enableMcsbPolicy": "[steps('esGovState').mcsbPolicy]",
+ "denyRdpForIdentity": "[steps('esIdentityGoalState').esIdDenyRdp]",
+ "denySubnetWithoutNsgForIdentity": "[steps('esIdentityGoalState').esIdDenySubnetNsg]",
+ "denyPipForIdentity": "[steps('esIdentityGoalState').esIdDenyPublicIp]",
+ "enableVmBackupForIdentity": "[steps('esIdentityGoalState').esIdAzBackup]",
+ "enableDefenderEndpoint": "[steps('esGovState').defenderEndpoint]",
+ "enableAsc": "[steps('esGovState').esAsc]",
+ "emailContactAsc": "[steps('esGovState').esAscEmail]",
+ "enableAscForServers": "[steps('esGovState').esAscVms]",
+ "enableAscForCSPM": "[steps('esGovState').esAscCSPM]",
+ "enableAscForCosmosDb": "[steps('esGovState').esAscCosmosDb]",
+ "enableAscForSynapse": "[steps('esGovState').esAscSynapse]",
+ "enableAscForOssDb": "[steps('esGovState').esAscOssDb]",
+ "enableAscForAppServices": "[steps('esGovState').esAscApps]",
+ "enableAscForStorage": "[steps('esGovState').esAscStorage]",
+ "enableAscForSql": "[steps('esGovState').esAscSql]",
+ "enableAscForSqlOnVm": "[steps('esGovState').esAscSqlOnVm]",
+ "enableAscForKeyVault": "[steps('esGovState').esAscKeyVault]",
+ "enableAscForArm": "[steps('esGovState').esAscArm]",
+ "enableAscForDns": "[steps('esGovState').esAscDns]",
+ 
"enableAscForContainers": "[steps('esGovState').esAscContainers]",
+ "enableSecuritySolution": "[steps('esGovState').esSecuritySolution]",
+ "enableAgentHealth": "[steps('esGoalState').azMonSection.esAgentSolution]",
+ "enableChangeTracking": "[steps('esGoalState').azMonSection.esChangeTracking]",
+ "enableUpdateMgmt": "[steps('esGoalState').azMonSection.esUpdateMgmt]",
+ "enableActivityLog": "[steps('esGoalState').azMonSection.esActivityLog]",
+ "enableVmInsights": "[steps('esGoalState').azMonSection.esVmInsights]",
+ "enableServiceMap": "[steps('esGoalState').azMonSection.esServiceMap]",
+ "denyVnetPeering": "[steps('esPlayground').vnetPeeringPolicy]",
+ "enableBudget": "[steps('esPlayground').budgetPolicy]",
+ "budgetAmount": "[string(steps('esPlayground').budgetAmount)]",
+ "playgroundSubscriptionId": "[steps('esPlayground').playgroundSub]",
+ "enableSqlAssessment": "[steps('esGoalState').azMonSection.esSqlAssessment]",
+ "industryPrefix": "[steps('lzSettings').mgSection.esMgmtGroup]",
+ "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "firewallSku": "[steps('esConnectivityGoalState').esAzFwSku]",
+ "firewallZones": "[steps('esConnectivityGoalState').esFwAz]",
+ "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]",
+ "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]",
+ "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]",
+ "erAzSku": "[steps('esConnectivityGoalState').esErAzSku]",
+ "erRegionalSku": "[if(empty(steps('esConnectivityGoalState').esErRegionalSku), steps('esConnectivityGoalState').esErNoAzSku, steps('esConnectivityGoalState').esErRegionalSku)]",
+ "singlePlatformSubscriptionId": "[steps('lzSettings').esSingleSubSection.esSingleSub.subscriptionId]",
+ "retentionInDays": 
"[string(steps('esGoalState').azMonSection.esLogRetention)]",
+ "expressRouteScaleUnit": "[steps('esConnectivityGoalState').esVwanErScaleUnits]",
+ "vpnGateWayScaleUnit": "[steps('esConnectivityGoalState').esVwanGwScaleUnits]",
+ "enablePrivateDnsZones": "[steps('esConnectivityGoalState').esPrivateDns]",
+ "identityAddressPrefix": "[steps('esIdentityGoalState').esIdentityCidr]",
+ "enableNetworkWatcher": "[steps('esConnectivityGoalState').nwSecurity.esNetworkWatcher]",
+ "enableNsgFlowLogs": "[steps('esConnectivityGoalState').nwSecurity.esNsgFlowLogs]",
+ "enableAvnm": "[steps('esConnectivityGoalState').anmSection.anmOption]",
+ "compliantAzureServices": "[steps('esGovState').secureSvc]",
+ "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').corpLz.lzConnectedSubs,'')]"
+ },
+ "kind": "Tenant",
+ "location": "[steps('basics').resourceScope.location.name]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
new file mode 100644
index 00000000..49e305d8
--- /dev/null
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -0,0 +1,4124 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "industry": {
+ "type": "string",
+ "allowedValues": [
+ "fsi",
+ "telco"
+ ],
+ "metadata": {
+ "description": "Azure Portal UX to determine which industry cloud foundation to be deployed"
+ }
+ },
+ "industryPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "managementSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for management. If you don't want to bring a subscription, leave this parameter empty as is."
+ }
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for networking."
+ }
+ },
+ "identitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for identity."
+ }
+ },
+ "denySubnetWithoutNsgForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "denyRdpForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "denyPipForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableVmBackupForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "Audit",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "playgroundSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move into your playground management group."
+ }
+ },
+ "onlineLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first online landing zones."
+ }
+ },
+ "corpLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones."
+ }
+ },
+ "corpConnectedLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub."
+ }
+ },
+ "enableLogAnalytics": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored."
+ }
+ },
+ "retentionInDays": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enableMcsbPolicy": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No",
+ "metadata": {
+ "descriptione": "If 'Yes' is selected, Microsoft Cloud Security Benchmark policy initiative will be assigned at the intermediate root management group, providing all-up governance view for FSI Landing Zones."
+ }
+ },
+ "enableAsc": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored."
+ }
+ },
+ "emailContactAsc": {
+ "type": "string",
+ "metadata": {
+ "description": "Email address for Azure Security Center contact details."
+ },
+ "defaultValue": ""
+ },
+ "enableAscForServers": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForCSPM": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForCosmosDb": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForSynapse": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "enableAscForAppServices": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForStorage": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForSql": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForSqlOnVm": {
+ "type": 
"string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForKeyVault": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForArm": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForDns": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForContainers": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableAscForOssDb": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
+ "enableDefenderEndpoint": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected, policy will be assigned to enforce Defender for Endpoint"
+ }
+ },
+ "enableSecuritySolution": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableAgentHealth": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableChangeTracking": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableUpdateMgmt": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableActivityLog": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableVmInsights": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableServiceMap": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableSqlAssessment": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ 
"addressPrefix": { + "type": "string", + "defaultValue": "" + }, + "enableVpnGw": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableErGw": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]" + }, + "enableHub": { + "type": "string", + "allowedValues": [ + "vhub", + "vwan", + "nva", + "No" + ], + "defaultValue": "No" + }, + "enableAzFw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "enableAzFwDnsProxy": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "enableDdoS": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "enablePrivateDnsZones": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "subnetMaskForAzFw": { + "type": "string", + "defaultValue": "" + }, + "subnetMaskForGw": { + "type": "string", + "defaultValue": "" + }, + "gwRegionalOrAz": { + "type": "string", + "defaultValue": "" + }, + "gwAzSku": { + "type": "string", + "defaultValue": "" + }, + "gwRegionalSku": { + "type": "string", + "defaultValue": "" + }, + "erRegionalOrAz": { + "type": "string", + "defaultValue": "" + }, + "erAzSku": { + "type": "string", + "defaultValue": "" + }, + "erRegionalSku": { + "type": "string", + "defaultValue": "" + }, + "firewallSku": { + "type": "string", + "allowedValues": [ + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, + "firewallZones": { + "type": "array", + "defaultValue": [] + }, + "singlePlatformSubscriptionId": { + "type": "string", + "defaultValue": "", + "maxLength": 36 + }, + "expressRouteScaleUnit": { + "type": "string", + "defaultValue": "1" + }, + "vpnGateWayScaleUnit": { + "type": "string", + "defaultValue": "1" + }, + "identityAddressPrefix": { + "type": "string", + "defaultValue": "" 
+ },
+ "denyVnetPeering": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "No",
+ "Yes"
+ ]
+ },
+ "enableBudget": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "budgetAmount": {
+ "type": "string",
+ "defaultValue": "1000"
+ },
+ "enableNetworkWatcher": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableNsgFlowLogs": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableAvnm": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "compliantAzureServices": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Select the Azure service(s) that should be secure by-default"
+ }
+ }
+ },
+ "variables": {
+ // Declaring the prescriptive management group structure that will be used in the scope construction
+ "mgmtGroups": {
+ "industryRoot": "[parameters('industryPrefix')]",
+ "platform": "[concat(parameters('industryPrefix'), '-', 'platform')]",
+ "management": "[concat(parameters('industryPrefix'), '-', 'management')]",
+ "connectivity": "[concat(parameters('industryPrefix'), '-', 'connectivity')]",
+ "identity": "[concat(parameters('industryPrefix'), '-', 'identity')]",
+ "playground": "[concat(parameters('industryPrefix'), '-', 'playground')]",
+ "lzs": "[concat(parameters('industryPrefix'), '-', 'landingzones')]",
+ "corp": "[concat(parameters('industryPrefix'), '-', 'corp')]",
+ "online": "[concat(parameters('industryPrefix'), '-', 'online')]"
+ },
+ // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc.
+ "scopes": {
+ "industryRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').industryRoot)]",
+ "platformManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').platform)]",
+ "managementManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').management)]",
+ "connectivityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').connectivity)]",
+ "identityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').identity)]",
+ "playgroundManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').playground)]",
+ "lzsManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').lzs)]",
+ "corpManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').corp)]",
+ "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]"
+ },
+ // Declaring all required deployment uri's used for deployments of composite ARM templates for FSI
+ "azPrivateDnsPolicyMapping": {
+ "https://management.azure.com/": "core/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json",
+ "https://management.usgovcloudapi.net": "core/managementGroupTemplates/policyDefinitions/gov/fairfaxDINE-PrivateDNSZonesPolicySetDefinition.json"
+ },
+ "azPrivateDnsArmTemplate": "[variables('azPrivateDnsPolicyMapping')[environment().resourceManager]]",
+ "azPublicEndpointsPolicyMapping": {
+ "https://management.azure.com/": "core/managementGroupTemplates/policyDefinitions/DENY-PublicEndpointsPolicySetDefinition.json",
+ "https://management.usgovcloudapi.net": "core/managementGroupTemplates/policyDefinitions/gov/fairfaxDENY-PublicEndpointsPolicySetDefinition.json"
+ },
+ "azPublicEndpointArmTemplate": "[variables('azPublicEndpointsPolicyMapping')[environment().resourceManager]]",
+ "azPolicyPoliciesMapping": {
+ "https://management.azure.com/": "core/managementGroupTemplates/policyDefinitions/policies.json",
+ "https://management.usgovcloudapi.net": "core/managementGroupTemplates/policyDefinitions/gov/fairfaxPolicies.json"
+ },
+ "azPolicyArmTemplate": "[variables('azPolicyPoliciesMapping')[environment().resourceManager]]",
+ "deploymentUris": {
+ "managementGroups": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]",
+ "policyIdentity": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/policyIdentity.json')]",
+ "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]",
+ "policyDefinitions": "[uri(deployment().properties.templateLink.uri, variables('azPolicyArmTemplate'))]",
+ "compliantApiMPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json')]",
+ "compliantApimPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json')]",
+ "compliantAppServicePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json')]",
+ "compliantAppServicePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json')]",
+ "compliantAutomationPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json')]",
+ "compliantAutomationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json')]",
+ "compliantBackupPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json')]",
+ "compliantComputePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json')]",
+ "compliantContainerAppsPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json')]",
+ "compliantContainerInstancePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json')]",
+ "compliantContainerRegistryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json')]",
+ "compliantCosmosDbPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json')]",
+ "compliantDataExplorerPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json')]",
+ "compliantDataFactoryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json')]",
+ "compliantEventGridPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json')]",
+ "compliantEventHubPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json')]",
+ "compliantKeyVaultPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json')]",
+ "compliantKeyVaultPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json')]",
+ "compliantKubernetesPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json')]",
+ "compliantMachineLearningPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json')]",
+ "compliantOpenAiPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json')]",
+ "compliantServiceBusPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json')]",
+ "compliantSQLPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json')]",
+ "compliantStoragePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json')]",
+ "compliantSynapsePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json')]",
+ "dataPolicyDefinitions": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/dataPolicies.json')]",
+ "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/hubspoke-connectivity.json')]",
+ "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vwan-connectivity.json')]",
+ "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/nvahubspoke-connectivity.json')]",
+ "subscriptionPlacement": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json')]",
+ "monitoring": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logAnalyticsWorkspace.json')]",
+ "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/resourceGroup.json')]",
+ "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'core/resourceGroupTemplates/ddosProtection.json')]",
+ "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
+ "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logAnalyticsSolutions.json')]",
+ "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
+ "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
+ "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]",
+ "ascConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json')]",
+ "defenderEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json')]",
+ "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
+ "azPolicyForKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
+ "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
+ "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
+ "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
+ "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]",
+ "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]",
+ "publicEndpointPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, variables('azPublicEndpointArmTemplate'))]",
+ "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]",
+ "privateDnsZonePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, variables('azPrivateDnsArmTemplate'))]",
+ "privateDnsZonePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json')]",
+ "pipPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json')]",
+ "rdpFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json')]",
+ "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]",
+ "subnetNsgPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json')]",
+ "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
+ "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json')]",
+ "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
+ "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vnetPeering.json')]",
+ "corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vnetPeeringVwan.json')]",
+ "privateDnsZones": "[uri(deployment().properties.templateLink.uri, 'core/resourceGroupTemplates/privateDnsZones.json')]",
+ "roleAssignments": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/roleAssignments/roleAssignment.json')]",
+ "databricksSku": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json')]",
+ "databricksPip": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json')]",
+ "databricksCluster": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-DatabricksClusterPolicyAssignment.json')]",
+ "govAscPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/gov/fairfaxDINE-ASCConfigPolicyAssignment.json')]",
+ "logStorageAccount": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logStorageAccount.json')]",
+ "nwDeployment": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/networkWatcher.json')]",
+ "nsgFlowLogPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-NSGFlowLogsPolicyAssignment.json')]",
+ "nsgFlowLogPolicyExemption": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyExemptions/EXEMPT-NSGFlowLogStAcc.json')]",
+ "sshFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-SSHFromInternetPolicyAssignment.json')]",
+ "denyVnetPeeringPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-VNetPeeringPolicyAssignment.json')]",
+ "budgetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DINE-BudgetPolicyAssignment.json')]",
+ "appGwWithoutWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutWAFPolicyAssignment.json')]",
+ "appGwWithouthFwPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-AppGwWithoutFwRulesPolicyAssignment.json')]",
+ "wafWithoutFdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-WafWithoutFrontDoorEntryPointPolicyAssignment.json')]",
+ "fdWithoutWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-FdWithoutManagedWafPolicyAssignment.json')]",
+ "openAiLocalAuthPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithLocalAuthPolicyAssignment.json')]",
+ "openAiMiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-OpenAiWithoutMiPolicyAssignment.json')]",
+ // Telco industry
+ "erHaPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'telco/managementGroupTemplates/policyAssignments/DENY-non-ha-expressRoutes-policyAssignment.json')]",
+ "pipHaPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'telco/managementGroupTemplates/policyAssignments/DENY-non-ha-publicIps-policyAssignment.json')]"
+ },
+ // Declaring deterministic deployment names
+ "deploymentSuffix": "[concat('-', deployment().location, guid(parameters('industryPrefix')))]",
+ "deploymentNames": {
+ "mgmtGroupDeploymentName": "[take(concat(parameters('industry'), '-Mgs', variables('deploymentSuffix')), 64)]",
+ "compliantApimDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Apim', variables('deploymentSuffix')), 64)]",
+ "compliantAppServiceDeploymentName": "[take(concat(parameters('industry'), 'Compliant-AppService', variables('deploymentSuffix')), 64)]",
+ "compliantAutomationDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Automation', variables('deploymentSuffix')), 64)]",
+ "compliantBackupDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Backup', variables('deploymentSuffix')), 64)]",
+ "compliantComputeDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Compute', variables('deploymentSuffix')), 64)]",
+ "compliantContainerAppsDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
+ "compliantContainerInstanceDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
+ "compliantContainerRegistryDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
+ "compliantCosmosDbDeploymentName": "[take(concat(parameters('industry'), 'Compliant-CosmosDb', variables('deploymentSuffix')), 64)]",
+ "compliantDataExplorerDeploymentName": "[take(concat(parameters('industry'), 'Compliant-DataExplorer', variables('deploymentSuffix')), 64)]",
+ "compliantDataFactoryDeploymentName": "[take(concat(parameters('industry'), 'Compliant-DataFactory', variables('deploymentSuffix')), 64)]",
+ "compliantEventGridDeploymentName": "[take(concat(parameters('industry'), 'Compliant-EventGrid', variables('deploymentSuffix')), 64)]",
+ "compliantEventHubDeploymentName": "[take(concat(parameters('industry'), 'Compliant-EventHub', variables('deploymentSuffix')), 64)]",
+ "compliantKeyVaultDeploymentName": "[take(concat(parameters('industry'), 'Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
+ "compliantKubernetesDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
+ "compliantMachineLearningDeploymentName": "[take(concat(parameters('industry'), 'Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
+ "compliantOpenAiDeploymentName": "[take(concat(parameters('industry'), 'Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
+ "compliantServiceBusDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
+ "compliantSqlDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Sql', variables('deploymentSuffix')), 64)]",
+ "compliantStorageDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Storage', variables('deploymentSuffix')), 64)]",
+ "compliantSynapseDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Synapse', variables('deploymentSuffix')), 64)]",
+ "mgmtSubscriptionPlacement": "[take(concat(parameters('industry'), '-MgmtSub', variables('deploymentSuffix')), 64)]",
+ "policyIdentityDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentity', variables('deploymentSuffix')), 64)]",
+ "policyIdentityRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentityRoleAssignment', variables('deploymentSuffix')), 64)]",
+ "databricksSkuDeploymentName": "[take(concat(parameters('industry'), '-DBSku', variables('deploymentSuffix')), 64)]",
+ "databricksPipDeploymentName": "[take(concat(parameters('industry'), '-DBPip', variables('deploymentSuffix')), 64)]",
+ "databricksClusterDeploymentName": "[take(concat(parameters('industry'), '-DBCluster', variables('deploymentSuffix')), 64)]",
+ "corpPeeringDeploymentName": "[take(concat(parameters('industry'), '-CorpPeering', variables('deploymentSuffix')), 60)]",
+ "connectivitySubscriptionPlacement": "[take(concat(parameters('industry'), '-ConnectivitySub', variables('deploymentSuffix')), 64)]",
+ "identitySubscriptionPlacement": "[take(concat(parameters('industry'), '-IdentitySub', variables('deploymentSuffix')), 64)]",
+ "policyDeploymentName": "[take(concat(parameters('industry'), '-Policy', variables('deploymentSuffix')), 64)]",
+ "dataPolicyDeploymentName": "[take(concat(parameters('industry'),'-Data-Policy', variables('deploymentSuffix')), 64)]",
+ "ddosRgDeploymentName": "[take(concat(parameters('industry'), '-DDoSRg', variables('deploymentSuffix')), 64)]",
+ "ddosDeploymentName": "[take(concat(parameters('industry'), '-DDoS', variables('deploymentSuffix')), 64)]",
+ "ddosHubPolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSHubPolicy', variables('deploymentSuffix')), 64)]",
+ "cmkPolicyDeploymentName": "[take(concat(parameters('industry'), '-CMKPolicy', variables('deploymentSuffix')), 64)]",
+ "cmkPolicyAssignmentDeploymentName": "[take(concat(parameters('industry'), '-CMKPolicyAssignment', variables('deploymentSuffix')), 64)]",
+ "ddosLzPolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSLZPolicy', variables('deploymentSuffix')), 64)]",
+ "monitoringDeploymentName": "[take(concat(parameters('industry'), '-Monitoring', variables('deploymentSuffix')), 64)]",
+ "logAnalyticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-LAPolicy', variables('deploymentSuffix')), 64)]",
+ "monitoringSolutionsDeploymentName": "[take(concat(parameters('industry'), '-Solutions', variables('deploymentSuffix')), 64)]",
+ "asbPolicyDeploymentName": "[take(concat(parameters('industry'), '-ASB', variables('deploymentSuffix')), 64)]",
+ "resourceDiagnosticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
+ "activityDiagnosticsPolicyDeploymentName": "[take(concat(parameters('industry'), '-ActivityDiagnostics', variables('deploymentSuffix')), 64)]",
+ "ascPolicyDeploymentName": "[take(concat(parameters('industry'), '-ASC', variables('deploymentSuffix')), 64)]",
+ "ascGovPolicyDeploymentName": "[take(concat(parameters('industry'), '-Gov-ASC', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-HubSpoke', variables('deploymentSuffix')), 64)]",
+ "vwanConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-VWanHub', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-NVAHub', variables('deploymentSuffix')), 64)]",
+ "azVmMonitorPolicyDeploymentName": "[take(concat(parameters('industry'), '-AzVmMonitor', variables('deploymentSuffix')), 64)]",
+ "defenderEndpointPolicyDeploymentName": "[take(concat(parameters('industry'), '-DefenderEndpoint', variables('deploymentSuffix')), 64)]",
+ "azVmssMonitorPolicyDeploymentName": "[take(concat(parameters('industry'),'-AzVmssMonitor', variables('deploymentSuffix')), 64)]",
+ "azBackupLzPolicyDeploymentName": "[take(concat(parameters('industry'),'-AzBackupLz', variables('deploymentSuffix')), 64)]",
+ "azBackupIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
+ "azPolicyForAksPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPolicy', variables('deploymentSuffix')), 64)]",
+ "aksPrivEscalationPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPrivEsc', variables('deploymentSuffix')), 64)]",
+ "aksHttpsPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksHttps', variables('deploymentSuffix')), 64)]",
+ "aksPrivilegedPolicyDeploymentName": "[take(concat(parameters('industry'), '-AksPrivileged', variables('deploymentSuffix')), 64)]",
+ "tlsSslPolicyDeploymentName": "[take(concat(parameters('industry'), '-TLSSSL', variables('deploymentSuffix')), 64)]",
+ "ipFwPolicyDeploymentName": "[take(concat(parameters('industry'), '-IPFwd', variables('deploymentSuffix')), 64)]",
+ "publicEndpointPolicyDeploymentName": "[take(concat(parameters('industry'), '-PEndpoint', variables('deploymentSuffix')), 64)]",
+ "publicEndpointPolicyDefinitionName": "[take(concat(parameters('industry'), '-Policy-PEndpoints', variables('deploymentSuffix')), 64)]",
+ "privateDnsPolicyDefinitionName": "[take(concat(parameters('industry'), '-Policy-PrivateDns', variables('deploymentSuffix')), 64)]",
+ "privateDnsPolicyDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSAssignment', variables('deploymentSuffix')), 64)]",
+ "pipPolicyDeploymentName": "[take(concat(parameters('industry'), '-PIP', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetPolicyDeploymentName": "[take(concat(parameters('industry'), '-RDP', variables('deploymentSuffix')), 64)]",
+ "sshFromInternetPolicyDeploymentName": "[take(concat(parameters('industry'), '-SSH', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-RDPIdentity', variables('deploymentSuffix')), 64)]",
+ "storageHttpsPolicyDeploymentName": "[take(concat(parameters('industry'), '-StorageHttps', variables('deploymentSuffix')), 64)]",
+ "subnetNsgPolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsg', variables('deploymentSuffix')), 64)]",
+ "subnetNsgIdentityPolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]",
+ "playgroundSubs": "[take(concat(parameters('industry'), '-Playground', variables('deploymentSuffix')), 60)]",
+ "onlineLzSubs": "[take(concat(parameters('industry'), '-OnlineLzs', variables('deploymentSuffix')), 60)]",
+ "corpLzSubs": "[take(concat(parameters('industry'), '-CorpLzs', variables('deploymentSuffix')), 60)]",
+ "corpConnectedMoveLzSubs": "[take(concat(parameters('industry'), '-CorpConnLzs', variables('deploymentSuffix')), 50)]",
+ "corpConnectedLzSubs": "[take(concat(parameters('industry'), '-CorpPeering', variables('deploymentSuffix')), 50)]",
+ "privateDnsZoneRgDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSRG', variables('deploymentSuffix')), 64)]",
+ "privateDnsZonesDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSZones', variables('deploymentSuffix')), 35)]",
+ "dnsZoneRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-DNSZoneRole', variables('deploymentSuffix')), 64)]",
+ "dnsZoneOperatorRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-DNSZoneOperatorRole', variables('deploymentSuffix')), 64)]",
+ "nsgFLowLogRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-NSGFlowRole', variables('deploymentSuffix')), 64)]",
+ "identityPeeringDeploymentName": "[take(concat(parameters('industry'), '-IDPeering', variables('deploymentSuffix')), 64)]",
+ "identityVwanPeeringDeploymentName": "[take(concat(parameters('industry'), '-IDVwanPeering', variables('deploymentSuffix')), 64)]",
+ "corpConnectedLzVwanSubs": "[take(concat(parameters('industry'), '-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]",
+ "logStorageDeploymentName": "[take(concat(parameters('industry'), '-LogStorage', variables('deploymentSuffix')), 64)]",
+ "nwDeploymentName": "[take(concat(parameters('industry'), '-NwPlatform', variables('deploymentSuffix')), 64)]",
+ "nwRgLzPolicyAssignment": "[take(concat(parameters('industry'), '-NwRgLz', variables('deploymentSuffix')), 64)]",
+ "nsgFlowLogsPlatformPolicyAssignment": "[take(concat(parameters('industry'), '-NSGFlowPlatform', variables('deploymentSuffix')), 64)]",
+ "nsgFLowLogsLzPolicyAssignment": "[take(concat(parameters('industry'), '-NSGFlowLz', variables('deploymentSuffix')), 64)]",
+ "nsgFlowLogPolicyExemption": "[take(concat(parameters('industry'), '-NSGExempt', variables('deploymentSuffix')), 64)]",
+ "denyVnetPeeringDeploymentName": "[take(concat(parameters('industry'), '-VNetPeering', variables('deploymentSuffix')), 64)]",
+ "budgetDeploymentName": "[take(concat(parameters('industry'), '-Budget', variables('deploymentSuffix')), 64)]",
+ // Compliant Azure Service Policy Assignment deployment names
+ "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Automation-Account', variables('deploymentSuffix')), 64)]",
+ "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
+ "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
+ "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
+ // Telco specific policies assignment deployments
+ "erHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaEr', variables('deploymentSuffix')), 64)]",
+ "pipHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaPip', variables('deploymentSuffix')), 64)]",
+ "privateDnsOperatorPolicyDeploymentName": "[take(concat(parameters('industry'), '-PrivateDNSOperator',variables('deploymentSuffix')), 64)]"
+ },
+ "esLiteDeploymentNames": {
+ "mgmtGroupLiteDeploymentName": "[take(concat(parameters('industry'), '-MgsLite', variables('deploymentSuffix')), 64)]",
+ "policyIdentityLiteDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentityLite', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetIdentityLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-RDPIdentity', variables('deploymentSuffix')), 64)]",
+ "azBackupIdentityLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
+ "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]",
+ "monitoringLiteDeploymentName": "[take(concat(parameters('industry'), '-MonitoringLite', variables('deploymentSuffix')), 64)]",
+ "logAnalyticsLitePolicyDeploymentName": "[take(concat(parameters('industry'),'-LAPolicyLite', variables('deploymentSuffix')), 64)]",
+ "monitoringSolutionsLiteDeploymentName": "[take(concat(parameters('industry'), '-SolutionsLite', variables('deploymentSuffix')), 64)]",
+ "platformLiteSubscriptionPlacement": "[take(concat(parameters('industry'), '-PlatformSubLite', variables('deploymentSuffix')), 64)]",
+ "logLiteStorageDeploymentName": "[take(concat(parameters('industry'), '-LogStorageLite', deployment().location, '-', deployment().name), 64)]",
+ "vnetConnectivityHubLiteDeploymentName": "[take(concat(parameters('industry'), '-VnetHubLite', variables('deploymentSuffix')), 64)]",
+ "vwanConnectivityHubLiteDeploymentName": "[take(concat(parameters('industry'), '-VWanHubLite', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHubLiteDeploymentName": "[take(concat(parameters('industry'), '-NVAHubLite', variables('deploymentSuffix')), 64)]",
+ "ddosRgLiteDeploymentName": "[take(concat(parameters('industry'), '-DDoSRgLite', variables('deploymentSuffix')), 64)]",
+ "ddosLiteDeploymentName": "[take(concat(parameters('industry'), '-DDoSLite', variables('deploymentSuffix')), 64)]",
+ "ddosHubLitePolicyDeploymentName": "[take(concat(parameters('industry'), '-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]",
+ "privateDnsZoneRgLiteDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSRGLite', variables('deploymentSuffix')), 64)]",
+ "privateDnsZonesLiteDeploymentName": "[take(concat(parameters('industry'), '-PrivDNSLite', variables('deploymentSuffix')), 35)]",
+ "nwLiteDeploymentName": "[take(concat(parameters('industry'), '-NwPlatform', deployment().location, '-', deployment().name), 64)]"
+
+ },
+ // Declaring deterministic names for Resource Groups that will be created for platform resources
+ "platformRgNames": {
+ "mgmtRg": "[concat(parameters('industryPrefix'), '-mgmt')]",
+ "userAssignedIdentity": "[concat(parameters('industryPrefix'), '-policy-identity')]",
+ "connectivityRg": "[concat(parameters('industryPrefix'), '-vnethub-', parameters('location'))]",
+ "ddosRg": "[concat(parameters('industryPrefix'), '-ddos')]",
+ "privateDnsRg": "[concat(parameters('industryPrefix'), '-privatedns')]",
+ "identityVnetRg": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]",
+ "lzVnetRg": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]",
+ "logNwRg":
"[concat(parameters('industryPrefix'), '-nwlog-', parameters('location'))]" + }, + // Declaring deterministic names for platform resources that will be created + "platformResourceNames": { + "logAnalyticsWorkspace": "[concat(parameters('industryPrefix'), '-law')]", + "userAssignedIdentityName": "[concat(parameters('industryPrefix'), '-policy-identity')]", + "logNwStorageAccount": "[toLower(take(concat(parameters('industryPrefix'), parameters('location'), uniqueString(deployment().name)), 23))]", + "automationAccount": "[concat(parameters('industryPrefix'), '-aauto')]", + "vpnGwName": "[concat(parameters('industryPrefix'), '-vpngw-', parameters('location'))]", + "erGwName": "[concat(parameters('industryPrefix'), '-ergw-', parameters('location'))]", + "ddosName": "[concat(parameters('industryPrefix'), '-ddos-', parameters('location'))]", + "azFwPolicyName": "[concat(parameters('industryPrefix'), '-azfwpolicy-', parameters('location'))]", + "azFwName": "[concat(parameters('industryPrefix'), '-fw-', parameters('location'))]", + "azErGwIpName": "[concat(parameters('industryPrefix'), '-erpip-', parameters('location'))]", + "hubName": "[concat(parameters('industryPrefix'), '-hub-', parameters('location'))]", + "vwanName": "[concat(parameters('industryPrefix'), '-vwan-', parameters('location'))]", + "azVpnGwIpName": "[concat(parameters('industryPrefix'), '-gwpip-', parameters('location'))]", + "azFwIpName": "[concat(parameters('industryPrefix'), '-fwpip-', parameters('location'))]", + "identityVnet": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]", + "lzVnet": "[concat(parameters('industryPrefix'), '-vnet-', parameters('location'))]" + }, + // Declaring deterministic resourceId's for platform resources that will be created + "singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]", + "singleVsDedicatedConnectivitySub": 
"[if(empty(parameters('connectivitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('connectivitySubscriptionId'))]", + "singleVsDedicatedIdentitySub": "[if(empty(parameters('identitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('identitySubscriptionId'))]", + "platformResourceIds": { + "userAssignedIdentityResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').userAssignedIdentity, '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('platformResourceNames').userAssignedIdentityName)]", + "logStorageResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').logNwRg, '/providers/Microsoft.Storage/storageAccounts/', variables('platformResourceNames').logNwStorageAccount)]", + "logAnalyticsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.OperationalInsights/workspaces/', variables('platformResourceNames').logAnalyticsWorkspace)]", + "automationResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Automation/automationAccounts/', variables('platformResourceNames').automationAccount)]", + "ddosProtectionResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').ddosRg, '/providers/Microsoft.Network/ddosProtectionPlans/', variables('platformResourceNames').ddosName)]", + "vNetHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubName)]", + "vWanHubResourceId": 
"[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubName)]", + "privateDnsRgResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').privateDnsRg)]", + "azFirewallResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/azureFirewalls/', variables('platformResourceNames').azFwName)]" + }, + // Declaring deterministic resourceId's for ES Lite platform resources (as they will be consolidated into a single platform subscription) + "deterministicRoleAssignmentGuids": { + "ddosForConnectivity": "[take(guid(concat(parameters('industryPrefix'), 'ddos')), 10)]", + "backupForIdentity": "[take(guid(concat(parameters('industryPrefix'), 'idbackup')), 10)]" + }, + "privateDnsZones": [ + "privatelink.azure-automation.net", + "privatelink.database.windows.net", + "privatelink.sql.azuresynapse.net", + "privatelink.blob.core.windows.net", + "privatelink.table.core.windows.net", + "privatelink.queue.core.windows.net", + "privatelink.file.core.windows.net", + "privatelink.web.core.windows.net", + "privatelink.dfs.core.windows.net", + "privatelink.documents.azure.com", + "privatelink.mongo.cosmos.azure.com", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.postgres.database.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.mariadb.database.azure.com", + "privatelink.vaultcore.azure.net", + "[concat('privatelink.', parameters('location'), '.azmk8s.io')]", + "privatelink.search.windows.net", + "privatelink.azurecr.io", + "privatelink.azconfig.io", + "[concat('privatelink.', parameters('location'), '.backup.windowsazure.com')]", + 
"privatelink.siterecovery.windowsazure.com", + "privatelink.servicebus.windows.net", + "privatelink.azure-devices.net", + "privatelink.eventgrid.azure.net", + "privatelink.azurewebsites.net", + "privatelink.api.azureml.ms", + "privatelink.notebooks.azure.net", + "privatelink.service.signalr.net", + "privatelink.cognitiveservices.azure.com", + "[concat(parameters('location'), '.privatelink.afs.azure.net')]", + "privatelink.datafactory.azure.com", + "privatelink.adf.azure.com", + "privatelink.redis.cache.windows.net", + "privatelink.dev.azuresynapse.net", + "privatelink.azuresynapse.net", + "privatelink.table.cosmos.azure.com", + "privatelink.batch.azure.com", + "privatelink.managedhsm.azure.net", + "[concat(parameters('location'), '.privatelink.azurecr.io')]", + "privatelink.azure-devices-provisioning.net", + "scm.privatelink.azurewebsites.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.digitaltwins.azure.net", + "privatelink.azurehdinsight.net", + "privatelink.his.arc.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.media.azure.net", + "[concat('privatelink.', parameters('location'), '.kusto.windows.net')]", + "privatelink.azurestaticapps.net", + "privatelink.prod.migration.windowsazure.com", + "privatelink.azure-api.net", + "privatelink.developer.azure-api.net", + "privatelink.analysis.windows.net", + "privatelink.pbidedicated.windows.net", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.directline.botframework.com", + "privatelink.token.botframework.com", + "workspace.privatelink.azurehealthcareapis.com", + "fhir.privatelink.azurehealthcareapis.com", + "dicom.privatelink.azurehealthcareapis.com" + ], + "baseId": "[concat(variables('platformResourceIds').privateDnsRgResourceId, '/providers/Microsoft.Network/privateDnsZones/')]", + "privateDnsPolicyParameterMapping": { + 
"azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]", + "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]", + "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.com')]", + "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.batch.azure.com')]", + "azureAppPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azconfig.io')]", + "azureAsrPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.siterecovery.windowsazure.com')]", + "azureIotPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices-provisioning.net')]", + "azureKeyVaultPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.vaultcore.azure.net')]", + "azureSignalRPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.service.signalr.net')]", + "azureAppServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurewebsites.net')]", + "azureEventGridTopicsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]", + "azureDiskAccessPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureCognitiveServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cognitiveservices.azure.com')]", + "azureIotHubsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.net')]", + "azureEventGridDomainsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]", + "azureRedisCachePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.redis.cache.windows.net')]", + "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.io')]", + "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", + "azureMachineLearningWorkspacePrivateDnsZoneId": 
"[concat(variables('baseId'), 'privatelink.api.azureml.ms')]", + "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", + "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]" + }, + "roleDefinitions": { + "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7", + "contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c" + } + }, + "resources": [ + /* + The following deployment will create the management group structure and ensure the sustainable, scalable architecture + */ + { + // Creating the management group structure + "condition": "[empty(parameters('singlePlatformSubscriptionId'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').mgmtGroupDeploymentName]", + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').managementGroups]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + /* + The following deployments will deploy the required proactive and preventive Azure policies for policy driven governance + */ + { + // Deploying custom policies. 
Note: all policies will eventually be moved to built-in policies and codebase will be reduced + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').policyDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').policyDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant APIM PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantApimDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantApiMPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant App Service PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantAppServiceDeploymentName]", + "location": 
"[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantAppServicePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Automation PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantAutomationDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantAutomationPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Backup PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantBackupDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantBackupPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Compute PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantComputeDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantComputePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Container Apps PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantContainerAppsDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + 
"templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerAppsPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Container Instance PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantContainerInstanceDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerInstancePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Container Registry PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantContainerRegistryDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerRegistryPolicySetDefinition]" + }, + "parameters": { + 
"topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Cosmos Db PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantCosmosDbDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantCosmosDbPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Data Explorer PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantDataExplorerDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataExplorerPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Data Factory PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": 
"2019-10-01", + "name": "[variables('deploymentNames').compliantDataFactoryDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataFactoryPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Event Grid PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantEventGridDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventGridPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Event Hub PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantEventHubDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', 
parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventHubPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Key Vault PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantKeyVaultDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantKeyVaultPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Kubernetes PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantKubernetesDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantKubernetesPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Machine Learning PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantMachineLearningDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantMachineLearningPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Open Ai PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantOpenAiDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').compliantOpenAIPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Service Bus PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantServiceBusDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantServiceBusPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant SQL PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantSqlDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantSqlPolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Storage 
PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantStorageDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantStoragePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying Compliant Synapse PolicySetDefinition + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').compliantSynapseDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantSynapsePolicySetDefinition]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // Deploying custom data policies + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').dataPolicyDeploymentName]", + "location": "[deployment().location]", + "scope": 
"[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataPolicyDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { + // One of Azure's untold stories..... + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat('Hydrating-Compliance-Step-', copyIndex())]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]", + "dependsOn": [ + "[variables('deploymentNames').policyDeploymentName]" + ], + "copy": { + "batchSize": 1, + "count": 10, + "mode": "Serial", + "name": "policyCompletion" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [], + "outputs": {} + } + } + }, + /* + The following deployments will organize the dedicated platform subscriptions into their respective management groups + */ + { + // Placing management subscription into dedicated management group + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').mgmtSubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').managementManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').management]" + }, + "subscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } + } + } + }, + { + // Placing connectivity subscription into dedicated management group + "condition": "[not(empty(parameters('connectivitySubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').connectivitySubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').connectivity]" + }, + "subscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + } + } + }, + { + // Placing identity subscription into dedicated management group + "condition": "[not(empty(parameters('identitySubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').identitySubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').identityManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + 
"parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').identity]" + }, + "subscriptionId": { + "value": "[parameters('identitySubscriptionId')]" + } + } + } + }, + /* + The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones + */ + { + // Deploying Log Analytics workspace to management subscription if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').monitoringDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoring]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + }, + "enableUpdateMgmt": { + "value": "[parameters('enableUpdateMgmt')]" + }, + "enableChangeTracking": { + "value": "[parameters('enableChangeTracking')]" + } + } + } + }, + { + // Deploying User Assigned identity for Policy enforcement + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": 
"[variables('deploymentNames').policyIdentityDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').policyIdentity]" + }, + "parameters": { + "resourceGroupName": { + "value": "[variables('platformRgNames').userAssignedIdentity]" + }, + "managedIdentityName": { + "value": "[variables('platformResourceNames').userAssignedIdentityName]" + }, + "location": { + "value": "[deployment().location]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } + } + } + }, + { + // Assigning RBAC for User Assigned identity for Azure Policy enforcement + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName]", + "location": "[deployment().location]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "dependsOn": [ + "[variables('deploymentNames').policyIdentityDeploymentName]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').roleAssignments]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "principalId": { + "value": "[reference(variables('deploymentNames').policyIdentityDeploymentName).outputs.identityObjectId.value]" + }, + "roleDefinitionId": { + "value": "[variables('roleDefinitions').contributor]" + } + } + } + }, + { + // Deploying Log Analytics solutions to Log Analytics workspace if condition is true + "condition": 
"[and(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableActivityLog'), 'Yes')), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoringSolutions]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "enableSecuritySolution": { + "value": "[parameters('enableSecuritySolution')]" + }, + "enableAgentHealth": { + "value": "[parameters('enableAgentHealth')]" + }, + "enableChangeTracking": { + "value": "[parameters('enableChangeTracking')]" + }, + "enableUpdateMgmt": { + "value": "[parameters('enableUpdateMgmt')]" + }, + "enableActivityLog": { + "value": "[parameters('enableActivityLog')]" + }, + "enableVmInsights": { + "value": "[parameters('enableVmInsights')]" + }, + "enableServiceMap": { + "value": "[parameters('enableServiceMap')]" + }, + "enableSqlAssessment": { + "value": "[parameters('enableSqlAssessment')]" + 
} + } + } + }, + { + // Create storage account for NSG Flow Logs in the management subscription for networking observability + "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableNsgFlowLogs'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').logStorageDeploymentName]", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').logStorageAccount]" + }, + "parameters": { + "mgmtStorageRgName": { + "value": "[variables('platformRgNames').logNwRg]" + }, + "storageAccountName": { + "value": "[variables('platformResourceNames').logNwStorageAccount]" + }, + "storageLocation": { + "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + } + } + } + }, + { + // Assigning Log Analytics workspace policy to management management group if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').logAnalyticsPolicyDeploymentName]", + "scope": "[variables('scopes').managementManagementGroup]", + 
"location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "logAnalyticsWorkspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Azure Security Benchmark policy to intermediate root management group if condition is true + "condition": "[equals(parameters('enableMcsbPolicy'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').asbPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').asbPolicyInitiative]" + }, + "parameters": {} + } + }, + { + // Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceDiagnosticsInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "userAssignedIdentityResourceId": { + "value": 
"[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Azure Activity Diagnostics Log policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').activityDiagnosticsPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').activityDiagnosticsPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Microsoft Defender for Cloud configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": 
"2020-10-01", + "name": "[variables('deploymentNames').ascPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ascConfigPolicyInitiative]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForCosmosDb": { + "value": "[parameters('enableAscForCosmosDb')]" + }, + "enableAscForSynapse": { + "value": "[parameters('enableAscForSynapse')]" + }, + "enableAscForCSPM": { + "value": "[parameters('enableAscForCSPM')]" + }, + "enableAscForAppServices": { + "value": "[parameters('enableAscForAppServices')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForKeyVault": { + "value": "[parameters('enableAscForKeyVault')]" + }, + "enableAscForSqlOnVm": { + "value": "[parameters('enableAscForSqlOnVm')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForDns": { + "value": "[parameters('enableAscForDns')]" + }, + "enableAscForOssDb": { + 
"value": "[parameters('enableAscForOssDb')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Assigning Defender Endpoint VMs policy initiative to intermediate root management group if condition is true + "condition": "[equals(parameters('enableDefenderEndpoint'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').defenderEndpointPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').defenderEndpointPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableDefenderEndpoint'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { + // Az Gov Only - Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.usgovcloudapi.net'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ascGovPolicyDeploymentName]", + "scope": "[variables('scopes').industryRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').govAscPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForDns": { + "value": "[parameters('enableAscForDns')]" + } + } + } + }, + /* + The following optional deployment will configure virtual network hub into the connectivity subscription + */ + { + // Creating resource group for DDoS Standard Protection + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosRgDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').ddosRg]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Creating DDoS protection plan into the connectivity subscription + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').ddosRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosProtection]" + }, + "parameters": { + "ddosName": { + "value": "[variables('platformResourceNames').ddosName]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Assigning DDoS Policy to enforce DDoS on virtual networks if condition 
evaluates to true + "condition": "[and(or(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosHubPolicyDeploymentName]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosPolicyAssignment]" + }, + "parameters": { + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Creating the virtual network hub (hub and spoke) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').vnetConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vnetConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFw')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": 
"[parameters('erRegionalSku')]" + }, + "enableAvnm": { + "value": "[parameters('enableAvnm')]" + } + } + } + }, + { + // Creating the virtual network hub (with NVA) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').nvaConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nvaConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + 
"value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + { + // Creating the VWAN network hub (Microsoft managed) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').vwanConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + 
"contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vwanConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "expressRouteScaleUnit": { + "value": "[parameters('expressRouteScaleUnit')]" + }, + "vpnGateWayScaleUnit": { + "value": "[parameters('vpnGateWayScaleUnit')]" + } + } + } + }, + { + // Creating resource group for Private DNS Zones + "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').privateDnsZoneRgDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').privateDnsRg]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Creating Private DNS Zones into the connectivity subscription + "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat(variables('deploymentNames').privateDnsZonesDeploymentName, copyIndex())]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').privateDnsRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]" + ], + "copy": { + 
"name": "dnsZones", + "count": "[length(variables('privateDnsZones'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').privateDnsZones]" + }, + "parameters": { + "privateDnsZoneName": { + "value": "[concat(variables('privateDnsZones')[copyIndex()])]" + }, + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" + } + } + } + }, + { // Creating Policy Assignment for NSG Flow Logs Policy on Platform scope + "condition": "[and(equals(parameters('enableNetworkWatcher'), 'Yes'), equals(parameters('enableNsgFlowLogs'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').nsgFlowLogsPlatformPolicyAssignment]", + "scope": "[variables('scopes').platformManagementGroup]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nwDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nsgFlowLogPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + 
"value": "[if(equals(parameters('enableNsgFlowLogs'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "storageId": { + "value": "[variables('platformResourceIds').logStorageResourceId]" + }, + "workspaceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "workspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "nsgRegion": { + "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + }, + "networkWatcherName": { + "value": "[concat('NetworkWatcher_', parameters('location'))]" + }, + "networkWatcherRg": { + "value": "NetworkWatcherRG" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { // Creating Policy Exemption for storage accounts for NSG in management management group scope + "condition": "[and(equals(parameters('enableMcsbPolicy'), 'Yes'), equals(parameters('enableNsgFlowLogs'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').nsgFlowLogPolicyExemption]", + "scope": "[variables('scopes').platformManagementGroup]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nwDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nsgFlowLogPolicyExemption]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + } + } + } + }, + { // Creating Network Watcher on Connectivity subscription + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableNetworkWatcher'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[deployment().location]", + "name": "[variables('deploymentNames').nwDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nwDeployment]" + }, + "parameters": { + "location": { + "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + } + } + } + }, + /* + The following deployments will deploy and configure the Azure policy governance for the landing zones + */ + { // Creating Policy Assignment for NSG Flow Logs Policy on Landing zone scope + "condition": "[and(equals(parameters('enableNetworkWatcher'), 
'Yes'), equals(parameters('enableNsgFlowLogs'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').nsgFlowLogsLzPolicyAssignment]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nwDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nsgFlowLogPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[concat(parameters('industryPrefix'), '-lz')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableNsgFlowLogs'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "storageId": { + "value": "[variables('platformResourceIds').logStorageResourceId]" + }, + "workspaceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "workspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "nsgRegion": { + "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + }, + "networkWatcherName": { + "value": 
"[concat('NetworkWatcher_', parameters('location'))]" + }, + "networkWatcherRg": { + "value": "NetworkWatcherRG" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { // Creating Policy Assignment API management to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Apim')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantApimAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantApimDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantApimPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "apimDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "apimLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment App Service to Landing Zone scope + "condition": 
"[contains(parameters('compliantAzureServices'), 'AppService')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantAppServiceAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantAppServiceDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantAppServicePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "appServiceDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "appServiceLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "functionDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "functionLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "appServiceAppsPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "appServiceAppsPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureAppServicesPrivateDnsZoneId, '')]" + 
}, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Automation Account to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Automation')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantAutomationAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantAutomationDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantAutomationPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "aaPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "aaPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureAutomationPrivateDnsZoneId, '')]" + }, + "aaDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "aaLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 
variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Key Vault to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'KeyVault')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantKeyVaultAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantKeyVaultDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantKeyVaultPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "keyVaultPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "keyVaultPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]" + }, + "keyVaultDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "keyVaultLogAnalyticsWorkspaceId": { + "value": 
"[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + /* + The following section will optionally configure the governance for the Identity management group for the platform + */ + { + // Assigning Azure Backup policy to identity management group if condition is true + "condition": "[and(equals(parameters('enableVmBackupForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azBackupIdentityPolicyDeploymentName]", + "scope": "[variables('scopes').identityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').backupForIdentity]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning deny Public Ip policy to identity management group if condition is true + "condition": "[and(equals(parameters('denyPipForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').pipPolicyDeploymentName]", + "scope": "[variables('scopes').identityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').pipPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning deny subnet without nsg policy to identity management group if condition is true + "condition": "[and(equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').subnetNsgIdentityPolicyDeploymentName]", + "scope": "[variables('scopes').identityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning deny rpd from internet on identity management group if condition is true + "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').rdpFromInternetIdentityPolicyDeploymentName]", + "scope": "[variables('scopes').identityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').identitySubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Peer vnet in identity subscription to connectivity hub if vhub or nva contidion is true + "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('identityAddressPrefix'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deploymentNames').identityPeeringDeploymentName]", + "subscriptionId": "[parameters('identitySubscriptionId')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" + ], + "properties": { + "mode": 
"Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').corpVnetPeering]" + }, + "parameters": { + "vNetRgName": { + "value": "[variables('platformRgNames').identityVnetRg]" + }, + "vNetName": { + "value": "[concat(parameters('identitySubscriptionId'), variables('platformResourceNames').identityVnet)]" + }, + "vNetLocation": { + "value": "[parameters('location')]" + }, + "vNetCidrRange": { + "value": "[parameters('identityAddressPrefix')]" + }, + "hubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" + }, + "azureFirewallResourceId": { + "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]" + } + } + } + }, + { + // Peer vnet in identity subscription to connectivity hub if vwan contidion is true + "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('identityAddressPrefix'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deploymentNames').identityVwanPeeringDeploymentName]", + "subscriptionId": "[parameters('identitySubscriptionId')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').corpVwanPeering]" + }, + "parameters": { + "vNetRgName": { + "value": "[variables('platformRgNames').identityVnetRg]" + }, + "vNetName": { + "value": "[concat(parameters('identitySubscriptionId'), variables('platformResourceNames').identityVnet)]" + }, + "vNetLocation": { + "value": "[parameters('location')]" + }, + "vNetCidrRange": { + "value": "[parameters('identityAddressPrefix')]" + }, + "vWanHubResourceId": { + "value": "[variables('platformResourceIds').vWanHubResourceId]" + }, + "azureFirewallResourceId": { + "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]" + } + } + } + }, + { + // Placing subscription(s) into playground management group + "condition": "[not(empty(parameters('playgroundSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat(variables('deploymentNames').playgroundSubs, copyIndex())]", + "scope": "[variables('scopes').playgroundManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "copy": { + "name": "playgroundSubs", + "count": "[length(parameters('playgroundSubscriptionId'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').playground]" + }, + "subscriptionId": { + "value": "[concat(parameters('playgroundSubscriptionId')[copyIndex()])]" + } + } + } + }, + { + // Assigning VNet peering policy to playground management group if condition is true + "condition": "[equals(parameters('denyVnetPeering'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').denyVnetPeeringDeploymentName]", + "scope": "[variables('scopes').playgroundManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').denyVnetPeeringPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning budget policy to playground management group if condition is true + "condition": "[and(not(empty(parameters('budgetAmount'))), equals(parameters('enableBudget'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').budgetDeploymentName]", + "scope": "[variables('scopes').playgroundManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "policyCompletion" + ], 
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').budgetPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "budgetName": {
+ "value": "DefaultBudget"
+ },
+ "amount": {
+ "value": "[parameters('budgetAmount')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will place landing zone subscriptions into online/corp (connected, disconnected)
+ */
+ {
+ // Placing subscription(s) into online landing zone management group
+ "condition": "[not(empty(parameters('onlineLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').onlineLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').onlineManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "onlineLzs",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').online]"
+ },
+ "subscriptionId": {
+ "value": "[concat(parameters('onlineLzSubscriptionId')[copyIndex()])]"
+ }
+ }
+ }
+ },
+ {
+ // Placing subscriptions
into corp landing zone management group
+ "condition": "[not(empty(parameters('corpLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').corpLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "corpLzs",
+ "count": "[length(parameters('corpLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').corp]"
+ },
+ "subscriptionId": {
+ "value": "[concat(parameters('corpLzSubscriptionId')[copyIndex()])]"
+ }
+ }
+ }
+ },
+ {
+ // Placing subscriptions into corp landing zone management group (and do subsequent peering)
+ "condition": "[not(empty(parameters('corpConnectedLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedMoveLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "corpConnectedMoveLzs",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').corp]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs]"
+ }
+ }
+ }
+ },
+ {
+ // Peering corp connected lz vnet to connectivity sub (when nva or vhub is selected)
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpPeeringDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments',
variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "corpConnectedPeering",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').lzVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '-', variables('platformResourceNames').lzVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].addresses]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },
+
/*{
+ // Peering corp connected lz vnet to connectivity sub (when vwan is selected)
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedLzVwanSubs, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+
"corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "corpConnectedVwanPeering",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]",
+ "batchSize": 1,
+ "mode": "Serial"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').lzVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '-', variables('platformResourceNames').lzVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].addresses]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vWanHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },*/
+ /*
+ **FSI Lite Only!**
+ The following section represent optional deployments in case the user select to use a single dedicated subscription for platform resources.
+ This is not recommmended for production deployment, only for small enterprises, demo, POC, etc.
+
+ The following deployment will create the management group structure for FSI Lite
+ */
+ {
+ // Creating the FSI Lite management group structure
+ "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName]",
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').managementGroupsLite]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: the following deployments will organize the dedicated platform subscription into the dedicated management groups
+ */
+ {
+ // Placing Platform subscription into dedicated management group
+ "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').platform]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('singlePlatformSubscriptionId')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: the following deployment will create Log Analytics to the platform subscription
+ */
+ {
+ // Deploy workspace to platform subscription if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'),
not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').monitoringLiteDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitoring]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ },
+ "enableChangeTracking": {
+ "value": "[parameters('enableChangeTracking')]"
+ },
+ "enableUpdateMgmt": {
+ "value": "[parameters('enableUpdateMgmt')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: the following deployments will deploy Log Analytics solutions to the platform subscription
+ */
+ {
+ // Create storage account for NSG Flow Logs in the management subscription for networking observability
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableNsgFlowLogs'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').logLiteStorageDeploymentName]",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "dependsOn":
[
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').logStorageAccount]"
+ },
+ "parameters": {
+ "mgmtStorageRgName": {
+ "value": "[variables('platformRgNames').logNwRg]"
+ },
+ "storageAccountName": {
+ "value": "[variables('platformResourceNames').logNwStorageAccount]"
+ },
+ "storageLocation": {
+ "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Log Analytics solutions to Log Analytics workspace if condition is true
+ "condition": "[and(and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableActivityLog'), 'Yes')), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri":
"[variables('deploymentUris').monitoringSolutions]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "enableSecuritySolution": {
+ "value": "[parameters('enableSecuritySolution')]"
+ },
+ "enableAgentHealth": {
+ "value": "[parameters('enableAgentHealth')]"
+ },
+ "enableChangeTracking": {
+ "value": "[parameters('enableChangeTracking')]"
+ },
+ "enableUpdateMgmt": {
+ "value": "[parameters('enableUpdateMgmt')]"
+ },
+ "enableActivityLog": {
+ "value": "[parameters('enableActivityLog')]"
+ },
+ "enableVmInsights": {
+ "value": "[parameters('enableVmInsights')]"
+ },
+ "enableServiceMap": {
+ "value": "[parameters('enableServiceMap')]"
+ },
+ "enableSqlAssessment": {
+ "value": "[parameters('enableSqlAssessment')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group
+ */
+ {
+ // Assigning Log Analytics workspace policy to platform management group if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').logAnalyticsLitePolicyDeploymentName]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]"
+ },
+
"parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy RG for DDoS standard protection to platform subscription
+ */
+ {
+ // Creating resource group for DDoS Standard Protection
+ "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').ddosRgLiteDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').ddosRg]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy DDoS standard protection
+ */
+ {
+ // Creating DDoS protection plan into the connectivity subscription
+ "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').ddosLiteDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').ddosRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosRgLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').ddosProtection]"
+ },
+ "parameters": {
+ "ddosName": {
+ "value": "[variables('platformResourceNames').ddosName]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy RG for Private DNS zones to platform subscription
+ */
+ {
+ // Creating resource group for Private DNS Zones
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments',
variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').privateDnsRg]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy private DNS zones
+ */
+ {
+ // Creating Private DNS Zones into the connectivity subscription
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('esLitedeploymentNames').privateDnsZonesLiteDeploymentName, copyIndex())]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').privateDnsRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+
"[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]"
+ ],
+ "copy": {
+ "name": "dnsZonesLite",
+ "count": "[length(variables('privateDnsZones'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZones]"
+ },
+ "parameters": {
+ "privateDnsZoneName": {
+ "value": "[concat(variables('privateDnsZones')[copyIndex()])]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ }
+ }
+ }
+ },
+ /*
+ Note: Lite only: Create Network Watcher into the single platform subscription
+ */
+ { // Creating Network Watcher on Connectivity subscription
+ "condition": "[and(equals(parameters('enableNetworkWatcher'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[deployment().location]",
+ "name": "[variables('esLitedeploymentNames').nwLiteDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').logStorageDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments',
variables('esLiteDeploymentNames').logLiteStorageDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nwDeployment]"
+ },
+ "parameters": {
+ "location": {
+ "value": "[if(empty(parameters('location')), deployment().location, parameters('location'))]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: assign DDoS policy for landing zones
+ */
+ {
+ // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true
+ "condition": "[and(and(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]"
+ },
+ "parameters": {
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "topLevelManagementGroupPrefix": {
+ "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploys hub and spoke
+ */
+ {
+ // Configuring and deploying the connectivity hub (hub and spoke)
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-05-01",
+ "scope":
"[variables('scopes').platformManagementGroup]",
+ "name": "[variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').vnetConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value": "[parameters('enableHub')]"
+ },
+ "enableAzFw": {
+ "value": "[parameters('enableAzFw')]"
+ },
+ "addressPrefix": {
+ "value": "[parameters('addressPrefix')]"
+ },
+ "enableVpnGw": {
+ "value": "[parameters('enableVpnGw')]"
+ },
+ "enableErGw": {
+ "value": "[parameters('enableErGw')]"
+ },
+ "enableDdoS": {
+ "value": "[parameters('enableDdoS')]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('singlePlatformSubscriptionId')]"
+ },
+ "subnetMaskForAzFw": {
+ "value": "[parameters('subnetMaskForAzFw')]"
+ },
+ "subnetMaskForGw": {
+ "value": "[parameters('subnetMaskForGw')]"
+ },
+ "firewallSku": {
+ "value": "[parameters('firewallSku')]"
+ },
+ "firewallZones": {
+ "value": "[parameters('firewallZones')]"
+ },
+ "enableAzFwDnsProxy": {
+ "value":
"[parameters('enableAzFwDnsProxy')]"
+ },
+ "gwRegionalOrAz": {
+ "value": "[parameters('gwRegionalOrAz')]"
+ },
+ "gwAzSku": {
+ "value": "[parameters('gwAzSku')]"
+ },
+ "gwRegionalSku": {
+ "value": "[parameters('gwRegionalSku')]"
+ },
+ "erRegionalOrAz": {
+ "value": "[parameters('erRegionalOrAz')]"
+ },
+ "erAzSku": {
+ "value": "[parameters('erAzSku')]"
+ },
+ "erRegionalSku": {
+ "value": "[parameters('erRegionalSku')]"
+ },
+ "enableAvnm": {
+ "value": "[parameters('enableAvnm')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploys virtual hub (NVA)
+ */
+ {
+ // Configuring and deploying the connectivity hub (NVA)
+ "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'nva'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-05-01",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "name": "[variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]"
+ ],
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').nvaConnectivityHub]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ },
+ "enableHub": {
+ "value":
"[parameters('enableHub')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + /* + Note: ES Lite only: deploys VWAN hub (Microsoft Managed) + */ + { + // Creating the VWAN network hub (Microsoft managed) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vwanConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "expressRouteScaleUnit": { + "value": "[parameters('expressRouteScaleUnit')]" + }, + "vpnGateWayScaleUnit": { + "value": "[parameters('vpnGateWayScaleUnit')]" + } + } + } + }, + /* + Note: ES Lite only: assigns policy for identity to enable Azure Backup + */ + { + // Assigning Azure Backup policy to platform management group if condition is true + "condition": "[and(equals(parameters('enableVmBackupForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').azBackupIdentityLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], + 
"properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').backupForIdentity]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: assign policy for identity to deny subnet without NSG + */ + { + // Assigning deny subnet without nsg policy to identity management group if condition is true + "condition": "[and(equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').subnetNsgIdentityLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: assign policy to deny RDP from internet to platform MG + */ + { + // Assigning deny rpd from internet policy landing zones management group if condition is true + "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').rdpFromInternetIdentityLitePolicyDeploymentName]", + "scope": 
"[variables('scopes').platformManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "deployment": {
+ "type": "string",
+ "value": "[concat(deployment().name, ' has successfully deployed.')]"
+ }
+ }
+}
\ No newline at end of file
From a3753ccb21663dcc851b2182f4e0fcdce81c81cb Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Sun, 19 Feb 2023 17:57:15 +0100
Subject: [PATCH 14/56] optimizing dependency
---
 foundations/azure/referenceImplementations/industryArmV2.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 49e305d8..0abd534e 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -1814,7 +1814,7 @@
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
 ],
 "properties": {
 "mode": "Incremental",
From a39e47f5e3552ba86ac254154827b0068ecdd702 Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Sun, 19 Feb 2023 21:06:35 +0100
Subject: [PATCH 15/56] adding policies
---
 .../mgmtGroupStructure/mgmtGroupsLite.json | 2 +-
 .../Compliant-BackupPolicyAssignment.json | 91 +++++++++++
 .../DENY-RegionsPolicyAssignment.json | 49 ++++++
 .../DENY-RgRegionsPolicyAssignment.json | 49 ++++++
 ...mpliant-AutomationPolicySetDefinition.json | 2 +-
 .../Compliant-BackupPolicySetDefinition.json | 20 ++-
 .../Custom-RBACDefinitions.json | 8 +-
 .../referenceImplementations/fsiPortalV2.json | 30 ++--
 .../industryArmV2.json | 145 +++++++++++++++++-
 9 files changed, 367 insertions(+), 29 deletions(-)
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
index aa56a63b..9e30c164 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
@@ -11,7 +11,7 @@
 "landingZoneMgs": {
 "type": "array",
 "defaultValue": [
- "online",
+ "cloud-native",
 "corp"
 ],
 "metadata": {
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
new file mode 100644
index 00000000..5b69178c
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json
@@ -0,0 +1,91 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "asrPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "asrPrivateDnsZone-Backup": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Blob": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Queue": { + "type": "string", + "defaultValue": "" + }, + "asrLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Backup')]" + }, + "policyAssignmentNames": { + "backup": "Compliant-Backup", + "description": "This policy initiative is a group of policies that ensures Backup is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Backup for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').backup]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": 
"[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantBackup]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "asrLogAnalyticsWorkspaceId": { + "value": "[parameters('asrLogAnalyticsWorkspaceId')]" + }, + "asrPrivateDnsZone": { + "value": "[parameters('asrPrivateDnsZone')]" + }, + "asrPrivateDnsZone-Backup": { + "value": "[parameters('asrPrivateDnsZone-Backup')]" + }, + "asrPrivateDnsZone-Blob": { + "value": "[parameters('asrPrivateDnsZone-Blob')]" + }, + "asrPrivateDnsZone-Queue": { + "value": "[parameters('asrPrivateDnsZone-Queue')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json new file mode 100644 index 00000000..1fa5a973 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json 
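Review bot: `userAssignedIdentityResourceId` is the one parameter of this new assignment template with no default, yet it is the only one without a `metadata.description`; add `"metadata": { "description": "Resource id of the user-assigned managed identity used by the DeployIfNotExists policies in the Compliant-Backup initiative for remediation." }` so callers know what identity (and which rights) they are handing to the policy. The three `asrPrivateDnsZone-*` parameters and `asrLogAnalyticsWorkspaceId` default to `""` while `asrPrivateDnsZone` defaults to `DeployIfNotExists`, so an assignment created with defaults carries a DINE effect that has no zone or workspace to remediate into; either state in the metadata that those ids are required when the effect is not `Disabled`, or drop their defaults so the caller must pass them. The `enforcementMode` parameter would also benefit from a one-line description mirroring the other assignment templates.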
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "listOfAllowedLocations": {
+ "type": "array",
+ "defaultValue": []
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "azureRegions": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
+ },
+ "policyAssignmentNames": {
+ "regions": "Deny-Azure-Regions",
+ "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
+ "displayName": "Azure Regions for Azure services that are allowed per FSI compliance"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').regions]",
+ "location": "[deployment().location]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').azureRegions]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('listOfAllowedLocations')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
new file mode 100644
index 00000000..aff027aa
--- /dev/null
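Review bot: `listOfAllowedLocations` has `"defaultValue": []`, and the assigned built-in definition, as its own description states, restricts deployments to the listed locations; a deployment that relies on that default (with `enforcementMode` also left at `Default`) would therefore deny every regional resource deployment under the assignment scope, and DENY-RgRegionsPolicyAssignment.json repeats the same default for resource groups. Removing the `defaultValue` so the caller must pass the list, or adding `"minLength": 1` to the parameter, turns that into a validation error instead of a silent outage. Both parameters also lack `metadata.description`; something like `"description": "Azure regions in which resources may be deployed. An empty list denies all regions."` records the hazard where the next maintainer will see it. There is a stray blank line inside `resources` before the closing `]`.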
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "listOfAllowedLocations": {
+ "type": "array",
+ "defaultValue": []
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "azureRegions": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988"
+ },
+ "policyAssignmentNames": {
+ "regions": "Deny-Azure-Rg-Regions",
+ "description": "This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements.",
+ "displayName": "Azure Regions for Resource Groups that are allowed per FSI compliance"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').regions]",
+ "location": "[deployment().location]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').azureRegions]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('listOfAllowedLocations')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json
index 5d1c41d0..92677c5f 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json
@@ -163,7 +163,7 @@
 },
 "aaPrivateEndpointGroupId": {
 "type": "string",
- "defaultValue": ""
+ "defaultValue": "DSCAndHybridWorker"
 },
 "aaPublicNetworkAccess": {
 "type": "string",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
index 1cccdc4b..3378f605 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
@@ -251,7 +251,7 @@
 "type": "string",
 "defaultValue": "Deny"
 },
- "asrPrivateDns": {
+ "asrPrivateDnsZone": {
 "type": "string",
 "defaultValue": "DeployIfNotExists"
 },
@@ -266,9 +266,25 @@
 "asrPrivateDnsZone-Queue": {
 "type": "string",
 "defaultValue": ""
+ },
+ "asrLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
 }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3",
+ "policyDefinitionReferenceId": "Dine-Asr-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('asrLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820",
 "policyDefinitionReferenceId": "Dine-Asr-Private-Dns-Zone",
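Review bot: The new `Dine-Asr-Diagnostics` reference in hunk @@ -266 passes only `logAnalytics`, which is wired to `asrLogAnalyticsWorkspaceId` with a default of `""`, and unlike the neighbouring `Dine-Asr-Private-Dns-Zone` entry it exposes no initiative parameter for its effect; an initiative deployed with defaults therefore contains a diagnostics remediation that has no workspace to write to. If the built-in definition accepts an `effect` parameter, adding an `asrDiagnostics` initiative parameter (defaulting to `DeployIfNotExists`, allowing `Disabled`) and passing `"effect": { "value": "[[parameters('asrDiagnostics')]" }` would give operators the same control as the DNS entry, and a `metadata.description` on `asrLogAnalyticsWorkspaceId` should say the id is required for the effect to remediate. The rename of `asrPrivateDns` to `asrPrivateDnsZone` in hunk @@ -251 is a breaking change for any existing assignment that still passes the old name; the new Compliant-BackupPolicyAssignment.json uses the new name, but a note in the commit message or changelog would help downstream consumers.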
@@ -277,7 +293,7 @@
 ],
 "parameters": {
 "effect": {
- "value": "[[parameters('asrPrivateDns')]"
+ "value": "[[parameters('asrPrivateDnsZone')]"
 },
 "privateDnsZone-Backup": {
 "value": "[[parameters('asrPrivateDnsZone-Backup')]"
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
index 063183a7..2b022454 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json
@@ -4,7 +4,7 @@
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "type": "string",
- "defaultValue": "FSIDemo"
+ "defaultValue": ""
 }
 },
 "variables": {
@@ -12,7 +12,7 @@
 "roleDefinitions": [
 {
 "properties": {
- "roleName": "LZ Subscription Owner",
+ "roleName": "[concat(parameters('toplevelManagementGroupPrefix'), '-LZ Subscription Owner')]",
 "description": "LZ Subscription Owner",
 "type": "customRole",
 "permissions": [
@@ -51,7 +51,7 @@
 },
 {
 "properties": {
- "roleName": "Platform Contributors",
+ "roleName": "[concat(parameters('toplevelManagementGroupPrefix'), '-Platform Contributors')]",
 "description": "Custom Role that grants full access to manage all Platform resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries",
 "type": "customRole",
 "permissions": [
@@ -75,7 +75,7 @@
 },
 {
 "properties": {
- "roleName": "NetOps",
+ "roleName": "[concat(parameters('toplevelManagementGroupPrefix'), '-NetOps')]",
 "description": "Platform-wide global connectivity management",
 "type": "customRole",
 "permissions": [
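Review bot: The three new `roleName` expressions in Custom-RBACDefinitions.json (hunks @@ -12, @@ -51 and @@ -75) reference `parameters('toplevelManagementGroupPrefix')` while the parameter is declared as `topLevelManagementGroupPrefix`; ARM resolves parameter names case-insensitively as far as I know, but the mismatch reads as a typo and defeats text search, so the declared spelling should be used in all three lines. With the new `"defaultValue": ""` in hunk @@ -4, a deployment that omits the parameter creates role names such as `-LZ Subscription Owner`; `"minLength": 1` on the parameter would surface that at validation time instead of producing oddly named custom roles. The `description` fields still carry the unprefixed names, which is fine, but worth a one-line `metadata.description` on the parameter stating that the prefix is prepended to every custom role name.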
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
index d4a04199..3d48acf1 100644
--- a/foundations/azure/referenceImplementations/fsiPortalV2.json
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
@@ -105,7 +105,7 @@
 "visible": true
 }
 ],
- "visible": true
+ "visible": false
 },
 {
 "name": "esSingleSubSection",
@@ -459,7 +459,7 @@
 "type": "Microsoft.Common.TextBlock",
 "visible": true,
 "options": {
- "text": "FSI Landing Zones enables a 'compliant and secure by-default' landing zones for your Azure services. Select the Azure services you want to have enforced as 'secure by-default' via Azure policy to satisfy regulatory requirements",
+ "text": "FSI Landing Zones enables a 'compliant and secure by-default' landing zones for your Azure services. Select the Azure services you want to have enforced as 'secure by-default' via Azure policy to satisfy regulatory requirements. The services you select are the only one that can be deployed to the landing zones, in the Azure regions you have enabled during this deployment.",
 "link": {
 "label": "Learn more about 'secure by-default' for FSI Landing Zones",
 "uri": "https://github.com/microsoft/industry/blob/main/fsi/docs/securityGovernanceAndCompliance.md#compliant-and-secure-by-default-fsi-landing-zones"
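Review bot: The new text in hunk @@ -459 reads "The services you select are the only one that can be deployed", which should be `the only ones that can be deployed`; the InfoBox text in hunk @@ -2236 of the same file has "can not communicate", better as `cannot communicate`. Hunk @@ -105 flips a section's `visible` to `false` without a comment; the section it belongs to starts outside the hunk, so I cannot tell whether its controls still feed outputs, and a short note on why it is hidden would help the next reader.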
@@ -535,47 +535,47 @@ }, { "label": "Cosmos DB", - "description": "Enforce secure by-default Cosmos DB within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Cosmos DB, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", "value": "CosmosDb" }, { "label": "Open AI", - "description": "Enforce secure by-default Open AI (Cognitive Services) within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Open AI, enforce access via private endpoints, centralized authorization, and centralized logging.", "value": "OpenAi" }, { "label": "Event Grid", - "description": "Enforce secure by-default Event Grid within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Event Grid, enforce access via private endpoints, centralized authorization, and centralized logging.", "value": "EventGrid" }, { "label": "Event Hub", - "description": "Enforce secure by-default Event Hub within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Event Hub, enforce access via private endpoints, centralized authorization, and centralized logging.", "value": "EventHub" }, { "label": "Databricks", - "description": "Enforce secure by-default Databricks within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Databricks by requiring premium SKU that enforce access via private endpoints, centralized authorization, and centralized logging.", "value": "Databricks" }, { "label": "Stream Analytics", - "description": "Enforce secure by-default Stream Analytics within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Stream Analytics, enforce access via private endpoints, centralized authorization, and centralized logging.", "value": "StreamAnalytics" }, { "label": "Networking", - 
"description": "Enforce secure by-default Networks within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Networking, such as enforcement of strong protocols, encryption, advanced threat protection, communication paths, and logging.", "value": "Networking" }, { "label": "Storage Account", - "description": "Enforce secure by-default Storage Account within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Storage Accounts, such as enforcement of strong protocols, encryption, access via private endpoint, centralized authorization using Azure AD, and centralized logging.", "value": "StorageAccounts" }, { "label": "Virtual Machine", - "description": "Enforce secure by-default Virtual Machines within the landing zone", + "description": "Azure policies will ensure secure by-default compliance for Virtual Machines, such as enforcement of strong protocols, encryption, access via private and secure networks, centralized authorization using Azure AD, and centralized security logging.", "value": "VMs" } ], 
@@ -2236,7 +2236,7 @@
 "type": "Microsoft.Common.InfoBox",
 "visible": true,
 "options": {
- "text": "FSI Landing Zones enables curated landing zones for workloads categorized as corp connected (e.g., connected to corporate network and enforcing private endpoints), online (e.g., workloads requiring public endpoints). You can optionally provide subscriptions for these first landing zones and assign recommended policies that will ensure workloads will be secure, monitored, and protected according to best practices.",
+ "text": "FSI Landing Zones enables secure by-default landing zones for workloads categorized as corp connected (e.g., connected to corporate network and enforcing private endpoints), cloud-native (e.g., workloads that can not communicate with the connectivity hub).",
 "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance",
 "style": "Info"
 }
@@ -2372,7 +2372,7 @@
 {
 "name": "onlineLz",
 "type": "Microsoft.Common.Section",
- "label": "Online landing zones",
+ "label": "Cloud-native landing zones",
 "visible": true,
 "elements": [
 {
@@ -2380,7 +2380,7 @@
 "type": "Microsoft.Common.TextBlock",
 "visible": true,
 "options": {
- "text": "Select the subscriptions you want to move to online management group.",
+ "text": "Select the subscriptions you want to move to the cloud-native management group.",
 "link": {
 "label": "Learn more",
 "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
@@ -2398,7 +2398,7 @@
 {
 "name": "esOnlineLzSub",
 "type": "Microsoft.Common.DropDown",
- "label": "Online landing zone subscriptions (optional)",
+ "label": "Cloud-native landing zone subscriptions (optional)",
 "toolTip": "",
 "multiselect": true,
 "selectAll": true,
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 0abd534e..d7d804b3 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -521,7 +521,7 @@
 "playground": "[concat(parameters('industryPrefix'), '-', 'playground')]",
 "lzs": "[concat(parameters('industryPrefix'), '-', 'landingzones')]",
 "corp": "[concat(parameters('industryPrefix'), '-', 'corp')]",
- "online": "[concat(parameters('industryPrefix'), '-', 'online')]"
+ "online": "[concat(parameters('industryPrefix'), '-', 'cloud-native')]"
 },
 // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc.
 "scopes": {
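Review bot: The variable key stays `online` while its value now resolves to the `<prefix>-cloud-native` management group, so every `variables(...).online` reference in the file and the `onlineLz`/`esOnlineLzSub` element names in fsiPortalV2.json now point at a group with a different name; this matches the new `cloud-native` default in mgmtGroupsLite.json, but the naming split will confuse the next reader. Either rename the key in a follow-up or leave a comment on the line, e.g. `// key kept as "online" for compatibility with existing references; the management group itself is named '<prefix>-cloud-native'`.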
@@ -553,6 +553,9 @@
 "azPolicyArmTemplate": "[variables('azPolicyPoliciesMapping')[environment().resourceManager]]",
 "deploymentUris": {
 "managementGroups": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]",
+ "allowedRegionsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json')]",
+ "allowedRgRegionsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/DENY-RgRegionsPolicyAssignment.json')]",
+ "customRbacRoleDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/roleDefinitions/Custom-RBACDefinitions.json')]",
 "policyIdentity": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/policyIdentity.json')]",
 "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]",
 "policyDefinitions": "[uri(deployment().properties.templateLink.uri, variables('azPolicyArmTemplate'))]",
@@ -563,6 +566,7 @@
 "compliantAutomationPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json')]",
 "compliantAutomationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json')]",
 "compliantBackupPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json')]",
+ "compliantBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json')]",
 "compliantComputePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json')]",
 "compliantContainerAppsPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json')]",
 "compliantContainerInstancePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json')]",
@@ -643,6 +647,9 @@
 "deploymentSuffix": "[concat('-', deployment().location, guid(parameters('industryPrefix')))]",
 "deploymentNames": {
 "mgmtGroupDeploymentName": "[take(concat(parameters('industry'), '-Mgs', variables('deploymentSuffix')), 64)]",
+ "customRbacDeploymentName": "[take(concat(parameters('industry'), '-RoleDefinitions', variables('deploymentSuffix')), 64)]",
+ "allowedRegionsDeploymentName": "[take(concat(parameters('industry'), '-Azure-Regions', variables('deploymentSuffix')), 64)]",
+ "allowedRgRegionsDeploymentName": "[take(concat(parameters('industry'), '-Azure-RG-Regions', variables('deploymentSuffix')), 64)]",
 "compliantApimDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Apim', variables('deploymentSuffix')), 64)]",
 "compliantAppServiceDeploymentName": "[take(concat(parameters('industry'), 'Compliant-AppService', variables('deploymentSuffix')), 64)]",
 "compliantAutomationDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Automation', variables('deploymentSuffix')), 64)]",
@@ -736,10 +743,11 @@
 "denyVnetPeeringDeploymentName": "[take(concat(parameters('industry'), '-VNetPeering', variables('deploymentSuffix')), 64)]",
 "budgetDeploymentName": "[take(concat(parameters('industry'), '-Budget', variables('deploymentSuffix')), 64)]",
 // Compliant Azure Service Policy Assignment deployment names
- "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Automation-Account', variables('deploymentSuffix')), 64)]",
- "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
- "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
- "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), 'Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
+ "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Auto', variables('deploymentSuffix')), 64)]",
+ "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]",
+ "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
+ "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
+ "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
 // Telco specific policies assignment deployments
 "erHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaEr', variables('deploymentSuffix')), 64)]",
 "pipHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaPip', variables('deploymentSuffix')), 64)]",
@@ -887,6 +895,9 @@
 "baseId": "[concat(variables('platformResourceIds').privateDnsRgResourceId, '/providers/Microsoft.Network/privateDnsZones/')]",
 "privateDnsPolicyParameterMapping": {
 "azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]",
+ "azureBackupPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.backup.windowsazure.com')]",
+ "azureBackupBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
+ "azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
 "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]",
 "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.com')]",
 "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.batch.azure.com')]",
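Review bot: `azureBackupQueuePrivateDnsZoneId` is built from `'privatelink.blob.core.windows.net'`, the same zone as the blob entry directly above it, so the queue endpoint that the Backup policy wires up would be registered in the blob zone rather than the queue zone. The line should read `"azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]",`. The value is consumed by the `asrPrivateDnsZone-Queue` parameter of the Backup assignment in the -2781 hunk of this same patch, which therefore inherits the mismatch; whether the queue zone is actually created by the dnsZones deployment is not visible on this page.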
@@ -964,6 +975,30 @@
 }
 }
 },
+ {
+ // Deploying custom Role Definitions. Note: all roleDefinitions will eventually be moved to built-in policies and codebase will be reduced
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').customRbacDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').customRbacRoleDefinition]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
 {
 // Deploying Compliant APIM PolicySetDefinition
 "type": "Microsoft.Resources/deployments",
@@ -1504,7 +1539,7 @@
 ],
 "copy": {
 "batchSize": 1,
- "count": 10,
+ "count": 21,
 "mode": "Serial",
 "name": "policyCompletion"
 },
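Review bot: The new custom-role deployment pins `"apiVersion": "2019-10-01"` while the nested deployments added by this same patch in the -2599 and -2781 hunks use `"2021-04-01"`; one API version for `Microsoft.Resources/deployments` across the template, or a comment on why this one differs, would avoid the drift. The inline comment says the role definitions "will eventually be moved to built-in policies", which conflates RBAC role definitions with policy definitions; it should state plainly what replaces this deployment and what can be deleted when that happens. `variables('deploymentUris').customRbacRoleDefinition` and `variables('esLiteDeploymentNames')` are referenced here but not defined in any hunk on this page, so presumably they exist elsewhere in the file; worth confirming.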
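Review bot: `"count": 21` in the `policyCompletion` serial copy is a hand-maintained number that must match the list of policy deployments the copy waits on, and that list starts outside this hunk; going from 10 to 21 in one step with nothing tying the two together invites the next addition to forget it. A comment on the line before `"copy"` such as `// count must equal the number of policy set deployments this copy serialises; update both when adding one` would make the coupling explicit, or the count could be derived with `"[length(variables('<policyDeploymentNames>'))]"` (placeholder name) from a variable that holds those names.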
@@ -2599,6 +2634,59 @@ /* The following deployments will deploy and configure the Azure policy governance for the landing zones */ + { // Creating Policy Assignment for allowed Azure Regions on the Landing Zone management group + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').allowedRegionsDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').allowedRegionsPolicyAssignment]" + }, + "parameters": { + "listOfAllowedLocations": { + "value": [ + "Global", + "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + ] + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment for allowed Azure Regions for Rgs on the Landing Zone management group + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').allowedRgRegionsDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + 
"contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').allowedRgRegionsPolicyAssignment]" + }, + "parameters": { + "listOfAllowedLocations": { + "value": [ + "[if(empty(parameters('location')), deployment().location, parameters('location'))]" + ] + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, { // Creating Policy Assignment for NSG Flow Logs Policy on Landing zone scope "condition": "[and(equals(parameters('enableNetworkWatcher'), 'Yes'), equals(parameters('enableNsgFlowLogs'), 'Yes'))]", "type": "Microsoft.Resources/deployments", 
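Review bot: Both allowed-regions assignments end with the comment `// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant`, which was copied from the DeployIfNotExists assignments; an allowed-locations assignment has no DINE effect to toggle, so the comment is misleading here, and "of" should read "if" where the comment is legitimately kept (it appears again in the Backup assignment in the -2781 hunk, where the toggle has in fact been implemented via `asrPrivateDnsZone`, so it is stale there too). It would also help to document that `listOfAllowedLocations` is derived solely from `parameters('location')`: every landing-zone subscription is pinned to the single deployment region (plus `Global` for the first assignment), and there is no parameter for adding regions, which a multi-region workload will hit as a Deny.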
@@ -2781,6 +2869,51 @@ } } }, + { // Creating Policy Assignment Compliant Backup to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Backup')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantBackupAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantBackupDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantBackupPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "asrPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "asrPrivateDnsZone-Backup": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupPrivateDnsZoneId, '')]" + }, + "asrPrivateDnsZone-Blob": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupBlobPrivateDnsZoneId, '')]" + }, + "asrPrivateDnsZone-Queue": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupQueuePrivateDnsZoneId, '')]" + }, + "asrLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 
variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, { // Creating Policy Assignment Compliant Key Vault to Landing Zone scope "condition": "[contains(parameters('compliantAzureServices'), 'KeyVault')]", "type": "Microsoft.Resources/deployments", From 08a9e9820e9de7fea3474ea84a52e7a462372eb6 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 20 Feb 2023 11:09:32 +0100 Subject: [PATCH 16/56] dns update --- .../mgmtGroupStructure/mgmtGroups.json | 2 +- .../hubspoke-connectivity.json | 109 ++++++++++++++++-- .../referenceImplementations/fsiPortalV2.json | 93 ++++++++++++++- .../industryArmV2.json | 22 ++++ 4 files changed, 212 insertions(+), 14 deletions(-) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json index bbfee4fd..a0309be5 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json @@ -22,7 +22,7 @@ "landingZoneMgs": { "type": "array", "defaultValue": [ - "online", + "cloud-native", "corp" ], "metadata": { diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json index de97c5a3..255dc43c 100644 --- a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json 
+++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json @@ -158,6 +158,14 @@ "ddosPlanResourceId": { "type": "string", "defaultValue": "" + }, + "subnetMaskForDnsResolverInbound": { + "type": "string", + "defaultValue": "" + }, + "subnetMaskForDnsResolverOutbound": { + "type": "string", + "defaultValue": "" } }, "variables": { @@ -166,6 +174,9 @@ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]", "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]", "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", + "dnsResolverName": "[concat(parameters('topLevelManagementGroupPrefix'), '-dnsresolver-', parameters('location'))]", + "dnsResolverInboundEndpointName": "[concat(variables('dnsResolverName'),'/', 'DefaultInboundEndpoint')]", + "dnsResolverOutboundEndpointName": "[concat(variables('dnsResolverName'), '/', 'DefaultOutboundEndpoint')]", "avnmName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnm-', parameters('location'))]", "avnmRgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-netmanager-', parameters('location'))]", "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]", 
@@ -178,8 +189,11 @@ "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", "azFwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/AzureFirewallSubnet')]", "azFwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azFwIpName'))]", + "hubId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/virtualNetworks/', variables('hubName'))]", "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", "avnmDeploymentName": "[take(concat(deployment().name, '-avnetmanager', parameters('location')), 64)]", + "dnsResolverInboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/', first(variables('dnsResolverInboundSubnet')).name)]", + "dnsResolverOutboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/', first(variables('dnsResolverOutboundSubnet')).name)]", // Creating variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency "gwSubnet": [ { 
@@ -197,6 +211,22 @@ } } ], + "dnsResolverInboundSubnet": [ + { + "name": "DnsResolverInboundSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForDnsResolverInbound')]" + } + } + ], + "dnsResolverOutboundSubnet": [ + { + "name": "DnsResolverOutboundSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForDnsResolverOutbound')]" + } + } + ], "ddosProtectionPlanId": { "id": "[parameters('ddosPlanResourceId')]" }, @@ -214,7 +244,7 @@ "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "location": "[parameters('location')]", - "name": "[concat('fsi', '-connectivityHubSub', deployment().location)]", + "name": "[concat('afo', '-connectivityHubSub', deployment().location)]", "subscriptionId": "[parameters('connectivitySubscriptionId')]", "properties": { "mode": "Incremental", @@ -250,15 +280,14 @@ { "type": "Microsoft.Network/networkManagers", "name": "[variables('avnmName')]", - "apiVersion": "2022-07-01", + "apiVersion": "2021-02-01-preview", "location": "[parameters('location')]", "properties": { "displayName": "[concat(parameters('topLevelManagementGroupPrefix'), ' Network Manager')]", "description": "[concat('Virtual Network Manager to manage and deploy virtual networks for ', parameters('topLevelManagementGroupPrefix'))]", "networkManagerScopes": { "managementGroups": [ - "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-landingzones')]", - "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-connectivity')]" + "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-landingzones')]" ], "subscriptions": [], "networkManagerScopeAccesses": [ 
@@ -306,13 +335,21 @@ ] }, "subnets": "[ - union( - if( - not( - empty(parameters('subnetMaskForGw'))), variables('gwSubnet'), json('[]')), - if( - not( - empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]')))]", + union( + if( + not(empty(parameters('subnetMaskForGw'))), variables('gwSubnet'), json('[]') + ), + if( + not(empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]') + ), + if( + not(empty(parameters('subnetMaskForDnsResolverInbound'))), variables('dnsResolverInboundSubnet'), json('[]') + ), + if( + not(empty(parameters('subnetMaskForDnsResolverOutbound'))), variables('dnsResolverOutboundSubnet'), json('[]') + ) + ) + ]", "enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]", "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" } 
@@ -497,6 +534,56 @@ ], "firewallPolicy": "[variables('azFirewallPolicyId')]" } + }, + { + "condition": "[not(equals(parameters('enableAzFwDnsProxy'), 'Yes'))]", + "apiVersion": "2022-07-01", + "type": "Microsoft.Network/dnsResolvers", + "name": "[variables('dnsResolverName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "virtualNetwork": { + "id": "[variables('hubId')]" + } + } + }, + { + "condition": "[not(equals(parameters('enableAzFwDnsProxy'), 'Yes'))]", + "apiVersion": "2022-07-01", + "type": "Microsoft.Network/dnsResolvers/inboundEndpoints", + "name": "[variables('dnsResolverInboundEndpointName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "privateIpAllocationMethod": "Static", + "subnet": { + "id": "[variables('dnsResolverInboundSubnetId')]" + } + } + ] + } + }, + { + "condition": "[not(equals(parameters('enableAzFwDnsProxy'), 'Yes'))]", + "apiVersion": "2022-07-01", + "type": "Microsoft.Network/dnsResolvers/outboundEndpoints", + "name": "[variables('dnsResolverOutboundEndpointName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]" + ], + "properties": { + "subnet": { + "id": "[variables('dnsResolverOutboundSubnetId')]" + } + } } ] } diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index 3d48acf1..5dd21c57 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json 
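Review bot: All three resolver resources are conditioned on `"[not(equals(parameters('enableAzFwDnsProxy'), 'Yes'))]"`, so any hub whose firewall DNS proxy is left at 'No' gets an Azure DNS Private Resolver, regardless of the `esPrivateDnsResolver` choice that this same patch adds to fsiPortalV2.json. PATCH 17 later adds a subnet-mask check to these conditions but still keys on the firewall-proxy parameter rather than on a resolver toggle; the portal answer never reaches this template. Passing an `enablePrivateDnsResolver` parameter down to hubspoke-connectivity.json and conditioning on it, e.g. `"condition": "[equals(parameters('enablePrivateDnsResolver'), 'Yes')]"`, would make the two consistent.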
@@ -1138,6 +1138,92 @@ ] } }, + { + "name": "esPrivateDnsResolver", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Private DNS resolver", + "defaultValue": "Yes (Recommended)", + "visible": "[equals(steps('esConnectivityGoalState').esHub, 'vhub')]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (Recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "subnetMaskPrivateDnsResolverInbound", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for DNS Resolver (inbound)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.3.0/24)", + "defaultValue": "10.100.2.0/24", + "visible": "[equals(steps('esConnectivityGoalState').esPrivateDnsResolver, 'Yes')]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-8]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,28]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." 
+ }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." + } + ] + } + }, + { + "name": "subnetMaskPrivateDnsResolverOutbound", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for DNS Resolver (outbound)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.3.0/24)", + "defaultValue": "10.100.3.0/24", + "visible": "[equals(steps('esConnectivityGoalState').esPrivateDnsResolver, 'Yes')]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-8]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,28]." 
+ }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressHubHS, '/')), last(split(steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." + } + ] + } + }, { "name": "esVpnGw", "type": "Microsoft.Common.OptionsGroup", 
@@ -1659,7 +1745,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Azure Firewall as a DNS proxy", "defaultValue": "No", - "visible": "[equals(steps('esConnectivityGoalState').esAzFw, 'Yes')]", + "visible": "[and(equals(steps('esConnectivityGoalState').esPrivateDnsResolver, 'No'), equals(steps('esConnectivityGoalState').esHub, 'vhub'))]", "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.", "constraints": { "allowedValues": [ @@ -1673,7 +1759,7 @@ } ] } - }, + }, { "name": "esAzFwSku", "type": "Microsoft.Common.DropDown", @@ -2489,6 +2575,9 @@ "enableNsgFlowLogs": "[steps('esConnectivityGoalState').nwSecurity.esNsgFlowLogs]", "enableAvnm": "[steps('esConnectivityGoalState').anmSection.anmOption]", "compliantAzureServices": "[steps('esGovState').secureSvc]", + "enablePrivateDnsResolver": "[steps('esConnectivityGoalState').esPrivateDnsResolver]", + "subnetMaskForDnsResolverInbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound]", + "subnetMaskForDnsResolverOutbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound]", "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').corpLz.lzConnectedSubs,'')]" }, "kind": "Tenant", diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index d7d804b3..5c5d1e8c 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json 
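Review bot: The new `visible` expression for "Enable Azure Firewall as a DNS proxy" drops the previous `equals(steps('esConnectivityGoalState').esAzFw, 'Yes')` test, so the control now appears whenever the private resolver is 'No' and the hub is `vhub`, including deployments where Azure Firewall itself is not enabled. Keep the firewall test in the conjunction, e.g. `"visible": "[and(equals(steps('esConnectivityGoalState').esAzFw, 'Yes'), and(equals(steps('esConnectivityGoalState').esPrivateDnsResolver, 'No'), equals(steps('esConnectivityGoalState').esHub, 'vhub')))]"`. Whether the `esHub` check was meant to replace rather than extend the firewall check is not determinable from this hunk.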
@@ -405,6 +405,22 @@ "type": "string", "defaultValue": "" }, + "enablePrivateDnsResolver": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "subnetMaskForDnsResolverInbound": { + "type": "string", + "defaultValue": "" + }, + "subnetMaskForDnsResolverOutbound": { + "type": "string", + "defaultValue": "" + }, "gwRegionalOrAz": { "type": "string", "defaultValue": "" @@ -2279,6 +2295,12 @@ "subnetMaskForGw": { "value": "[parameters('subnetMaskForGw')]" }, + "subnetMaskForDnsResolverInbound": { + "value": "[parameters('subnetMaskForDnsResolverInbound')]" + }, + "subnetMaskForDnsResolverOutbound": { + "value": "[parameters('subnetMaskForDnsResolverOutbound')]" + }, "firewallSku": { "value": "[parameters('firewallSku')]" }, From f2ad5aae106e537adb4d618b8d933bc61e76fe50 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 21 Feb 2023 06:23:43 -0500 Subject: [PATCH 17/56] Update hubspoke-connectivity.json --- .../hubspoke-connectivity.json | 86 ++++++++++++++++--- 1 file changed, 76 insertions(+), 10 deletions(-) diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json index 255dc43c..7eaf4d4b 100644 --- a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json +++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json @@ -166,6 +166,10 @@ "subnetMaskForDnsResolverOutbound": { "type": "string", "defaultValue": "" + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "variables": { 
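Review bot: `enablePrivateDnsResolver` is declared as a parameter in the -405 hunk, but the hub deployment parameters in the -2279 hunk forward only the two subnet masks, and no hunk on this page reads `parameters('enablePrivateDnsResolver')`, so the portal toggle does not affect what hubspoke-connectivity.json deploys (there the resolver is gated on `enableAzFwDnsProxy`). Forward it next to the masks, `"enablePrivateDnsResolver": { "value": "[parameters('enablePrivateDnsResolver')]" },`, and add the matching parameter to the child template. The three new parameters here, the two subnet masks in the PATCH 16 -158 hunk and `logAnalyticsWorkspaceId` in the PATCH 17 -166 hunk all lack a `metadata.description`; the resolver-subnet ones in particular should say the prefix must lie inside the hub address space, as the portal validations already enforce.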
@@ -192,8 +196,8 @@ "hubId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/virtualNetworks/', variables('hubName'))]", "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", "avnmDeploymentName": "[take(concat(deployment().name, '-avnetmanager', parameters('location')), 64)]", - "dnsResolverInboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/', first(variables('dnsResolverInboundSubnet')).name)]", - "dnsResolverOutboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/', first(variables('dnsResolverOutboundSubnet')).name)]", + "dnsResolverInboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/DnsResolverInboundSubnet')]", + "dnsResolverOutboundSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/DnsResolverOutboundSubnet')]", // Creating variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency "gwSubnet": [ { @@ -326,7 +330,7 @@ { "name": "[variables('hubName')]", "type": "Microsoft.Network/virtualNetworks", - "apiVersion": "2020-04-01", + "apiVersion": "2022-01-01", "location": "[parameters('location')]", "properties": { "addressSpace": { 
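Review bot: `dnsResolverInboundSubnetId` and `dnsResolverOutboundSubnetId` now hard-code `DnsResolverInboundSubnet` and `DnsResolverOutboundSubnet`, while the `dnsResolverInboundSubnet`/`dnsResolverOutboundSubnet` variables added in PATCH 16 (outside this hunk) still carry the same names, so the subnet name lives in two places that can drift. If the earlier `first(variables('dnsResolverInboundSubnet')).name` form was dropped for a reason, a one-line comment stating it would stop the next reader from re-tying them; otherwise a single `dnsResolverInboundSubnetName` variable used by both would keep them in step.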
@@ -492,6 +496,36 @@ "publicIPAllocationMethod": "Static" } }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwIpName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, { "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", "type": "Microsoft.Network/firewallPolicies", 
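Review bot: The diagnostic-settings resource added here is repeated almost verbatim for the firewall (hunk -536), the hub VNet (PATCH 19, -358) and the two gateway public IPs (PATCH 19, -371 and -434), differing only in `type`, `name`, `condition` and `dependsOn`; a single variable holding the shared `properties` block (`metrics`, `logs`) would keep the five in step when a category changes. The `retentionPolicy` with `"days": 0, "enabled": false` and `"timeGrain": null` is inert boilerplate; if the chosen `apiVersion` requires it, a one-line comment should say so. The name segment `Microsoft.Insights/setByPolicy` suggests a policy created the setting although the template does; presumably the name is chosen so the landing-zone diagnostic DINE policies treat the resource as already compliant, and that intent deserves a comment.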
@@ -536,7 +570,37 @@ } }, { - "condition": "[not(equals(parameters('enableAzFwDnsProxy'), 'Yes'))]", + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/azureFirewalls/', variables('azFwName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[and(not(empty(parameters('subnetMaskForDnsResolverInbound'))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]", "apiVersion": "2022-07-01", "type": "Microsoft.Network/dnsResolvers", "name": "[variables('dnsResolverName')]", @@ -551,18 +615,19 @@ } }, { - "condition": "[not(equals(parameters('enableAzFwDnsProxy'), 'Yes'))]", + "condition": "[and(not(empty(parameters('subnetMaskForDnsResolverInbound'))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]", "apiVersion": "2022-07-01", "type": "Microsoft.Network/dnsResolvers/inboundEndpoints", "name": "[variables('dnsResolverInboundEndpointName')]", "location": "[parameters('location')]", "dependsOn": [ - "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]" + "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" ], "properties": { "ipConfigurations": [ { - "privateIpAllocationMethod": "Static", + "privateIpAllocationMethod": "Dynamic", "subnet": { "id": "[variables('dnsResolverInboundSubnetId')]" } 
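Review bot: The `dnsResolvers` resource is now conditioned only on `subnetMaskForDnsResolverInbound`, while the outbound endpoint in the next hunk (-571) is conditioned on `subnetMaskForDnsResolverOutbound`; supplying only the outbound mask yields an outbound endpoint whose parent resolver is skipped, which would presumably fail at deployment time. Gate the parent on either mask, `"condition": "[and(or(not(empty(parameters('subnetMaskForDnsResolverInbound'))), not(empty(parameters('subnetMaskForDnsResolverOutbound')))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]"`, or state in the parameter metadata that both masks are required together.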
@@ -571,13 +636,14 @@ } }, { - "condition": "[not(equals(parameters('enableAzFwDnsProxy'), 'Yes'))]", + "condition": "[and(not(empty(parameters('subnetMaskForDnsResolverOutbound'))), not(equals(parameters('enableAzFwDnsProxy'), 'Yes')))]", "apiVersion": "2022-07-01", "type": "Microsoft.Network/dnsResolvers/outboundEndpoints", "name": "[variables('dnsResolverOutboundEndpointName')]", "location": "[parameters('location')]", "dependsOn": [ - "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]" + "[concat('Microsoft.Network/dnsResolvers/', variables('dnsResolverName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" ], "properties": { "subnet": { @@ -595,4 +661,4 @@ } ], "outputs": {} -} \ No newline at end of file +} From 3e21181743cff4751dd4657cd794890fad7c8831 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 21 Feb 2023 09:14:45 -0500 Subject: [PATCH 18/56] Update industryArmV2.json --- .../azure/referenceImplementations/industryArmV2.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index 5c5d1e8c..472d6272 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json @@ -2301,6 +2301,9 @@ "subnetMaskForDnsResolverOutbound": { "value": "[parameters('subnetMaskForDnsResolverOutbound')]" }, + "logAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, "firewallSku": { "value": "[parameters('firewallSku')]" }, @@ -4276,4 +4279,4 @@ "value": "[concat(deployment().name, ' has successfully deployed.')]" } } -} \ No newline at end of file +} From c09a723b64f3700ca0b3494d03f895d9a1b4d3a8 Mon Sep 17 00:00:00 2001 
From: Kristian Nese Date: Thu, 23 Feb 2023 15:14:13 -0500 Subject: [PATCH 19/56] Update hubspoke-connectivity.json --- .../hubspoke-connectivity.json | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json index 7eaf4d4b..11c37c11 100644 --- a/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json +++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/hubspoke-connectivity.json @@ -358,6 +358,36 @@ "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" } }, + { + "condition": "[not(empty(parameters('logAnalyticsWorkspaceId')))]", + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('hubName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, { "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", 
@@ -371,6 +401,36 @@
 "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
 }
 },
+ {
+ "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]",
+ "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(variables('azVpnGwIpName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIpAddresses/', variables('azVpnGwIpName'))]"
+ ],
+ "properties": {
+ "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": true
+ }
+ ]
+ }
+ },
 {
 "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
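Review bot: The condition on the new diagnostic-settings resource is weaker than the one on the public IP it targets: the IP resource at the end of the hunk is gated on `enableVpnGw` and a non-empty `subnetMaskForGw`, while the settings are gated on `enableVpnGw` alone, so a deployment with `enableVpnGw` set to Yes and no gateway subnet mask would likely try to attach settings to a public IP that was never created and fail. Mirror the target's gate: `"condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))), not(empty(parameters('logAnalyticsWorkspaceId'))))]"`. The same mismatch applies to the ExpressRoute public IP settings in the next hunk, whose `enableErGw` gate should likewise add `not(empty(parameters('subnetMaskForGw')))`.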
@@ -434,6 +494,36 @@
 "publicIPAllocationMethod": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]"
 }
 },
+ {
+ "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]",
+ "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(variables('azErGwIpName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/publicIpAddresses/', variables('azErGwIpName'))]"
+ ],
+ "properties": {
+ "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": true
+ }
+ ]
+ }
+ },
 {
 "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]",
 "apiVersion": "2020-05-01",
From c620c5886269d35cb83fb4fac202159e23e8b151 Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Fri, 24 Feb 2023 08:35:05 -0500
Subject: [PATCH 20/56] Update fsiPortalV2.json
---
 .../referenceImplementations/fsiPortalV2.json | 86 ++++++++++++++++++-
 1 file changed, 83 insertions(+), 3 deletions(-)
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
index 5dd21c57..87225586 100644
--- a/foundations/azure/referenceImplementations/fsiPortalV2.json
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
@@ -234,6 +234,85 @@
 },
 "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
 },
+ {
+ "name": "esEventHub",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Log Analytics Data Export to Event Hub for SIEM integration",
+ "defaultValue": "Yes",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esEventHubDataExports",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Enable Log Analytics Data Export to Event Hub for SIEM integration",
+ "defaultValue": "",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Security Alert",
+ "value": "SecurityAlert"
+ },
+ {
+ "label": "Security Baseline",
+ "value": "SecurityBaseline"
+ },
+ {
+ "label": "Security Baseline Summary",
+ "value": "SecurityBaselineSummary"
+ },
+ {
+ "label": "Security Detection",
+ "value": "SecurityDetection"
+ },
+ {
+ "label": "Security Event",
+ "value": "SecurityEvent"
+ },
+ {
+ "label": "Security Incident",
+ "value": "SecurityIncident"
+ },
+ {
+ "label": "Security IoT Raw Event",
+ "value": "SecurityIoTRawEvent"
+ },
+ {
+ "label": "Security Nested Recommendation",
+ "value": "SecurityNestedRecommendation"
+ },
+ {
+ "label": "Security Recommendation",
+ "value": "SecurityRecommendation"
+ },
+ {
+ "label": "Sentinel Audit",
+ "value": "SentinelAudit"
+ },
+ {
+ "label": "Sentinel Health",
+ "value": "SentinelHealth"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').azMonSection.esEventHub,'Yes')]"
+ },
 {
 "name": "monitoring",
 "type": "Microsoft.Common.TextBlock",
@@ -409,7 +488,7 @@
 "uri": "https://learn.microsoft.com/security/benchmark/azure/overview",
 "style": "Info"
 }
- },
+ },
 {
 "name": "asbSection",
 "type": "Microsoft.Common.Section",
@@ -1759,7 +1838,7 @@
 }
 ]
 }
- },
+ },
 {
 "name": "esAzFwSku",
 "type": "Microsoft.Common.DropDown",
@@ -2550,6 +2629,7 @@
 "enableActivityLog": "[steps('esGoalState').azMonSection.esActivityLog]",
 "enableVmInsights": "[steps('esGoalState').azMonSection.esVmInsights]",
 "enableServiceMap": "[steps('esGoalState').azMonSection.esServiceMap]",
+ "dataExports": "[steps('esGoalState').azMonSection.esEventHubDataExports]",
 "denyVnetPeering": "[steps('esPlayground').vnetPeeringPolicy]",
 "enableBudget": "[steps('esPlayground').budgetPolicy]",
 "budgetAmount": "[string(steps('esPlayground').budgetAmount)]",
@@ -2584,4 +2664,4 @@
 "location": "[steps('basics').resourceScope.location.name]"
 }
 }
-}
\ No newline at end of file
+}
From 048f7638326ee706688204683a87b6c752c09b23 Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Fri, 24 Feb 2023 08:37:42 -0500
Subject: [PATCH 21/56] Update industryArmV2.json
---
 .../referenceImplementations/industryArmV2.json | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 472d6272..71b82c0f 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
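Review bot: The `esEventHubDataExports` dropdown reuses the `esEventHub` label and toolTip verbatim, so the wizard shows two consecutive controls titled "Enable Log Analytics Data Export to Event Hub for SIEM integration" and the table picker's tooltip talks about creating a workspace rather than choosing tables; something like `"label": "Log Analytics tables to export to Event Hub"` and `"toolTip": "Select the Log Analytics tables whose data should be streamed to the Event Hub namespace for SIEM ingestion."` would describe it, and the `esEventHub` toolTip needs the same kind of rewrite. Separately, the `dataExports` output in the `@@ -2550` hunk reads the dropdown unconditionally although the control is hidden whenever `esEventHub` is not Yes and carries `"defaultValue": ""`; since the template parameter it feeds is an array, a hidden control may hand the deployment a string, so guard the output, e.g. `"dataExports": "[if(equals(steps('esGoalState').azMonSection.esEventHub,'Yes'), steps('esGoalState').azMonSection.esEventHubDataExports, parse('[]'))]"`, or give the dropdown an array default. The enclosing step definitions start and end outside the hunk.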
@@ -524,6 +524,13 @@
 "metadata": {
 "description": "Select the Azure service(s) that should be secure by-default"
 }
+ },
+ "dataExports": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Select the Log Analytics tables that should be exported to event hub."
+ }
 }
 },
 "variables": {
@@ -805,6 +812,7 @@
 // Declaring deterministic names for platform resources that will be created
 "platformResourceNames": {
 "logAnalyticsWorkspace": "[concat(parameters('industryPrefix'), '-law')]",
+ "eventHubNamespace": "[concat(parameters('industryPrefix'), '-ehn-', parameters('location'))]",
 "userAssignedIdentityName": "[concat(parameters('industryPrefix'), '-policy-identity')]",
 "logNwStorageAccount": "[toLower(take(concat(parameters('industryPrefix'), parameters('location'), uniqueString(deployment().name)), 23))]",
 "automationAccount": "[concat(parameters('industryPrefix'), '-aauto')]",
@@ -1699,6 +1707,12 @@
 },
 "enableChangeTracking": {
 "value": "[parameters('enableChangeTracking')]"
+ },
+ "eventHubNamespaceName": {
+ "value": "[variables('platformResourceNames').eventHubNamespace]"
+ },
+ "dataExports": {
+ "value": "[parameters('dataExports')]"
 }
 }
 }
@@ -2080,9 +2094,6 @@
 "uri": "[variables('deploymentUris').defenderEndpointPolicyAssignment]"
 },
 "parameters": {
- "topLevelManagementGroupPrefix": {
- "value": "[parameters('industryPrefix')]"
- },
 "enforcementMode": {
 "value": "[if(equals(parameters('enableDefenderEndpoint'), 'Yes'), 'Default', 'DoNotEnforce')]"
 },
From ba79a04c7879f7fff630a901ab00a7f1b63ba5c8 Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Fri, 24 Feb 2023 13:40:32 +0000
Subject: [PATCH 22/56] adding EH for data export
---
 .../logAnalyticsWorkspace.json | 555 ++++++++++++++----
 1 file changed, 431 insertions(+), 124 deletions(-)
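Review bot: `eventHubNamespace` in the `@@ -805` hunk builds a globally unique DNS name (the namespace becomes a `servicebus.windows.net` host) from only `industryPrefix` and `location`, whereas `logNwStorageAccount` two lines below appends `uniqueString(...)` for exactly this reason; two tenants that pick the same prefix and region will collide, and the second deployment fails at the namespace rather than at validation. A tenant-stable suffix keeps the name deterministic across re-runs, e.g. `"eventHubNamespace": "[toLower(concat(parameters('industryPrefix'), '-ehn-', parameters('location'), '-', take(uniqueString(tenant().tenantId), 6)))]"`, kept within the 6–50 character limit for namespace names. The `@@ -2080` hunk also drops `topLevelManagementGroupPrefix` from the Defender for Endpoint assignment parameters; that is only safe if the linked template no longer declares it or gives it a default, which is not visible here, and it is unrelated to the data-export change this commit otherwise makes.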
diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json
index e0a95d90..d282f7f5 100644
--- a/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json
+++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/logAnalyticsWorkspace.json
@@ -1,151 +1,458 @@ { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { "rgName": { - "type": "String" + "type": "String" }, "workspaceName": { - "type": "String" + "type": "String", + "defaultValue": "" }, "workspaceRegion": { - "type": "String" + "type": "String", + "defaultValue": "[deployment().location]" }, "automationAccountName": { - "type": "String" + "type": "String", + "defaultValue": "" }, "automationRegion": { - "type": "String" + "type": "String", + "defaultValue": "[deployment().location]" }, "retentionInDays": { - "type": "String" + "type": "String", + "defaultValue": "30" }, "enableChangeTracking": { - "type": "string", - "allowedValues": [ - "No", - "Yes" - ], - "defaultValue": "No" + "type": "string", + "allowedValues": [ + "No", + "Yes" + ], + "defaultValue": "No" }, "enableUpdateMgmt": { - "type": "string", - "allowedValues": [ - "No", - "Yes" - ], - "defaultValue": "No" + "type": "string", + "allowedValues": [ + "No", + "Yes" + ], + "defaultValue": "No" + }, + "eventHubNamespaceName": { + "type": "string", + "defaultValue": "" + }, + "dataExports": { + "type": "array", + "defaultValue": [] } - }, - "variables": { - "fullDeploymentName": "fsi-loganalytics-waa", - "laDeploymentName": "fsi-loganalytics" - }, - "resources": [ + }, + "variables": { + "fullDeploymentName": "fsi-loganalytics-waa", + "laDeploymentName": "fsi-loganalytics" + }, + "resources": [ { - "type": "Microsoft.Resources/resourceGroups", - "apiVersion": "2018-05-01", - "name": "[parameters('rgName')]", - "location": "[deployment().location]", - "properties": {} + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + 
"properties": {} }, { - "condition": "[or(equals(parameters('enableChangeTracking'), 'Yes'), equals(parameters('enableUpdateMgmt'), 'Yes'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", - "name": "[variables('fullDeploymentName')]", - "resourceGroup": "[parameters('rgName')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "apiVersion": "2015-10-31", - "location": "[parameters('AutomationRegion')]", - "name": "[parameters('AutomationAccountName')]", - "type": "Microsoft.Automation/automationAccounts", - "properties": { - "sku": { - "name": "Basic" - } - } - }, - { - "apiVersion": "2020-08-01", - "location": "[parameters('workspaceRegion')]", - "name": "[parameters('workspaceName')]", - "type": "Microsoft.OperationalInsights/workspaces", - "properties": { - "sku": { - "name": "PerGB2018" - }, - "enableLogAccessUsingOnlyResourcePermissions": true, - "retentionInDays": "[int(parameters('retentionInDays'))]" - }, - "resources": [ - { - "name": "Automation", - "type": "linkedServices", - "apiVersion": "2020-08-01", - "dependsOn": [ - "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]", - "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" - ], - "properties": { - "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]" - } - } - ] + "condition": "[or(equals(parameters('enableChangeTracking'), 'Yes'), 
equals(parameters('enableUpdateMgmt'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "[variables('fullDeploymentName')]", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "apiVersion": "2015-10-31", + "location": "[parameters('AutomationRegion')]", + "name": "[parameters('AutomationAccountName')]", + "type": "Microsoft.Automation/automationAccounts", + "properties": { + "sku": { + "name": "Basic" + } + } + }, + { + "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('automationAccountName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('automationRegion')]", + "dependsOn": [ + "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]", + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "apiVersion": "2020-08-01", + "location": "[parameters('workspaceRegion')]", + "name": "[parameters('workspaceName')]", + "type": "Microsoft.OperationalInsights/workspaces", + "properties": { + "sku": { + "name": "PerGB2018" + }, + "enableLogAccessUsingOnlyResourcePermissions": 
true, + "retentionInDays": "[int(parameters('retentionInDays'))]" + }, + "resources": [ + { + "name": "Automation", + "type": "linkedServices", + "apiVersion": "2020-08-01", + "dependsOn": [ + "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]", + "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]" + } + } + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('workspaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('workspaceRegion')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('eventHubNamespaceName')]", + "location": "[deployment().location]", + "sku": { + "name": "Standard", + "tier": "Standard", + "capacity": 5 + }, + "properties": { + "minimumTlsVersion": "1.2", + "publicNetworkAccess": "Enabled", + "disableLocalAuth": true, + "zoneRedundant": true, + 
"isAutoInflateEnabled": true, + "maximumThroughputUnits": 5, + "kafkaEnabled": true + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[deployment().location]", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/authorizationrules", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/RootManageSharedAccessKey')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/networkRuleSets", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/default')]", + "location": "West Europe", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Allow", + "virtualNetworkRules": [], + "ipRules": [] + } + }, + { + 
"condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.OperationalInsights/workspaces/dataexports", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('workspaceName'), '/Exports')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "destination": { + "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "metaData": {} + }, + "tableNames": "[parameters('dataExports')]", + "enable": true + } + } + ], + "outputs": {} } - ], - "outputs": { - } } - } }, { - "condition": "[and(not(equals(parameters('enableChangeTracking'), 'Yes')), not(equals(parameters('enableUpdateMgmt'), 'Yes')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", - "name": "[variables('laDeploymentName')]", - "resourceGroup": "[parameters('rgName')]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" - ], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "apiVersion": "2020-08-01", - "location": "[parameters('workspaceRegion')]", - "name": "[parameters('workspaceName')]", - "type": "Microsoft.OperationalInsights/workspaces", - "properties": { - "sku": { - "name": "PerGB2018" - }, - "enableLogAccessUsingOnlyResourcePermissions": true, - "retentionInDays": "[int(parameters('retentionInDays'))]" - } + "condition": "[and(not(equals(parameters('enableChangeTracking'), 'Yes')), not(equals(parameters('enableUpdateMgmt'), 'Yes')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + 
"name": "[variables('laDeploymentName')]", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "apiVersion": "2020-08-01", + "location": "[parameters('workspaceRegion')]", + "name": "[parameters('workspaceName')]", + "type": "Microsoft.OperationalInsights/workspaces", + "properties": { + "sku": { + "name": "PerGB2018" + }, + "enableLogAccessUsingOnlyResourcePermissions": true, + "retentionInDays": "[int(parameters('retentionInDays'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('workspaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('workspaceRegion')]", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2022-10-01-preview", + "name": "[parameters('eventHubNamespaceName')]", + "location": "[deployment().location]", + "sku": { + "name": "Standard", + "tier": "Standard", + "capacity": 5 + }, + "properties": { + "minimumTlsVersion": "1.2", + "publicNetworkAccess": "Enabled", + 
"disableLocalAuth": true, + "zoneRedundant": true, + "isAutoInflateEnabled": true, + "maximumThroughputUnits": 5, + "kafkaEnabled": true + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[deployment().location]", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "workspaceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/authorizationrules", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/RootManageSharedAccessKey')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "rights": [ + "Listen", + "Manage", + "Send" + ] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.EventHub/namespaces/networkRuleSets", + "apiVersion": "2022-10-01-preview", + "name": "[concat(parameters('eventHubNamespaceName'), '/default')]", + "location": "West Europe", + "dependsOn": [ + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "publicNetworkAccess": "Enabled", + "defaultAction": "Allow", + 
"virtualNetworkRules": [], + "ipRules": [] + } + }, + { + "condition": "[not(empty(parameters('dataExports')))]", + "type": "Microsoft.OperationalInsights/workspaces/dataexports", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('workspaceName'), '/Exports')]", + "location": "westeurope", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "[concat('Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]" + ], + "properties": { + "destination": { + "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.EventHub/namespaces/', parameters('eventHubNamespaceName'))]", + "metaData": {} + }, + "tableNames": "[parameters('dataExports')]", + "enable": true + } + } + ], + "outputs": {} } - ], - "outputs": { - } } - } } - ], - "outputs": {} - } \ No newline at end of file + ], + "outputs": {} +} \ No newline at end of file From 9e256debd71002afc5459dbb6bd2b2dff97734e0 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Fri, 24 Feb 2023 13:45:35 +0000 Subject: [PATCH 23/56] Compliant network policySet --- .../Compliant-NetworkPolicySetDefinition.json | 1349 +++++++++++++++++ 1 file changed, 1349 insertions(+) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json new file mode 100644 index 00000000..1dcfb8a1 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json 
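Review bot: The new Event Hub namespace that receives the exported security tables is deployed with `"publicNetworkAccess": "Enabled"` and a `networkRuleSets/default` of `"defaultAction": "Allow"` with empty `ipRules` and `virtualNetworkRules`, so it is reachable from any network; `"disableLocalAuth": true` limits that to Azure AD-authenticated callers, but the network exposure is wider than a log-export sink needs. Start from `"defaultAction": "Deny"` together with `"trustedServiceAccessEnabled": true` in the rule set so the Log Analytics export can still reach the namespace (confirm that data export is covered by trusted-service access), and parameterize the IP ranges or VNet rules the SIEM consumer actually needs. The `authorizationrules`, `networkRuleSets` and `dataexports` resources carry a hard-coded `"location": "westeurope"` / `"West Europe"` while the namespace itself uses `deployment().location`; use `"location": "[deployment().location]"` there, or drop `location` where the child resource does not take one, so the template is not tied to one region. Explicitly declaring `RootManageSharedAccessKey` with `Listen`, `Manage` and `Send` rights is redundant next to `disableLocalAuth` and advertises a shared key that nothing should be using, so that resource can go. The entire Event Hub resource list is duplicated between the `fsi-loganalytics-waa` and `fsi-loganalytics` nested deployments, so each of these fixes has to be applied in both places.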
@@ -0,0 +1,1349 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "Description": "This policy prevents creation of subnets without a UDR attached to them.", + "DisplayName": "Prevent subnets without Route Table", + "Metadata": { + "category": "Network", + "version": "1.0.0" + }, + "Mode": "All", + "Parameters": { + "effect": { + "type": "String", + "metadata": { + "description": "The effect of the policy", + "displayName": "Effect" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "PolicyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks/subnets", + "field": "type" + }, + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id" + }, + { + "field": "name", + "notIn": [ + "AzureFirewallManagementSubnet", + "AzureBastionSubnet" + ] + } + ] + }, + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": [ + "AzureFirewallManagementSubnet" + ] + } + ] + } + }, + "notEquals": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Subnet-Without-UDR" + }, + { + "properties": { + "Description": "This policy prevents creation of subnets without an NSG attached to them.", + 
"DisplayName": "Prevent subnets without NSG", + "Metadata": { + "category": "Network", + "version": "1.0.0" + }, + "Mode": "All", + "Parameters": { + "effect": { + "type": "String", + "metadata": { + "description": "The effect of the policy", + "displayName": "Effect" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "PolicyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks/subnets", + "field": "type" + }, + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id" + }, + { + "field": "name", + "notIn": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet", + "AzureBastion" + ] + }, + { + "equals": 0, + "value": "[[length(field('Microsoft.Network/virtualNetworks/subnets/privateEndpoints[*]'))]" + } + ] + }, + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet" + ] + }, + { + "equals": 0, + "value": "[[length(field('Microsoft.Network/virtualNetworks/subnets[*].privateEndpoints[*]'))]" + } + ] + } + }, + "notEquals": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Subnet-Without-NSG" + }, + { + "properties": { + "displayName": "Prevent NSG rule changes that allow all inbound traffic", + "description": "Prevent the creation of network security group rules that allow all inbound traffic", + "mode": "All", + "metadata": { + "category": "Network", + "version": "1.0.0" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + 
"displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "in": [ + "*", + "Internet" + ] + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notIn": [ + "*", + "Internet" + ] + } + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Inbound-Internet-All" + }, + { + "properties": { + "mode": "All", + "displayname": "Deny or Audit service endpoints on subnets", + "policyType": "Custom", + "description": "This Policy will deny/audit Service Endpoints on subnets. 
Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.", + "metadata": { + "category": "Network", + "version": "1.0.0" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]", + "where": { + "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service", + "exists": true + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Service-Endpoints" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": 
{ + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-LoadBalancer" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/frontDoors" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + 
"type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-FrontDoor" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-TrafficManager" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-Vnet" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": 
"[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Network", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "displayName": "Enforce secure-by-default Network and Networking services for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure Network is using secure encryption", + "description": "Policy to ensure API Network is using secure protocols" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Network is not accessible over the public internet", + "description": "Policy to ensure Network is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for API Network", + "description": "Policy to ensure Network is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Networking services are logging all events to Log Analytics", + "description": "Policy to ensure 
Networking services are logging all events to Log Analytics workspace" + } + ], + "parameters": { + "subnetUdr": { + "type": "string", + "defaultValue": "Deny" + }, + "subnetNsg": { + "type": "string", + "defaultValue": "Deny" + }, + "denyInboundInternet": { + "type": "string", + "defaultValue": "Deny" + }, + "subnetServiceEndpoint": { + "type": "string", + "defaultValue": "Deny" + }, + "appGwWaf": { + "type": "string", + "defaultValue": "Deny" + }, + "vnetModifyDdos": { + "type": "string", + "defaultValue": "Modify" + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "nsgDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "nsgLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "wafMode": { + "type": "string", + "defaultValue": "Deny" + }, + "wafModeRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "wafFwRules": { + "type": "string", + "defaultValue": "Deny" + }, + "wafModeAppGw": { + "type": "string", + "defaultValue": "Deny" + }, + "wafModeAppGwRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "lbDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "fdDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "fdDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "tmDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "vnetDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", + 
"policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('wafModeAppGw')]" + }, + "modeRequirement": { + "value": "[[parameters('wafModeAppGwRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d", + "policyDefinitionReferenceId": "Deny-Waf-Fw-rules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('wafFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", + "policyDefinitionReferenceId": "Deny-Waf-mode", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('wafMode')]" + }, + "modeRequirement": { + "value": "[[parameters('wafModeRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98a2e215-5382-489e-bd29-32e7190a39ba", + "policyDefinitionReferenceId": "Dine-Nsg-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('nsgDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('nsgLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "policyDefinitionReferenceId": "Modify-vNet-DDoS", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('vnetModifyDdos')]" + }, + "ddosPlan": { + "value": "[[parameters('ddosPlanResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "policyDefinitionReferenceId": "Deny-Ip-Forwarding", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": {} + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", + "policyDefinitionReferenceId": "Deny-vNic-Pip", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appGwWaf')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Subnet-Without-UDR", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('subnetUdr')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('subnetNsg')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]", + "policyDefinitionReferenceId": "Deny-Inbound-Internet-All", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('denyInboundInternet')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[3].name)]", + "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('subnetServiceEndpoint')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[4].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-LoadBalancer", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('lbDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('lbDiagnosticsLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[5].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-FrontDoor", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('fdDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('fdDiagnosticsLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[6].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-TrafficManager", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('tmDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('tmDiagnosticsLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[7].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-Vnet", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('vnetDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('vnetDiagnosticsLogAnalyticsWorkspaceId')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file From e1b3181100560bd495917e1fa24f2a50e3389867 Mon Sep 17 00:00:00 2001 
From: Kristian Nese Date: Fri, 24 Feb 2023 13:56:50 +0000 Subject: [PATCH 24/56] prevent ssh and rdp from internet to network
---
 .../Compliant-NetworkPolicySetDefinition.json | 260 ++++++++++++++++++
 1 file changed, 260 insertions(+)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
index 1dcfb8a1..080abe11 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
@@ -972,6 +972,234 @@
 }
 },
 "name": "Dine-Diagnostics-Vnet"
+ },
+ {
+ "properties": {
+ "displayName": "RDP access from the Internet should be blocked",
+ "description": "This policy denies any network security rule that allows RDP access from Internet",
+ "mode": "All",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
+ "equals": "Allow"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
+ "equals": "Inbound"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "3389"
+ },
+ {
+ "value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
+ "equals": "true"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "where": {
+ "value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
+ "equals": "true"
+ }
+ },
+ "greater": 0
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "3389"
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "Internet"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "Internet"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-RDP-From-Internet"
+ },
+ {
+ "properties": {
+ "displayName": "SSH access from the Internet should be blocked",
+ "description": "This policy denies any network security rule that allows SSH access from Internet",
+ "mode": "All",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
+ "equals": "Allow"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
+ "equals": "Inbound"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "22"
+ },
+ {
+ "value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),22)), 'false')]",
+ "equals": "true"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "where": {
+ "value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),22)) , 'false')]",
+ "equals": "true"
+ }
+ },
+ "greater": 0
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "22"
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "Internet"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "Internet"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-SSH-From-Internet"
 }
 ]
 }
@@ -1123,6 +1351,14 @@
 "vnetDiagnosticsLogAnalyticsWorkspaceId": {
 "type": "string",
 "defaultValue": ""
+ },
+ "denyRdpFromInternet": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "denySshFromInternet": {
+ "type": "string",
+ "defaultValue": "Deny"
 }
 },
 "policyDefinitions": [
@@ -1341,6 +1577,30 @@
 "value": "[[parameters('vnetDiagnosticsLogAnalyticsWorkspaceId')]"
 }
 }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[8].name)]",
+ "policyDefinitionReferenceId": "Deny-Rdp-From-Internet",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('denyRdpFromInternet')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[9].name)]",
+ "policyDefinitionReferenceId": "Deny-Ssh-From-Internet",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('denySshFromInternet')]"
+ }
+ }
 }
 ]
 }
From 0f37ba3514dd51d985aa821ea9feb385fce7a2de Mon Sep 17 00:00:00 2001
From: Kristian Nese Date: Fri, 24 Feb 2023 14:19:26 +0000 Subject: [PATCH 25/56] erDiag
---
 .../Compliant-NetworkPolicySetDefinition.json | 187 +++++++++++++++++-
 1 file changed, 186 insertions(+), 1 deletion(-)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
index 080abe11..40d42569 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
@@ -973,7 +973,7 @@
 },
 "name": "Dine-Diagnostics-Vnet"
 },
- {
+ {
 "properties": {
 "displayName": "RDP access from the Internet should be blocked",
 "description": "This policy denies any network security rule that allows RDP access from Internet",
@@ -1200,6 +1200,168 @@ } }, "name": "Deny-SSH-From-Internet" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + 
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } 
+ } + } + }, + "name": "Dine-Diagnostics-ExpressRouteCircuit" } ] } @@ -1359,6 +1521,14 @@ "denySshFromInternet": { "type": "string", "defaultValue": "Deny" + }, + "erDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ @@ -1601,6 +1771,21 @@ "value": "[[parameters('denySshFromInternet')]" } } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[10].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-ExpressRoute", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('erDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('erDiagnosticsLogAnalyticsWorkspaceId')]" + } + } } ] } From b8a31a554092977ba29732a23aa00cad9b72b64b Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Fri, 24 Feb 2023 15:54:34 +0000 Subject: [PATCH 26/56] updated data export with description --- .../referenceImplementations/fsiPortalV2.json | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index 87225586..b559b77b 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json 
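Review bot: The `logAnalytics` parameter of the new `Dine-Diagnostics-ExpressRouteCircuit` definition has no `defaultValue`, while the set-level `erDiagnosticsLogAnalyticsWorkspaceId` added in the `@@ -1359,6 +1521,14 @@` hunk defaults to `""` and `erDiagnostics` defaults to `DeployIfNotExists`; with those defaults the reference in the `@@ -1601,6 +1771,21 @@` hunk assigns a DINE whose `existenceCondition` compares `workspaceId` with an empty string and whose remediation deploys a diagnostic setting with an empty `workspaceId`, which will presumably fail rather than no-op. Either require the workspace id at assignment time or default `erDiagnostics` to `Disabled` so the effect only activates once a workspace is supplied (the existing `vnetDiagnostics*` pair appears to follow the same pattern, so this may be a deliberate convention worth documenting). Separately, the nested template's `$schema` is `http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#`, whereas the other templates in this series use `https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#`; aligning it is cosmetic but avoids a plaintext URL and a 2015 schema in new code.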
@@ -260,53 +260,56 @@ "label": "Enable Log Analytics Data Export to Event Hub for SIEM integration", "defaultValue": "", "multiselect": true, + "multiLine": true, "selectAll": true, + "defaultDescription": "Select the tables you want to export to Event Hub", "filter": true, "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.", "constraints": { "allowedValues": [ { "label": "Security Alert", + "description": "Table used by Defender for Cloud and Microsoft Sentinel for alerts", "value": "SecurityAlert" }, { "label": "Security Baseline", + "description": "Table used by Defender for Cloud security baseline for Virtual Machines, VMWare, Azure Stack HCI, SCVMM, and Virtual Machine Scale Sets", "value": "SecurityBaseline" }, { "label": "Security Baseline Summary", + "description": "Table used by Defender for Cloud security baseline summary for Virtual Machines, VMWare, Azure Stack HCI, and SCVMM", "value": "SecurityBaselineSummary" }, { "label": "Security Detection", + "description": "Table used by Security and Audit solution for Log Analytics workspace", "value": "SecurityDetection" }, { "label": "Security Event", + "description": "Table used by Security and Audit solution for Log Analytics workspace and Microsoft Sentinel", "value": "SecurityEvent" }, { "label": "Security Incident", + "description": "Table used by Microsoft Sentinel", "value": "SecurityIncident" }, - { - "label": "Security IoT Raw Event", - "value": "SecurityIoTRawEvent" - }, - { - "label": "Security Nested Recommendation", - "value": "SecurityNestedRecommendation" - }, { "label": "Security Recommendation", + "description": "Table used by Defender for Cloud and Security and Audit solution for Log Analytics workspace", "value": "SecurityRecommendation" }, { "label": "Sentinel Audit", + "description": "Table used by Microsoft Sentinel", 
"value": "SentinelAudit" }, { "label": "Sentinel Health", + "description": "Table used by Microsoft Sentinel", "value": "SentinelHealth" } ] @@ -2664,4 +2667,4 @@ "location": "[steps('basics').resourceScope.location.name]" } } -} +} \ No newline at end of file From 3e9a2edb6b5d77e8b0a44ef23f9f585c0a998e1f Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Sun, 26 Feb 2023 16:41:28 +0100 Subject: [PATCH 27/56] adding sub for ingress and egress --- .../DENY-RegionsPolicyAssignment.json | 8 +- .../DINE-DefenderForVms.json | 7 - .../policyDefinitions/policies.json | 48 +++ .../subscriptionTemplates/ingress-egress.json | 353 ++++++++++++++++++ .../referenceImplementations/fsiPortalV2.json | 334 ++++++++++++++++- .../industryArmV2.json | 285 +++++++++++++- 6 files changed, 1016 insertions(+), 19 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/subscriptionTemplates/ingress-egress.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json index 1fa5a973..fe66d68c 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DENY-RegionsPolicyAssignment.json @@ -2,6 +2,12 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, "enforcementMode": { "type": "string", "allowedValues": [ 
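Review bot: The `toolTip` on the `esEventHubDataExports` dropdown still reads "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created …", which describes the parent `esEventHub` option rather than the table selection this hunk documents; suggest `"toolTip": "Select the Log Analytics tables to export to the Event Hub for SIEM integration."`. The hunk also drops the `SecurityIoTRawEvent` and `SecurityNestedRecommendation` entries, which narrows what the wizard can export, and the subject line ("updated data export with description") does not mention it; a sentence in the commit description would keep that scope change visible to anyone auditing the SIEM feed.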
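Review bot: `topLevelManagementGroupPrefix` is added to `DENY-RegionsPolicyAssignment.json` without the `"maxLength": 10` constraint that the same parameter carries in the new `ingress-egress.json` (and that the copy removed from `DINE-DefenderForVms.json` had), so a prefix the sibling templates reject passes validation here and the mismatch only shows up when the templates are deployed together. Adding `"maxLength": 10` keeps the three templates consistent.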
@@ -17,7 +23,7 @@ }, "variables": { "policyDefinitions": { - "azureRegions": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" + "azureRegions": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Location')]" }, "policyAssignmentNames": { "regions": "Deny-Azure-Regions", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json index 7b291c3b..4559b892 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/DINE-DefenderForVms.json @@ -2,13 +2,6 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "maxLength": 10, - "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Afo." - } - }, "enforcementMode": { "type": "string", "allowedValues": [ diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json index b92cee7e..07dfd010 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/policies.json 
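Review bot: `azureRegions` now resolves to the custom `Deny-Location` definition under the `topLevelManagementGroupPrefix` management group, so this assignment acquires a deployment-order dependency on `policies.json` (which creates `Deny-Location` in this same commit) that nothing in the template expresses; deploying the assignment before the definitions exist presumably fails with a not-found error on the definition id. Making that explicit in the parameter's `description` would help, e.g. `"description": "Prefix of the intermediate root management group that already contains the custom 'Deny-Location' policy definition."`.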
@@ -1082,6 +1082,54 @@ }, "name": "Deploy-Custom-Route-Table" }, + { + + "properties": { + "displayName": "Allowed locations for Landing Zone workloads", + "policyType": "Custom", + "mode": "Indexed", + "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.", + "metadata": { + "category": "General" + }, + "parameters": { + "listOfAllowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed locations", + "description": "The list of locations that can be specified when deploying resources.", + "strongType": "location" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "location", + "notIn": "[[parameters('listOfAllowedLocations')]" + }, + { + "field": "location", + "notEquals": "global" + }, + { + "field": "type", + "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" + }, + { + "field": "type", + "notEquals": "Microsoft.Resources/deployments" + } + ] + }, + "then": { + "effect": "deny" + } + } + }, + "name": "Deny-Location" + }, { "properties": { "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", diff --git a/foundations/azure/referenceImplementations/core/subscriptionTemplates/ingress-egress.json b/foundations/azure/referenceImplementations/core/subscriptionTemplates/ingress-egress.json new file mode 100644 index 00000000..2b2c330d --- /dev/null +++ b/foundations/azure/referenceImplementations/core/subscriptionTemplates/ingress-egress.json 
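Review bot: The new `Deny-Location` definition hard-codes `"effect": "deny"` and exposes no `effect` parameter, unlike the other custom definitions in this series (for example `Dine-Diagnostics-ExpressRouteCircuit`), so an assignment cannot be rolled out in `Audit` first or switched to `Disabled` without editing the definition; the assignment's `enforcementMode` is the only lever left. Consider `"effect": { "type": "String", "defaultValue": "Deny", "allowedValues": ["Audit", "Deny", "Disabled"] }` under `parameters` with `"effect": "[[parameters('effect')]"` in the rule. The `metadata` block also lacks the `"version"` the other definitions carry, and there is a stray blank line after the opening `{`.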
@@ -0,0 +1,353 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "displayName": "addressPrefix", + "description": "Address prefix of the HUB" + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "enableHub": { + "type": "string", + "allowedValues": [ + "vhub", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the virtual network hub should be deployed or not." + } + }, + "enableAzFw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be deployed or not." + } + }, + "enableDdoS": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "Select whether the DDoS Standard protection plan should be enabled or not." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the ingress/egress connectivity subscription." + } + }, + "subnetMaskForAzFw": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide subnet for Azure Firewall." 
+ } + }, + "firewallSku": { + "type": "string", + "allowedValues": [ + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, + "firewallZones": { + "type": "array", + "defaultValue": [] + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "ingressOrEgress": { + "type": "string", + "defaultValue": "" + }, + "enableAzFwDnsProxy": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be used as DNS Proxy or not." + } + } + }, + "variables": { + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnet-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('ingressOrEgress'), '-', parameters('location'))]", + "azFwIpName": "[concat(variables('azFwName'), '-pip')]", + "azFwSubnetId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/AzureFirewallSubnet')]", + "azFwPipId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azFwIpName'))]", + "hubId": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/virtualNetworks/', variables('hubName'))]", + "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", + // Creating 
variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency + "fwSubnet": [ + { + "name": "AzureFirewallSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForAzFw')]" + } + } + ], + "ddosProtectionPlanId": { + "id": "[parameters('ddosPlanResourceId')]" + }, + "azFirewallPolicyId": { + "id": "[concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]" + }, + "azFirewallDnsSettings": { + "enableProxy": true + } + }, + "resources": [ + { + // Conditionally deploy virtual network hub + "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('subscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[concat(parameters('ingressOrEgress'), '-connectivity-', deployment().location)]", + "subscriptionId": "[parameters('subscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + 
"name": "[variables('hubName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2022-01-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": "[ + if( + not(empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]') + ) + ]", + "enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]", + "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" + } + }, + { + "condition": "[not(empty(parameters('logAnalyticsWorkspaceId')))]", + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('hubName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "name": "[variables('azFwIpName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwIpName'), '/', 
'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2020-11-01", + "name": "[variables('azFwPolicyName')]", + "location": "[parameters('location')]", + "properties": { + "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('azFirewallDnsSettings'), json('null'))]" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/azureFirewalls", + "name": "[variables('azfwname')]", + "location": "[parameters('location')]", + "zones": "[if(not(empty(parameters('firewallZones'))), parameters('firewallZones'), json('null'))]", + "dependsOn": [ + "[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "sku": { + "name": "AZFW_VNet", + "tier": "[parameters('firewallSku')]" + }, + "ipConfigurations": [ + { + "name": "[variables('azFwIpName')]", + "properties": { + "subnet": { + "id": "[variables('azFwSubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('azFwPipId')]" + } + } + } + ], + "firewallPolicy": "[variables('azFirewallPolicyId')]" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), 
not(empty(parameters('logAnalyticsWorkspaceId'))))]", + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(variables('azFwName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/azureFirewalls/', variables('azFwName'))]" + ], + "properties": { + "workspaceId": "[parameters('logAnalyticsWorkspaceId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ] + } + } + } + ] + } + } + } + ], + "outputs": {} +} diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index b559b77b..9befffe2 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -238,7 +238,7 @@ "name": "esEventHub", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Log Analytics Data Export to Event Hub for SIEM integration", - "defaultValue": "Yes", + "defaultValue": "No", "toolTip": "If 'Yes' is selected when also adding a subscription for management, Log Analytics workspace will be created in the dedicated subscription and enable additional configuration options in the deployment wizard.", "constraints": { "allowedValues": [ @@ -258,7 +258,11 @@ "name": "esEventHubDataExports", "type": "Microsoft.Common.DropDown", "label": "Enable Log Analytics Data Export to Event Hub for SIEM integration", - "defaultValue": "", + "defaultValue": [ + "Security Alert", + "Security Event", + "Security Incident" + ], "multiselect": true, "multiLine": true, "selectAll": true, @@ -1895,7 +1899,7 @@ ] } }, - { + { "name": "esAddressFw", "type": "Microsoft.Common.TextBox", "label": "Subnet for Azure Firewall", 
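Review bot: `ingressOrEgress` in the new `ingress-egress.json` is an unconstrained string defaulting to `""`, yet it is the only token that distinguishes an ingress deployment from an egress one in `rgName`, `hubName`, `azFwName` and `azFwPolicyName`; with the default, the names collapse to `<prefix>-vnet--<location>` and a second deployment would target the same resources, so it should be `"allowedValues": ["ingress", "egress"]` with no empty default. `enableDdosProtection` is set to the strings `'true'`/`'false'` for a boolean property; `"[equals(parameters('enableDdoS'), 'Yes')]"` yields a real boolean. For a firewall placed at the Internet edge, `firewallPolicies` is created with only `dnsSettings`, so `threatIntelMode` is left at the resource provider's default (alert-only, as far as I recall, rather than deny); setting `"threatIntelMode": "Deny"` explicitly, or exposing it as a parameter alongside `enableAzFwDnsProxy`, would make the posture deliberate. Note also that the file uses `//` comments and a multi-line string in the `subnets` expression, which ARM accepts but strict JSON tooling (jq, schema validators, some CLI versions) rejects; the other templates in this series appear to avoid both.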
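Review bot: Flipping the `esEventHub` default from `Yes` to `No` in the `@@ -238,7 +238,7 @@` hunk changes the out-of-box security baseline (SIEM export of the Log Analytics tables becomes opt-in), and it sits in a commit whose subject is "adding sub for ingress and egress" without being mentioned; a line in the description, or a separate commit, would keep that decision visible to anyone auditing defaults. The companion `@@ -258,7 +258,11 @@` hunk, which gives `esEventHubDataExports` an array default of three table labels, is consistent with the dropdown's multiselect mode but only takes effect when the user opts back in.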
@@ -1927,6 +1931,318 @@ } ] } + }, + { + "name": "esDedicatedInboundSub", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use dedicated subscriptions for Internet ingress", + "defaultValue": "No", + "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, you can optionally add dedicated subscription for ingess and egress", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esNwAdditionalSubSectionIngress", + "type": "Microsoft.Common.Section", + "label": "Internet ingress subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esNwIngress", + "label": "Ingress subscription" + } + ], + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]" + }, + { + "name": "esAddressIngress", + "type": "Microsoft.Common.TextBox", + "label": "Address space (required for the virtual network)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/16)", + "defaultValue": "10.200.0.0/16", + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." 
+ } + ] + } + }, + { + "name": "esAzFwIngress", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Firewall", + "defaultValue": "Yes (recommended)", + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Firewall will be created using the same configuration as used in the connectivity hub", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esAddressFwIngress", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall for ingress", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/24)", + "defaultValue": "10.200.0.0/24", + "visible": "[and(equals(steps('esConnectivityGoalState').esAzFwIngress, 'Yes'), equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-6]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressIngress, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." 
+ }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressIngress, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressIngress, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressIngress, '/')), last(split(steps('esConnectivityGoalState').esAddressFwIngress, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." 
+ } + ] + } + }, + { + "name": "esAzFwSkuIngress", + "type": "Microsoft.Common.DropDown", + "label": "Select Azure Firewall tier", + "defaultValue": "Standard", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[equals(steps('esConnectivityGoalState').esAzFwIngress, 'Yes')]", + "toolTip": "Select Azure Firewall tier", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Standard Azure Firewall", + "value": "Standard" + }, + { + "label": "Premium", + "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.", + "value": "Premium" + } + ] + } + }, + { + "name": "esFwAzIngress", + "type": "Microsoft.Common.DropDown", + "label": "Select Availability Zones for the Azure Firewall", + "defaultValue": "None", + "multiselect": true, + "selectAll": true, + "filter": true, + "visible": "[if(equals(steps('esConnectivityGoalState').esDedicatedInboundSub, 'Yes'), and(equals(steps('esConnectivityGoalState').esAzFwIngress,'Yes'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)), false)]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone 1", + "value": "1" + }, + { + "label": "Zone 2", + "value": "2" + }, + { + "label": "Zone 3", + "value": "3" + } + ] + } + }, + { + "name": "esDedicatedOutboundSub", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use dedicated subscriptions for Internet egress", + "defaultValue": "No", + "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "If 
'Yes' is selected when also adding a subscription for connectivity, you can optionally add dedicated subscription for ingess and egress", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esNwAdditionalSubSectionEgress", + "type": "Microsoft.Common.Section", + "label": "Internet egress subscription", + "elements": [ + { + "type": "Microsoft.Common.SubscriptionSelector", + "name": "esNwEgress", + "label": "Internet egress subscription" + } + ], + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]" + }, + { + "name": "esAddressEgress", + "type": "Microsoft.Common.TextBox", + "label": "Address space (required for the virtual network)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.210.0.0/16)", + "defaultValue": "10.210.0.0/16", + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(1[0-9]|2[0-4]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." 
+ } + ] + } + }, + { + "name": "esAzFwEgress", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Firewall", + "defaultValue": "Yes (recommended)", + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Firewall will be created using the same configuration as used in the connectivity hub", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esAddressFwEgress", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall for ingress", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.210.0.0/24)", + "defaultValue": "10.210.0.0/24", + "visible": "[and(equals(steps('esConnectivityGoalState').esAzFwEgress, 'Yes'), equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:/(2[0-6]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), 8), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressEgress, '/')), '.'), 1)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." 
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), 16), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressEgress, '/')), '.'), 2)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')), '.'), 2))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (second octet)."
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), 24), equals(last(take(split(first(split(steps('esConnectivityGoalState').esAddressEgress, '/')), '.'), 3)), last(take(split(first(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('esConnectivityGoalState').esAddressEgress, '/')), last(split(steps('esConnectivityGoalState').esAddressFwEgress, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAzFwSkuEgress",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Azure Firewall tier",
+ "defaultValue": "Standard",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[equals(steps('esConnectivityGoalState').esAzFwEgress, 'Yes')]",
+ "toolTip": "Select Azure Firewall tier",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "description": "Standard Azure Firewall",
+ "value": "Standard"
+ },
+ {
+ "label": "Premium",
+ "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.",
+ "value": "Premium"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esFwAzEgress",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Availability Zones for the Azure Firewall",
+ "defaultValue": "None",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "visible": "[if(equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'), and(equals(steps('esConnectivityGoalState').esAzFwEgress,'Yes'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)), false)]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone 1",
+ "value": "1"
+ },
+ {
+ "label": "Zone 2",
+ "value": "2"
+ },
+ {
+ "label": "Zone 3",
+ "value": "3"
+ }
+ ]
+ }
 },
 {
 "name": "nwSecurity",
@@ -2661,6 +2977,18 @@
 "enablePrivateDnsResolver": "[steps('esConnectivityGoalState').esPrivateDnsResolver]",
 "subnetMaskForDnsResolverInbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound]",
 "subnetMaskForDnsResolverOutbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound]",
+ "ingressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionIngress.esNwIngress.subscriptionId]",
+ "egressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionEgress.esNwEgress.subscriptionId]",
+ "addressPrefixIngress": "[steps('esConnectivityGoalState').esAddressIngress]",
+ "addressPrefixEgress": "[steps('esConnectivityGoalState').esAddressEgress]",
+ "enableAzFwIngress": "[steps('esConnectivityGoalState').esAzFwIngress]",
+ "enableAzFwEgress": "[steps('esConnectivityGoalState').esAzFwEgress]",
+ "subnetMaskForAzFwIngress": "[steps('esConnectivityGoalState').esAddressFwIngress]",
+ "subnetMaskForAzFwEgress": "[steps('esConnectivityGoalState').esAddressFwEgress]",
+ "firewallSkuIngress": "[steps('esConnectivityGoalState').esAzFwSkuIngress]",
+ "firewallSkuEgress": "[steps('esConnectivityGoalState').esAzFwSkuEgress]",
+ "firewallZonesIngress": "[steps('esConnectivityGoalState').esFwAzIngress]",
+ "firewallZonesEgress": "[steps('esConnectivityGoalState').esFwAzEgress]",
 "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').corpLz.lzConnectedSubs,'')]"
 },
 "kind": "Tenant",
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 71b82c0f..9cc459d6 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
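Review bot: The twelve new output keys are emitted unconditionally, so the defaults of controls that are hidden still reach the template — `esAzFwEgress` defaults to "Yes (recommended)" (value `Yes`), so `enableAzFwEgress` is `Yes` even when no dedicated egress subscription was chosen, and the same applies to the ingress keys. Today this is masked because the template's ingress/egress deployments are conditioned on the subscription id being non-empty, but that coupling is easy to break when a consumer of `enableAzFwIngress`/`enableAzFwEgress` is added. The sibling `corpConnectedLzSubscriptionId` output in this hunk already uses the guarded form; consider `"enableAzFwEgress": "[if(equals(steps('esConnectivityGoalState').esDedicatedOutboundSub, 'Yes'), steps('esConnectivityGoalState').esAzFwEgress, 'No')]"` and the equivalent `esDedicatedInboundSub` guard for the ingress keys.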
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -35,6 +35,22 @@
 "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for networking."
 }
 },
+ "ingressSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for ingress."
+ }
+ },
+ "egressSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for egress."
+ }
+ },
 "identitySubscriptionId": {
 "type": "string",
 "defaultValue": "",
@@ -334,6 +350,14 @@
 "type": "string",
 "defaultValue": ""
 },
+ "addressPrefixIngress": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "addressPrefixEgress": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "enableVpnGw": {
 "type": "string",
 "defaultValue": "No",
@@ -372,6 +396,22 @@
 ],
 "defaultValue": "No"
 },
+ "enableAzFwIngress": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwEgress": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
 "enableAzFwDnsProxy": {
 "type": "string",
 "allowedValues": [
@@ -401,17 +441,17 @@
 "type": "string",
 "defaultValue": ""
 },
- "subnetMaskForGw": {
+ "subnetMaskForAzFwIngress": {
 "type": "string",
 "defaultValue": ""
 },
- "enablePrivateDnsResolver": {
+ "subnetMaskForAzFwEgress": {
 "type": "string",
- "defaultValue": "No",
- "allowedValues": [
- "Yes",
- "No"
- ]
+ "defaultValue": ""
+ },
+ "subnetMaskForGw": {
+ "type": "string",
+ "defaultValue": ""
 },
 "subnetMaskForDnsResolverInbound": {
 "type": "string",
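Review bot: The `@@ -401,17 +441,17 @@` hunk removes the `enablePrivateDnsResolver` parameter definition (with its Yes/No `allowedValues`) while inserting `subnetMaskForAzFwIngress`, `subnetMaskForAzFwEgress` and a re-added `subnetMaskForGw`; nothing on the new side declares it again. The portal file still emits `"enablePrivateDnsResolver"` in its outputs (visible in the fsiPortalV2.json hunk above), so unless the parameter is declared elsewhere in this template the deployment will be rejected for an unknown parameter. If the removal was an accidental side effect of inserting the two firewall subnet parameters, restore the `enablePrivateDnsResolver` block exactly as it appears on the old side. Separately, the new `ingressSubscriptionId`/`egressSubscriptionId` parameters have only `maxLength: 36`; a `minLength`/pattern check is optional, but the existing `connectivitySubscriptionId` parameter should be followed for consistency, whichever form it uses.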
@@ -453,10 +493,34 @@
 ],
 "defaultValue": "Standard"
 },
+ "firewallSkuIngress": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ },
+ "firewallSkuEgress": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "Premium"
+ ],
+ "defaultValue": "Standard"
+ },
 "firewallZones": {
 "type": "array",
 "defaultValue": []
 },
+ "firewallZonesIngress": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "firewallZonesEgress": {
+ "type": "array",
+ "defaultValue": []
+ },
 "singlePlatformSubscriptionId": {
 "type": "string",
 "defaultValue": "",
@@ -612,6 +676,7 @@
 "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/hubspoke-connectivity.json')]",
 "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vwan-connectivity.json')]",
 "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/nvahubspoke-connectivity.json')]",
+ "ingressAndEgress": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/ingress-egress.json')]",
 "subscriptionPlacement": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json')]",
 "monitoring": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/logAnalyticsWorkspace.json')]",
 "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/resourceGroup.json')]",
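Review bot: `deploymentUris.ingressAndEgress` in the `@@ -612,6 +676,7 @@` hunk links to `core/subscriptionTemplates/ingress-egress.json`, a file that does not appear anywhere in the part of this patch series I can see; if it is not added in the same commit, every deployment that resolves `variables('deploymentUris').ingressAndEgress` fails at template-link time. Please confirm the linked template is committed alongside this change and that its parameter names match the ones passed later (`enableAzFw`, `subnetMaskForAzFw`, `firewallSku`, `firewallZones`, `ingressOrEgress`). The `firewallZonesIngress`/`firewallZonesEgress` arrays carry no `metadata.description`; a one-liner such as `"description": "Availability zones for the ingress Azure Firewall, e.g. [\"1\",\"2\",\"3\"]; leave empty for no zones."` would tell callers the expected element type.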
@@ -702,6 +767,8 @@
 "databricksClusterDeploymentName": "[take(concat(parameters('industry'), '-DBCluster', variables('deploymentSuffix')), 64)]",
 "corpPeeringDeploymentName": "[take(concat(parameters('industry'), '-CorpPeering', variables('deploymentSuffix')), 60)]",
 "connectivitySubscriptionPlacement": "[take(concat(parameters('industry'), '-ConnectivitySub', variables('deploymentSuffix')), 64)]",
+ "ingressSubscriptionPlacement": "[take(concat(parameters('industry'), '-IngressSub', variables('deploymentSuffix')), 64)]",
+ "egressSubscriptionPlacement": "[take(concat(parameters('industry'), '-EgressSub', variables('deploymentSuffix')), 64)]",
 "identitySubscriptionPlacement": "[take(concat(parameters('industry'), '-IdentitySub', variables('deploymentSuffix')), 64)]",
 "policyDeploymentName": "[take(concat(parameters('industry'), '-Policy', variables('deploymentSuffix')), 64)]",
 "dataPolicyDeploymentName": "[take(concat(parameters('industry'),'-Data-Policy', variables('deploymentSuffix')), 64)]",
@@ -720,6 +787,8 @@
 "ascPolicyDeploymentName": "[take(concat(parameters('industry'), '-ASC', variables('deploymentSuffix')), 64)]",
 "ascGovPolicyDeploymentName": "[take(concat(parameters('industry'), '-Gov-ASC', variables('deploymentSuffix')), 64)]",
 "vnetConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-HubSpoke', variables('deploymentSuffix')), 64)]",
+ "ingressDeploymentName": "[take(concat(parameters('industry'), '-Ingress', variables('deploymentSuffix')), 64)]",
+ "egressDeploymentName": "[take(concat(parameters('industry'), '-Egress', variables('deploymentSuffix')), 64)]",
 "vwanConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-VWanHub', variables('deploymentSuffix')), 64)]",
 "nvaConnectivityHubDeploymentName": "[take(concat(parameters('industry'), '-NVAHub', variables('deploymentSuffix')), 64)]",
 "azVmMonitorPolicyDeploymentName": "[take(concat(parameters('industry'), '-AzVmMonitor', variables('deploymentSuffix')), 64)]",
@@ -1635,6 +1704,60 @@
 }
 }
 },
+ {
+ // Placing internet ingress subscription into dedicated management group
+ "condition": "[not(empty(parameters('ingressSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').ingressSubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').connectivity]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('ingressSubscriptionId')]"
+ }
+ }
+ }
+ },
+ {
+ // Placing internet egress subscription into dedicated management group
+ "condition": "[not(empty(parameters('egressSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').egressSubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').connectivity]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('egressSubscriptionId')]"
+ }
+ }
+ }
+ },
 {
 // Placing identity subscription into dedicated management group
 "condition": "[not(empty(parameters('identitySubscriptionId')))]",
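Review bot: The comment on both new resources says the subscription is placed "into dedicated management group", but `targetManagementGroupId` is `variables('mgmtGroups').connectivity` — the same group the connectivity subscription is placed in — so either the comment is stale or a dedicated child group was intended and not created. If the former, `// Placing internet ingress subscription into the connectivity management group` (and the egress twin) describes what the code does; if the latter, the management-group deployment this `dependsOn` would need to create it first. The two resources are otherwise identical apart from the parameter names, which is fine, but nothing prevents the same subscription id being supplied for ingress, egress and connectivity; a short `metadata.description` note on the new parameters stating that each must be a distinct, empty subscription would make that expectation explicit.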
@@ -2348,6 +2471,148 @@ } } }, + { + // Creating the ingress subscription + "condition": "[and(not(empty(parameters('ingressSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').ingressDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ingressSubscriptionPlacement)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ingressAndEgress]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFwIngress')]" + }, + "addressPrefix": { + "value": 
"[parameters('addressPrefixIngress')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "subscriptionId": { + "value": "[parameters('ingressSubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFwIngress')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "firewallSku": { + "value": "[parameters('firewallSkuIngress')]" + }, + "firewallZones": { + "value": "[parameters('firewallZonesIngress')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "ingressOrEgress": { + "value": "ingress" + } + } + } + }, + { + // Creating the egress subscription + "condition": "[and(not(empty(parameters('egressSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').egressDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').egressSubscriptionPlacement)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ingressAndEgress]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFwEgress')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefixEgress')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "subscriptionId": { + "value": "[parameters('egressSubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFwEgress')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "firewallSku": { + "value": "[parameters('firewallSkuEgress')]" + }, + "firewallZones": { + "value": "[parameters('firewallZonesEgress')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "ingressOrEgress": { + "value": "egress" + } + } + } + }, { // Creating the virtual network hub (with NVA) "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", 
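Review bot: The `condition` on both new deployments requires `enableHub` to equal `'vhub'`, and `dependsOn` names only `vnetConnectivityHubDeploymentName`, whereas the portal offers the dedicated ingress/egress subscriptions whenever `esHub` is `'vhub'` or `'vwan'` (the `esDedicatedOutboundSub` `visible` expression further up). A user who selects vwan and enters an egress subscription therefore gets the subscription placed but nothing deployed into it, with no error surfaced. Either restrict the portal option to vhub, or — if the linked ingress-egress.json template supports it — widen the condition to `"condition": "[and(not(empty(parameters('egressSubscriptionId'))), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'vwan')))]"` (and likewise for ingress) and add the vwan hub deployment to `dependsOn`. A comment stating which hub topologies the ingress/egress pattern is meant to cover would settle the question for the next reader.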
@@ -2678,7 +2943,8 @@
 "scope": "[variables('scopes').lzsManagementGroup]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
- "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion"
 ],
 "properties": {
 "mode": "Incremental",
@@ -2687,6 +2953,9 @@
 "uri": "[variables('deploymentUris').allowedRegionsPolicyAssignment]"
 },
 "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
 "listOfAllowedLocations": {
 "value": [
 "Global",
From 6f65fb1f66c3ab54be181d59c8e8be78f367ff6f Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Sun, 26 Feb 2023 18:10:56 +0100
Subject: [PATCH 28/56] adding assignments
---
 .../Compliant-ComputePolicyAssignment.json | 75 +++++++++
 ...mpliant-ContainerAppsPolicyAssignment.json | 56 +++++++
 ...ontainerInstancePolicyAssignment copy.json | 56 +++++++
 ...ant-ContainerRegistryPolicyAssignment.json | 74 +++++++++
 .../Compliant-NetworkPolicySetDefinition.json | 12 +-
 .../referenceImplementations/fsiPortalV2.json | 28 +++-
 .../industryArmV2.json | 150 +++++++++++++++++-
 7 files changed, 442 insertions(+), 9 deletions(-)
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment copy.json
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
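Review bot: The new `dependsOn` entry `"policyCompletion"` is a bare resource name while every sibling entry in the same array uses the `resourceId('Microsoft.Resources/deployments', ...)` form; ARM accepts both, but the mixed style hides what resource type is meant and whether the name is a variable-driven deployment name or a literal. If `policyCompletion` is a deployment declared in this template (its definition is outside my view), `"[resourceId('Microsoft.Resources/deployments', 'policyCompletion')]"` keeps the list uniform; if it is meant to gate on all policy deployments finishing, a short comment above the entry saying so would help, since the other dependencies are individually named.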
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
new file mode 100644
index 00000000..a2af4a06
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json
@@ -0,0 +1,75 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "diskPrivateDns": {
+ "type": "string",
+ "metadata": {
+ "description": "Select if policy should be enforced or not"
+ }
+ },
+ "diskPrivateDnsZoneId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the Private DNS Zone ID for disk"
+ }
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "compute": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Compute')]"
+ },
+ "policyAssignmentNames": {
+ "compute": "Compliant-Compute",
+ "description": "This policy initiative is a group of policies that ensures Compute is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Compute for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').compute]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compute]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "diskPrivateDns": {
+ "value": "[parameters('diskPrivateDns')]"
+ },
+ "diskPrivateDnsZoneId": {
+ "value": "[parameters('diskPrivateDnsZoneId')]"
+ }
+ }
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
new file mode 100644
index 00000000..152639e1
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json
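Review bot: `diskPrivateDns` is declared as an unconstrained string with no `defaultValue`, although its description says it selects whether the policy is enforced; the sibling ContainerRegistry assignment in this commit constrains its equivalent `containerRegistryPrivateDnsZone` to `["DeployIfNotExists", "Disabled"]` with a default of `Disabled`. If the Compliant-Compute initiative's parameter takes the same effect values, add `"defaultValue": "Disabled", "allowedValues": ["DeployIfNotExists", "Disabled"]` here so a typo cannot reach the assignment, and reword the description to say which values it accepts. `userAssignedIdentityResourceId` has no `metadata.description` in this file nor in the ContainerApps, ContainerInstance and ContainerRegistry assignments; a single line such as `"description": "Resource ID of the user-assigned managed identity attached to the policy assignment."` on each would document the one parameter callers cannot infer from a default.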
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "conApps": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerApps')]"
+ },
+ "policyAssignmentNames": {
+ "con": "Compliant-ContainerApps",
+ "description": "This policy initiative is a group of policies that ensures Container Apps are compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Container Apps for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').con]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').conApps]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {}
+ }
+ }
+
+ ],
+ "outputs": {}
+}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment copy.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment copy.json
new file mode 100644
index 00000000..b02315a7
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment copy.json
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "conInstance": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerInstance')]"
+ },
+ "policyAssignmentNames": {
+ "con": "Compliant-ContainerInstance",
+ "description": "This policy initiative is a group of policies that ensures Container Instance is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Container Instance for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').con]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').conInstance]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {}
+ }
+ }
+
+ ],
+ "outputs": {}
+}
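Review bot: The new file is named `Compliant-ContainerInstancePolicyAssignment copy.json` — the ` copy` suffix, with a space, looks like an editor duplicate that was committed by accident, while the three sibling files follow the `Compliant-<Service>PolicyAssignment.json` pattern. Rename it to `Compliant-ContainerInstancePolicyAssignment.json` and make sure any `uri(...)` entry in industryArmV2.json that links to it uses the same name; as committed, a template link to this path would also need the space URL-encoded. The content itself mirrors the ContainerApps assignment, so nothing else stands out in this hunk.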
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
new file mode 100644
index 00000000..6e38a8b7
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "containerRegistryPrivateDnsZone": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "containerRegistryPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "conRegistry": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerRegistry')]"
+ },
+ "policyAssignmentNames": {
+ "con": "Compliant-ContainerRegistry",
+ "description": "This policy initiative is a group of policies that ensures Container Registry is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Container Registry for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').con]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').conRegistry]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "containerRegistryPrivateDnsZone": {
+ "value": "[parameters('containerRegistryPrivateDnsZone')]"
+ },
+ "containerRegistryPrivateDnsZoneId": {
+ "value": "[parameters('containerRegistryPrivateDnsZoneId')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
index 40d42569..83d2c0db 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
@@ -51,6 +51,8 @@
 {
 "field": "name",
 "notIn": [
+ "GatewaySubnet",
+ "AzureFirewallSubnet",
 "AzureFirewallManagementSubnet",
 "AzureBastionSubnet"
 ]
@@ -75,7 +77,10 @@
 {
 "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
 "notIn": [
- "AzureFirewallManagementSubnet"
+ "GatewaySubnet",
+ "AzureFirewallSubnet",
+ "AzureFirewallManagementSubnet",
+ "AzureBastionSubnet"
 ]
 }
 ]
@@ -137,7 +142,7 @@
 "GatewaySubnet",
 "AzureFirewallSubnet",
 "AzureFirewallManagementSubnet",
- "AzureBastion"
+ "AzureBastionSubnet"
 ]
 },
 {
@@ -166,7 +171,8 @@
 "notIn": [
 "GatewaySubnet",
 "AzureFirewallSubnet",
- "AzureFirewallManagementSubnet"
+ "AzureFirewallManagementSubnet",
+ "AzureBastionSubnet"
 ]
 },
 {
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
index 9befffe2..be4b3596 100644
--- a/foundations/azure/referenceImplementations/fsiPortalV2.json
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
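Review bot: The file ends without a trailing newline (`\ No newline at end of file`), unlike the three sibling assignment files added in this commit; add the final newline so the next edit to the last line does not show up as a two-line change. `containerRegistryPrivateDnsZoneId` defaults to `""` while `containerRegistryPrivateDnsZone` can be set to `DeployIfNotExists`, and nothing in this template ties the two together; a `metadata.description` on the ID parameter such as `"description": "Resource ID of the privatelink.azurecr.io Private DNS zone; required when containerRegistryPrivateDnsZone is DeployIfNotExists."` would document the dependency that callers have to satisfy (I cannot see how the initiative handles an empty zone ID, so the wording should be checked against the Compliant-ContainerRegistry definition).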
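Review bot: The exemption list `GatewaySubnet`, `AzureFirewallSubnet`, `AzureFirewallManagementSubnet`, `AzureBastionSubnet` is now repeated verbatim in four `notIn` blocks of this file (the hunks at `@@ -51`, `@@ -75`, `@@ -137` and `@@ -166`), and this commit had to touch all four to bring them in line — the earlier `AzureBastion` spelling fixed at `@@ -137` shows how easily the copies drift, and a drifted copy silently stops exempting a platform subnet or, worse, keeps exempting one that should be governed. If these rules sit in policy definitions declared in this template, a single array parameter (for example `exemptedSubnets`, referenced as `"notIn": "[parameters('exemptedSubnets')]"`) would keep the list in one place; at minimum the parameter or the rule should carry a `metadata.description` stating why these four subnets are excluded, since the reason (platform-managed subnets that the rule's control does not apply to) is not recoverable from the names alone. The rule's enclosing policy definition starts outside the hunks, so I cannot confirm which control is being relaxed.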
@@ -562,10 +562,14 @@ "App Service", "Automation", "Backup", + "Compute", + "Container Apps", + "Container Instance", + "Container Registry", + "Cosmos DB", "Key Vault", "SQL", - "Service Bus", - "Cosmos DB", + "Service Bus", "Open AI", "Event Grid", "Event Hub", @@ -604,6 +608,26 @@ "description": "Azure policies will ensure secure by-default compliance for Backup and Recovery Services vaults, enforce immutable backups, encryption, and private over private endpoint.", "value": "Backup" }, + { + "label": "Compute", + "description": "Azure policies will ensure secure by-default compliance for Compute, enforce access via private endpoints, encyrption of variables and centralized authorization.", + "value": "Compmute" + }, + { + "label": "Container Apps", + "description": "Azure policies will ensure secure by-default compliance for Container Apps, enforce access via private endpoints, encyrption of variables and centralized authorization.", + "value": "ContainerApps" + }, + { + "label": "Container Instance", + "description": "Azure policies will ensure secure by-default compliance for Container Instance, enforce access via private endpoints, encyrption of variables and centralized authorization.", + "value": "ContainerInstance" + }, + { + "label": "Container Registry", + "description": "Azure policies will ensure secure by-default compliance for Container Registry, enforce access via private endpoints, encyrption of variables and centralized authorization.", + "value": "ContainerRegistry" + }, { "label": "Key Vault", "description": "Azure policies will ensure secure by-default compliance for Key Vaults, secrets, keys, and certificates, enforce access via private endpoints, purge protection, and centralized logging.", diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index 9cc459d6..34bd9ede 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json 
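Review bot: `"value": "Compmute"` in the new Compute entry does not match the `contains(parameters('compliantAzureServices'), 'Compute')` condition the ARM template uses for the Compute assignment deployment, so selecting Compute in the portal silently deploys nothing; it should read `"value": "Compute"` (a later patch in the series corrects it). The four new descriptions also repeat the misspelling `encyrption` and appear to be copied from a service that has variables to encrypt; Compute, Container Apps, Container Instance and Container Registry do not, so each description should state what its own initiative enforces.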
+++ b/foundations/azure/referenceImplementations/industryArmV2.json 
@@ -654,10 +654,14 @@ "compliantAutomationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json')]", "compliantBackupPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json')]", "compliantBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json')]", - "compliantComputePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json')]", + "compliantComputePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json')]", + "compliantComputePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json')]", "compliantContainerAppsPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerAppsPolicySetDefinition.json')]", + "compliantContainerAppsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ContainerAppsPolicyAssignment.json')]", "compliantContainerInstancePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerInstancePolicySetDefinition.json')]", + "compliantContainerInstancePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json')]", "compliantContainerRegistryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 
'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json')]", + "compliantContainerRegistryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json')]", "compliantCosmosDbPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json')]", "compliantDataExplorerPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json')]", "compliantDataFactoryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json')]", 
@@ -836,8 +840,12 @@ "budgetDeploymentName": "[take(concat(parameters('industry'), '-Budget', variables('deploymentSuffix')), 64)]", // Compliant Azure Service Policy Assignment deployment names "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Auto', variables('deploymentSuffix')), 64)]", - "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]", + "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]", + "compliantComputeAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Compute', variables('deploymentSuffix')), 64)]", "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]", + "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]", + "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]", + "compliantContainerRegistryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]", "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]", "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]", // Telco specific policies assignment deployments 
@@ -990,7 +998,8 @@ "azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]", "azureBackupPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.backup.windowsazure.com')]", "azureBackupBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", - "azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]", + "azureManagedDiskPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]", "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.com')]", "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.batch.azure.com')]", @@ -1007,6 +1016,7 @@ "azureEventGridDomainsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]", "azureRedisCachePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.redis.cache.windows.net')]", "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.io')]", + "azureContainerRegistryPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.azurecr.io')]", "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]", "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", 
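Review bot: `azureContainerRegistryPrivateDnsZoneId` builds a zone named `<location>.privatelink.azurecr.io`, which is not the zone a registry private endpoint uses; the private link zone for Container Registry is `privatelink.azurecr.io`, already mapped one line above as `azureAcrPrivateDnsZoneId`, and the regional data endpoint is a record `<region>.data.privatelink.azurecr.io` inside that same zone. Unless the `dnsZones` deployment really creates a zone with that exact name, the DeployIfNotExists policy fed from this variable by the Container Registry assignment later in this patch will point at a zone that does not exist. Feeding the assignment from `azureAcrPrivateDnsZoneId` and dropping the duplicate also avoids two variables for one service drifting apart.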
@@ -3219,6 +3229,138 @@ } } }, + { // Creating Policy Assignment Compliant Compute to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Compute')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantComputeAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantComputeDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantComputePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "diskPrivateDns": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "diskPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureManagedDiskPrivateDnsZoneId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Container Apps to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'ContainerApps')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": 
"[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantContainerAppsAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantContainerAppsDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerAppsPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Container Instance to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'ContainerInstance')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantContainerInstanceAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantContainerInstanceDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerInstancePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Container Registry to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'ContainerRegistry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantContainerRegistryAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantContainerRegistryDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantContainerRegistryPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "containerRegistryPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "containerRegistryPrivateDnsZoneId": { + "value": 
"[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureContainerRegistryPrivateDnsZoneId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, { // Creating Policy Assignment Compliant Key Vault to Landing Zone scope "condition": "[contains(parameters('compliantAzureServices'), 'KeyVault')]", "type": "Microsoft.Resources/deployments", @@ -3260,7 +3402,7 @@ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant } } - }, + }, /* The following section will optionally configure the governance for the Identity management group for the platform */ From f9b4b927683841e83aeb91d8f6665586304b757c Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Sun, 26 Feb 2023 20:41:30 +0100 Subject: [PATCH 29/56] name lenght --- ...nt-ContainerInstancePolicyAssignment.json} | 2 +- ...ant-ContainerRegistryPolicyAssignment.json | 2 +- ...Compliant-CosmosDbPolicySetDefinition.json | 186 +++++++++++++++++- .../referenceImplementations/fsiPortalV2.json | 6 +- 4 files changed, 190 insertions(+), 6 deletions(-) rename foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/{Compliant-ContainerInstancePolicyAssignment copy.json => Compliant-ContainerInstancePolicyAssignment.json} (97%) 
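Review bot: Each of the four new deployments lists `variables('deploymentNames').compliantComputeDeploymentName` (and the ContainerApps, ContainerInstance and ContainerRegistry equivalents) in `dependsOn`, but the `@@ -836` hunk only adds the `*AssignmentDeploymentName` variables; if the `*DeploymentName` entries are not defined elsewhere in the file, template validation fails on a missing variable property. The Container Apps and Container Instance deployments also depend on `dnsZones` although they pass no DNS parameters, which only serialises the rollout. The copied trailing comment in all four blocks should read `// Add parameter to toggle DINE to 'disabled' if the condition is not met so the policy does not show up as non-compliant`.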
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment copy.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json similarity index 97% rename from foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment copy.json rename to foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json index b02315a7..3c6f29ee 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment copy.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerInstancePolicyAssignment.json @@ -25,7 +25,7 @@ "conInstance": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerInstance')]" }, "policyAssignmentNames": { - "con": "Compliant-ContainerInstance", + "con": "Compliant-ConInstance", "description": "This policy initiative is a group of policies that ensures Container Instance is compliant per FSI Landing Zones", "displayName": "Enforce secure-by-default Container Instance for Financial Services Industry" } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json index 6e38a8b7..13846007 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json 
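Review bot: The shortened `"con": "Compliant-ConInstance"` (and `Compliant-ConRegistry` in the next file) carries no comment explaining why the name is truncated while sibling assignments keep the full service name, so a future cleanup is likely to restore the longer name and break the deployment again; a one-line `// assignment names are limited to 24 characters at management-group scope` next to each value records the reason. The rename from `Compliant-ContainerInstancePolicyAssignment copy.json` also suggests the earlier file was committed by accident, which is worth stating in the commit message.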
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json @@ -37,7 +37,7 @@ "conRegistry": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-ContainerRegistry')]" }, "policyAssignmentNames": { - "con": "Compliant-ContainerRegistry", + "con": "Compliant-ConRegistry", "description": "This policy initiative is a group of policies that ensures Container Registry is compliant per FSI Landing Zones", "displayName": "Enforce secure-by-default Container Registry for Financial Services Industry" } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json index 41433369..9387dbf7 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json 
@@ -9,9 +9,170 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-CosmosDb" + } ] } }, 
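Review bot: The `existenceCondition` requires `Microsoft.Insights/diagnosticSettings/metrics.enabled` to equal `true`, but `metricsEnabled` is a parameter that may be set to `False`; with that value the deployed setting never satisfies the condition, so every evaluation reports the account non-compliant and re-runs remediation. Either compare against the parameter (`"equals": "[[parameters('metricsEnabled')]"` on the metrics clause) or drop the parameter and always enable metrics, as the template already does for logs. The template also hard-codes `"categoryGroup": "allLogs"` while the Key Vault and Machine Learning initiatives in this series expose a `*LogCategories` parameter; a matching parameter here keeps the initiatives consistent. The enclosing `policyDefinitions` array starts outside the hunk.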
@@ -114,9 +275,32 @@ "cosmosDbModifyLocalAuth": { "type": "string", "defaultValue": "Modify" + }, + "cosmosDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-CosmosDb", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('cosmosLogAnalyticsWorkspaceId')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index be4b3596..f55995f8 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -611,7 +611,7 @@ { "label": "Compute", "description": "Azure policies will ensure secure by-default compliance for Compute, enforce access via private endpoints, encyrption of variables and centralized authorization.", - "value": "Compmute" + "value": "Compute" }, { "label": "Container Apps", 
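Review bot: `cosmosDiagnostics` defaults to `DeployIfNotExists` while `cosmosLogAnalyticsWorkspaceId` defaults to `""`, so an assignment that passes neither will attempt to deploy a diagnostic setting with an empty `workspaceId` and fail remediation; the same default pairing appears in the Key Vault (`hsmDiagnostics`) and Machine Learning (`mlDiagnostics`) hunks later on this page. The new Cosmos DB assignment template defaults the effect to `Disabled`, which is the safer default to mirror here; alternatively document the dependency on the effect parameter, e.g. `"metadata": { "description": "Requires cosmosLogAnalyticsWorkspaceId when set to DeployIfNotExists." }`.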
@@ -1959,7 +1959,7 @@ { "name": "esDedicatedInboundSub", "type": "Microsoft.Common.OptionsGroup", - "label": "Use dedicated subscriptions for Internet ingress", + "label": "Use a dedicated subscription for Internet ingress", "defaultValue": "No", "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, you can optionally add dedicated subscription for ingess and egress", @@ -2115,7 +2115,7 @@ { "name": "esDedicatedOutboundSub", "type": "Microsoft.Common.OptionsGroup", - "label": "Use dedicated subscriptions for Internet egress", + "label": "Use s dedicated subscription for Internet egress", "defaultValue": "No", "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, you can optionally add dedicated subscription for ingess and egress", From 60b428db28da2ab528d46b74ec4af44d2ec88987 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 27 Feb 2023 11:17:18 +0100 Subject: [PATCH 30/56] updated KV and adding cosmosDb --- .../Compliant-CosmosDbPolicyAssignment.json | 99 ++++++++++++ .../Compliant-KeyVaultPolicyAssignment.json | 20 ++- ...Compliant-KeyVaultPolicySetDefinition.json | 30 ++++ ...nt-MachineLearningPolicySetDefinition.json | 30 ++++ .../Compliant-NetworkPolicySetDefinition.json | 152 +++++++++++++++++- .../industryArmV2.json | 54 +++++++ 6 files changed, 382 insertions(+), 3 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json 
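Review bot: The new label `Use s dedicated subscription for Internet egress` introduces a typo; it should match the ingress label changed in the previous hunk: `"label": "Use a dedicated subscription for Internet egress"`. The unchanged `toolTip` on both controls still reads `ingess`, which could be fixed in the same pass.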
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json new file mode 100644 index 00000000..4f22a53f --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json 
@@ -0,0 +1,99 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "cosmosDbPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "cosmosDbPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "cosmosLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantCosmos": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-CosmosDb')]" + }, + "policyAssignmentNames": { + "cosmos": "Compliant-CosmosDb", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Key Vault for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').cosmos]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + 
"properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantCosmos]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "cosmosDbPrivateDnsZone": { + "value": "[parameters('cosmosDbPrivateDnsZone')]" + }, + "cosmosDbPrivateDnsZoneId": { + "value": "[parameters('cosmosDbPrivateDnsZoneId')]" + }, + "cosmosDbPrivateEndpointGroupId": { + "value": "[parameters('cosmosDbPrivateEndpointGroupId')]" + }, + "cosmosDiagnostics": { + "value": "[parameters('cosmosDiagnostics')]" + }, + "cosmosLogAnalyticsWorkspaceId": { + "value": "[parameters('cosmosLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json index 0958d8ba..da76fecf 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json @@ -44,6 +44,17 @@ "Disabled" ] }, + "hsmDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "hsmLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, "userAssignedIdentityResourceId": { "type": "string" } 
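Review bot: `"displayName": "Enforce secure-by-default Key Vault for Financial Services Industry"` was copied from the Key Vault assignment and will label the Cosmos DB initiative as Key Vault in the portal and in compliance reports; it should read `"displayName": "Enforce secure-by-default Cosmos DB for Financial Services Industry"`. The parameters other than `topLevelManagementGroupPrefix` also lack a `metadata.description`, and `cosmosDbPrivateEndpointGroupId` in particular gives a reader no hint of the expected value.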
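Review bot: `hsmDiagnostics` is added without a `defaultValue`, unlike `hsmLogAnalyticsWorkspaceId` directly below it and the equivalent `cosmosDiagnostics` parameter in the new Cosmos DB assignment template, so every caller of this template must now pass it or the deployment fails at validation. If the omission is deliberate, a `metadata.description` saying so would help; otherwise `"defaultValue": "Disabled"` matches the siblings.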
@@ -87,11 +98,16 @@ }, "keyVaultDiagnostics": { "value": "[parameters('keyVaultDiagnostics')]" + }, + "hsmDiagnostics": { + "value": "[parameters('hsmDiagnostics')]" + }, + "hsmLogAnalyticsWorkspaceId": { + "value": "[parameters('hsmLogAnalyticsWorkspaceId')]" } } } } - ], "outputs": {} -} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json index 96623194..bbdd0383 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json @@ -218,9 +218,39 @@ "secretsActive": { "type": "string", "defaultValue": "Deny" + }, + "hsmDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "hsmLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "hsmLogCategories": { + "type": "string", + "defaultValue": "allLogs" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b88bfd90-4da5-43eb-936f-ae1481924291", + "policyDefinitionReferenceId": "Dine-Diagnostics-Hsm", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('hsmDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('hsmLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('hsmLogCategories')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", "policyDefinitionReferenceId": "Deny-KV-Secret-AvticeDays", 
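Review bot: The `-}` / `+}` pair at the end of the hunk changes nothing but drops the file's trailing newline (`\ No newline at end of file`), and every new assignment file in this patch is saved the same way; restoring the final newline keeps future diffs free of this churn line. The removed line before `],` appears to be a blank line, which is fine.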
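Review bot: `hsmDiagnostics` defaults to `DeployIfNotExists` while `hsmLogAnalyticsWorkspaceId` defaults to `""`, so the initiative's own defaults would deploy diagnostic settings whose target workspace is an empty string; either default the effect to `Disabled` or state in a `metadata.description` that the workspace ID is required whenever the effect is `DeployIfNotExists`. Neither `hsmDiagnostics` nor `hsmLogCategories` restricts its values with `allowedValues`, unlike the assignment template, so an invalid effect string is only rejected at deployment time. The same pattern is repeated by the Machine Learning, Network and Container Registry initiative hunks on this page.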
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json index 993f55d9..621d7953 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json @@ -162,9 +162,39 @@ "mlCmk": { "type": "string", "defaultValue": "Deny" + }, + "mlDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "mlLogCategories": { + "type": "string", + "defaultValue": "allLogs" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90c90eda-bfe7-4c67-bf26-410420ed1047", + "policyDefinitionReferenceId": "Dine-Diagnostics-Ml", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlDiagnotics')]" + }, + "logAnalytics": { + "value": "[[parameters('mlLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('mlLogCategories')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", "policyDefinitionReferenceId": "Deny-ML-Cmk", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json index 83d2c0db..0381ff2a 100644 
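Review bot: The `effect` value of `Dine-Diagnostics-Ml` references `parameters('mlDiagnotics')`, but the parameter declared a few lines above is `mlDiagnostics`; the initiative references an undeclared parameter, so the deployment will fail rather than wire the diagnostics effect to the intended switch. Change it to `"value": "[[parameters('mlDiagnostics')]"`. The diffstat of patch 31/56 lists a two-line change to this file, which may be the fix, but that hunk is not visible on this page.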
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
@@ -4,7 +4,7 @@
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "type": "string",
- "defaultValue": ""
+ "defaultValue": "FSIDemo"
 }
 },
 "variables": {
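Review bot: Changing the default of `topLevelManagementGroupPrefix` from `""` to `"FSIDemo"` bakes one demo environment's management-group name into a reusable template, so a caller who omits the parameter now silently resolves the initiative scope (presumably built from this prefix, as the sibling initiatives on this page do) against `FSIDemo` instead of failing fast. Keep `"defaultValue": ""`, or drop the default so the parameter is required, and supply the demo value at the call site.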
@@ -1535,9 +1535,159 @@ "erDiagnosticsLogAnalyticsWorkspaceId": { "type": "string", "defaultValue": "" + }, + "bastionDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "bastionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "bastionLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "fdCdnDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "fdCdnLogAnalyticsWorkpaceId": { + "type": "string", + "defaultValue": "" + }, + "fdCdnLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "pipDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "pipLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "pipLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "gwDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "gwLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "gwLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "p2sDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "p2sLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "p2sLogCategories": { + "type": "string", + "defaultValue": "allLogs" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cac9e1c5-c3cb-47fa-8d4c-88b8559262d2", + "policyDefinitionReferenceId": "Dine-Diagnostics-P2S", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('p2sDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('p2sLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('p2sLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed6ae75a-828f-4fea-88fd-dead1145f1dd", + "policyDefinitionReferenceId": "Dine-Diagnostics-Gw", + 
"groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('gwDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('gwLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('gwLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1513498c-3091-461a-b321-e9b433218d28", + "policyDefinitionReferenceId": "Dine-Diagnostics-Pip", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('pipDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('pipLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('pipLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b", + "policyDefinitionReferenceId": "Dine-Diagnostics-FdCdn", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('fdCdnDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('fdCdnLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('fdCdnLogAnalyticsWorkpaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8352124-56fa-4f94-9441-425109cdc14b", + "policyDefinitionReferenceId": "Dine-Diagnostics-Bastion", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('bastionDiagnostics')]" + }, + "categoryGroup": { + "value": "[[parameters('bastionLogCategories')]" + }, + "logAnalytics": { + "value": "[[parameters('bastionLogAnalyticsWorkspaceId')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", 
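Review bot: The new parameter is spelled `fdCdnLogAnalyticsWorkpaceId` (missing the "s" of Workspace) and the `Dine-Diagnostics-FdCdn` reference uses the same misspelling, so it deploys but breaks the `<prefix>LogAnalyticsWorkspaceId` naming every other parameter in this hunk follows, and any assignment that sets it will have to repeat the typo. Rename both occurrences to `fdCdnLogAnalyticsWorkspaceId` before an assignment depends on the name. The five new `*Diagnostics` parameters also default to `DeployIfNotExists` while their workspace IDs default to `""`, so the defaults alone would deploy diagnostic settings with an empty target workspace.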
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 34bd9ede..c5c7ffe0 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -663,6 +663,7 @@
 "compliantContainerRegistryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json')]",
 "compliantContainerRegistryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json')]",
 "compliantCosmosDbPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json')]",
+ "compliantCosmosDbPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json')]",
 "compliantDataExplorerPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json')]",
 "compliantDataFactoryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json')]",
 "compliantEventGridPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json')]",
@@ -841,6 +842,7 @@
 // Compliant Azure Service Policy Assignment deployment names
 "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Auto', variables('deploymentSuffix')), 64)]",
 "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]",
+ "compliantCosmosDbAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]",
 "compliantComputeAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Compute', variables('deploymentSuffix')), 64)]",
 "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
 "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
@@ -996,6 +998,7 @@
 "baseId": "[concat(variables('platformResourceIds').privateDnsRgResourceId, '/providers/Microsoft.Network/privateDnsZones/')]",
 "privateDnsPolicyParameterMapping": {
 "azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]",
+ "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]",
 "azureBackupPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.backup.windowsazure.com')]",
 "azureBackupBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
 "azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]",
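Review bot: `privateDnsPolicyParameterMapping` gains only the Table API zone, `privatelink.table.cosmos.azure.com`, yet the Cosmos DB assignment created later in this patch takes a single `cosmosDbPrivateDnsZoneId` together with a separate `cosmosDbPrivateEndpointGroupId`; unless every Cosmos DB account in the landing zones uses the Table API, the configured zone would presumably not serve the API the endpoint is created for. Consider mapping the zones for the other Cosmos DB APIs as well (the SQL API zone is `privatelink.documents.azure.com`) and selecting the one that corresponds to the configured group ID, with a comment on this line stating that the Table zone is a deliberate, Table-only choice if that is the intent.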
@@ -3360,6 +3363,51 @@ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant } } + }, + { // Creating Policy Assignment Compliant Cosmos Db to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'CosmosDb')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantCosmosDbAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantCosmosDbDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantCosmosDbPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "cosmosDbPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "cosmosDbPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCosmosTablePrivateDnsZoneId, '')]" + }, + "cosmosDbPrivateEndpointGroupId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]" + }, + "cosmosDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "cosmosLogAnalyticsWorkspaceId": { + "value": 
"[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } }, { // Creating Policy Assignment Compliant Key Vault to Landing Zone scope "condition": "[contains(parameters('compliantAzureServices'), 'KeyVault')]", @@ -3396,6 +3444,12 @@ "keyVaultLogAnalyticsWorkspaceId": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" }, + "hsmDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "hsmLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, "userAssignedIdentityResourceId": { "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" } From cf97be81854a669b75a8f57bb698224ffd61c5de Mon Sep 17 00:00:00 2001 
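Review bot: `cosmosDbPrivateEndpointGroupId` is set to `variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId`, i.e. a Key Vault private DNS zone resource ID is passed where a Cosmos DB private-endpoint group ID is expected, so the DNS-zone policy can never match a Cosmos DB endpoint and a Key Vault zone is referenced by an unrelated service. The value should be the Cosmos DB sub-resource group name that corresponds to the zone passed in `cosmosDbPrivateDnsZoneId`; for the Table zone mapped in this patch that is presumably `"value": "Table"`, to be confirmed against the built-in policy's parameter description. The trailing `// Add parameter to toggle DINE to 'disabled' ...` comment is copied from the neighbouring resource and the toggle already exists in the form of `cosmosDiagnostics`, so the comment should be dropped.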
From: Kristian Nese Date: Mon, 27 Feb 2023 12:53:02 +0100 Subject: [PATCH 31/56] more data stuff --- ...ant-ContainerRegistryPolicyAssignment.json | 18 ++ .../Compliant-CosmosDbPolicyAssignment.json | 2 +- ...ompliant-DataExplorerPolicyAssignment.json | 74 ++++++ ...Compliant-DataFactoryPolicyAssignment.json | 96 ++++++++ ...-ContainerRegistryPolicySetDefinition.json | 31 ++- ...liant-DataExplorerPolicySetDefinition.json | 233 ++++++++++++++++++ ...pliant-DataFactoryPolicySetDefinition.json | 186 +++++++++++++- ...nt-MachineLearningPolicySetDefinition.json | 2 +- .../referenceImplementations/fsiPortalV2.json | 12 + .../industryArmV2.json | 97 +++++++- 10 files changed, 744 insertions(+), 7 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json index 13846007..2d0cc8d9 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json @@ -28,6 +28,18 @@ "type": "string", "defaultValue": "" }, + "containerRegistryDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "containerRegistryLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, "userAssignedIdentityResourceId": { "type": "string" } 
@@ -65,6 +77,12 @@
 },
 "containerRegistryPrivateDnsZoneId": {
 "value": "[parameters('containerRegistryPrivateDnsZoneId')]"
+ },
+ "containerRegistryDiagnostics": {
+ "value": "[parameters('containerRegistryDiagnostics')]"
+ },
+ "containerRegistryLogAnalyticsWorkspaceId": {
+ "value": "[parameters('containerRegistryLogAnalyticsWorkspaceId')]"
 }
 }
 }
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json
index 4f22a53f..f7b876b9 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json
@@ -55,7 +55,7 @@
 "policyAssignmentNames": {
 "cosmos": "Compliant-CosmosDb",
 "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per FSI Landing Zones",
- "displayName": "Enforce secure-by-default Key Vault for Financial Services Industry"
+ "displayName": "Enforce secure-by-default Cosmos DB for Financial Services Industry"
 }
 },
 "resources": [
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json
new file mode 100644
index 00000000..0862ebf0
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "adeDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "adeLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAde": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Data-Explorer')]" + }, + "policyAssignmentNames": { + "ade": "Compliant-DEx", + "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Data Explorer for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').ade]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAde]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "adeDiagnostics": 
{ + "value": "[parameters('adeDiagnostics')]" + }, + "adeLogAnalyticsWorkspaceId": { + "value": "[parameters('adeLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json new file mode 100644 index 00000000..78fe6964 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json 
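Review bot: The assignment name `ade` is `Compliant-DEx`, whereas every other assignment in this patch is named after its initiative (`Compliant-CosmosDb`, `Compliant-DataFactory`), and `policyDefinitions.compliantAde` ends in `Compliant-Data-Explorer`, a third spelling of the same thing. If the policySetDefinition deployed by Compliant-DataExplorerPolicySetDefinition.json is not literally named `Compliant-Data-Explorer` the assignment will fail to resolve it; that resource name is not visible on this page, so it should be checked. Settle on one identifier, e.g. `"ade": "Compliant-DataExplorer"`, and make the `policySetDefinitions/` segment match the definition's resource name.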
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "adfPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "adfPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "adfManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "adfDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "adfLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAdf": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-DataFactory')]" + }, + "policyAssignmentNames": { + "adf": "Compliant-DataFactory", + "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Data Factory for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').adf]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + 
"description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compliantAdf]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "adfPrivateDnsZone": {
+ "value": "[parameters('adfPrivateDnsZone')]"
+ },
+ "adfDbPrivateDnsZoneId": {
+ "value": "[parameters('adfPrivateDnsZoneId')]"
+ },
+ "adfDiagnostics": {
+ "value": "[parameters('adfDiagnostics')]"
+ },
+ "adfLogAnalyticsWorkspaceId": {
+ "value": "[parameters('adfLogAnalyticsWorkspaceId')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json
index 20615017..d52d7158 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json
@@ -9,7 +9,6 @@
 },
 "variables": {
 "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
- // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives
 "policies": {
 "policyDefinitions": [
 ]
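Review bot: The assignment passes an initiative parameter named `adfDbPrivateDnsZoneId` while the parameter this template declares is `adfPrivateDnsZoneId`; the `Db` looks copied from the Cosmos DB assignment, and unless the Data Factory initiative really declares `adfDbPrivateDnsZoneId` (its parameter block is not visible on this page) the assignment will be rejected for an unknown parameter. `adfManagedIdentity` is declared with a default of `Deny` but never forwarded in `properties.parameters`, so it is dead input; either add `"adfManagedIdentity": { "value": "[parameters('adfManagedIdentity')]" }` to the parameters block or remove the declaration. The same missing-trailing-newline (`\ No newline at end of file`) appears here as in the other new files of this series.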
@@ -138,9 +137,39 @@ "containerRegistryModifyPublicNetworkAccess": { "type": "string", "defaultValue": "Modify" + }, + "containerRegistryDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "containerRegistryLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "containerRegistryLogCategories": { + "type": "string", + "defaultValue": "allLogs" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56288eb2-4350-461d-9ece-2bb242269dce", + "policyDefinitionReferenceId": "Dine-Diagnostics-CR", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('containerRegistryLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('containerRegistryLogCategories')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Public-Network-Access", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json index e8540f7d..77a4ee45 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json 
@@ -11,6 +11,168 @@ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", "policies": { "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Azure Data Explorer" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + "then": { + "effect": "[[parameters('effect')]", + 
"details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": 
{ + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-ADE" + } ] } }, 
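Review bot: The `existenceCondition` requires `Microsoft.Insights/diagnosticSettings/metrics.enabled` to equal `true` unconditionally, but the deployed setting takes its metrics `enabled` flag from `parameters('metricsEnabled')`; an assignment that sets `metricsEnabled` to `False` deploys a setting that never satisfies the condition, so every evaluation reports the cluster non-compliant and triggers another remediation. Either tie the clause to the parameter, `"equals": "[[parameters('metricsEnabled')]"`, or drop the metrics clause and keep the `logs.enabled` and `workspaceId` checks. The logs block hard-codes `"categoryGroup": "allLogs"` while the built-in diagnostics definitions referenced elsewhere in this series expose the category group as a parameter; exposing it here too would keep the initiatives consistent.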
@@ -85,9 +247,80 @@ "adeDoubleEncryption": { "type": "string", "defaultValue": "Deny" + }, + "adeModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "adePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "adeSku": { + "type": "string", + "defaultValue": "Deny" + }, + "adeDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adeLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-ADE", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('adeLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b", + "policyDefinitionReferenceId": "Deny-ADE-Sku-without-PL-Support", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeSku')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673", + "policyDefinitionReferenceId": "Deny-ADE-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa", + "policyDefinitionReferenceId": "Modify-ADE-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adeModifyPublicNetworkAccess')]" + } + } + }, { "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", "policyDefinitionReferenceId": "Deny-ADE-Double-Encryption", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json index 4ee1e487..1522a29d 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json 
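Review bot: With the set definition's own defaults, `adeDiagnostics` is `DeployIfNotExists` while `adeLogAnalyticsWorkspaceId` is `""`, so the Dine-Diagnostics-ADE reference evaluates an existence condition against an empty workspaceId that no setting can satisfy and, on remediation, would deploy a diagnostic setting with an empty workspace. The assignment in industryArmV2 flips the effect to Disabled when Log Analytics is off, but the definition should be safe on its own: give `adeDiagnostics` `"defaultValue": "Disabled"` plus `"allowedValues": ["DeployIfNotExists", "Disabled"]`, or drop the empty default on the workspace id so callers must supply it. The Data Factory hunk below (`adfDiagnostics`/`adfLogAnalyticsWorkspaceId`) and the three Event Grid `*Diagnostics`/`*LogAnalyticsWorkspaceId` pairs in the later patch have the same pairing. The reference `variables('policies').policyDefinitions[0].name` is positional, so inserting another custom definition ahead of it silently re-targets this entry; that ordering dependency deserves a note wherever the custom definitions are documented.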
@@ -9,9 +9,170 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Data Factory" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": 
{ + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-DataFactory" + } ] } }, 
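Review bot: The existence condition's `metrics.enabled equals "true"` clause conflicts with the `metricsEnabled` parameter allowing `"False"`: a factory remediated with metrics off never satisfies the condition, so it stays non-compliant and every remediation re-deploys the same setting. Wrap that clause in an `anyOf` whose other branch is `{ "value": "[[parameters('metricsEnabled')]", "equals": "False" }`, or drop the metrics clause and rely on the `logs.enabled` and `workspaceId` matches. The Data Explorer definition at the top of this view carries the identical condition (its hunk begins outside this view), so the same change applies there.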
@@ -116,9 +277,32 @@ "adfManagedIdentity": { "type": "string", "defaultValue": "Deny" + }, + "adfDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-DataFactory", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('adfLogAnalyticsWorkspaceId')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json index 621d7953..1ff691b8 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json @@ -185,7 +185,7 @@ ], "parameters": { "effect": { - "value": "[[parameters('mlDiagnotics')]" + "value": "[[parameters('mlDiagnostics')]" }, "logAnalytics": { "value": "[[parameters('mlLogAnalyticsWorkspaceId')]" diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index f55995f8..17bf236c 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json 
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -567,6 +567,8 @@ "Container Instance", "Container Registry", "Cosmos DB", + "Data Explorer", + "Data Factory", "Key Vault", "SQL", "Service Bus", @@ -648,6 +650,16 @@ "description": "Azure policies will ensure secure by-default compliance for Cosmos DB, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", "value": "CosmosDb" }, + { + "label": "Data Explorer", + "description": "Azure policies will ensure secure by-default compliance for Data Explorer, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", + "value": "DataExplorer" + }, + { + "label": "Data Factory", + "description": "Azure policies will ensure secure by-default compliance for Data Factory, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", + "value": "DataFactory" + }, { "label": "Open AI", "description": "Azure policies will ensure secure by-default compliance for Open AI, enforce access via private endpoints, centralized authorization, and centralized logging.", diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index c5c7ffe0..19861d30 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json 
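Review bot: The new Data Factory entry's description promises private endpoints and double encryption, but it is the Cosmos DB sentence reused verbatim, and the Data Factory initiative changed in this patch visibly adds only diagnostics alongside the managed-identity policy. Confirm those controls exist in the full Compliant-DataFactoryPolicySetDefinition.json, or trim the text to what the initiative actually enforces, since this string is what an operator reads when selecting the service in the portal. The Data Explorer text does line up with at least `adeDoubleEncryption` and the public-network-access policies visible above.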
@@ -665,7 +665,9 @@ "compliantCosmosDbPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json')]", "compliantCosmosDbPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json')]", "compliantDataExplorerPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataExplorerPolicySetDefinition.json')]", + "compliantDataExplorerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-DataExplorerPolicyAssignment.json')]", "compliantDataFactoryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json')]", + "compliantDataFactoryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json')]", "compliantEventGridPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json')]", "compliantEventHubPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json')]", "compliantKeyVaultPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json')]", 
@@ -844,6 +846,8 @@ "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]", "compliantCosmosDbAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]", "compliantComputeAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Compute', variables('deploymentSuffix')), 64)]", + "compliantDataExplorerAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ADE', variables('deploymentSuffix')), 64)]", + "compliantDataFactoryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ADF', variables('deploymentSuffix')), 64)]", "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]", "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]", "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]", @@ -946,6 +950,7 @@ "privatelink.mysql.database.azure.com", "privatelink.mariadb.database.azure.com", "privatelink.vaultcore.azure.net", + "privatelink.datafactory.azure.net", "[concat('privatelink.', parameters('location'), '.azmk8s.io')]", "privatelink.search.windows.net", "privatelink.azurecr.io", 
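Review bot: `compliantDataExplorerAssignmentDeploymentName` and `compliantDataFactoryAssignmentDeploymentName` build their names from `-Enforce-Compliant-ADE` and `-Enforce-Compliant-ADF`, whereas every sibling uses the full service name (`-Enforce-Compliant-CosmosDb`, `-Enforce-Compliant-KeyVault`, `-Enforce-Compliant-ContainerApps`). Use `'-Enforce-Compliant-DataExplorer'` and `'-Enforce-Compliant-DataFactory'` so the deployment names match the file and variable naming; both stay well under the 64-character `take`.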
@@ -999,6 +1004,8 @@ "privateDnsPolicyParameterMapping": { "azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]", "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]", + "azureCosmosSqlPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.documents.azure.com')]", + "azureDataFactoryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.datafactory.azure.net')]", "azureBackupPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.backup.windowsazure.com')]", "azureBackupBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", "azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]", @@ -3357,6 +3364,12 @@ "containerRegistryPrivateDnsZoneId": { "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureContainerRegistryPrivateDnsZoneId, '')]" }, + "containerRegistryDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "containerRegistryLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, "userAssignedIdentityResourceId": { "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" } 
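Review bot: `azureCosmosSqlPrivateDnsZoneId` points at `privatelink.documents.azure.com`, but the zone-list hunk in this file adds only `privatelink.datafactory.azure.net`; unless `privatelink.documents.azure.com` is already in that list elsewhere, the Cosmos DB assignment that is switched to this id in the next hunk will reference a zone the `dnsZones` deployment never creates. Please confirm the zone is present or add it alongside the Data Factory entry.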
@@ -3391,10 +3404,10 @@ "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" }, "cosmosDbPrivateDnsZoneId": { - "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCosmosTablePrivateDnsZoneId, '')]" + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCosmosSqlPrivateDnsZoneId, '')]" }, "cosmosDbPrivateEndpointGroupId": { - "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]" + "value": "Sql" }, "cosmosDiagnostics": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" 
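Review bot: `cosmosDbPrivateEndpointGroupId` becomes the literal `"Sql"` — correct for `privatelink.documents.azure.com` and a real fix over the previous value, which passed a Key Vault DNS zone id as a group id — but nothing records that only SQL-API Cosmos accounts are covered by this pairing. The resources section already uses `//` comments, so a one-liner such as `// "Sql" pairs with privatelink.documents.azure.com; other Cosmos APIs need their own zone/group pair` next to the value would do. The mapping still carries `azureCosmosTablePrivateDnsZoneId`, which this assignment no longer appears to use.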
@@ -3408,7 +3421,85 @@ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant } } - }, + }, + { // Creating Policy Assignment Compliant Data Explorer to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'DataExplorer')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantDataExplorerAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantDataExplorerDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataExplorerPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "adeDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "adeLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Data Factory Vault to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 
'DataFactory')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantDataFactoryAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantDataFactoryDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantDataFactoryPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "adfPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "adfDbPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureDataFactoryPrivateDnsZoneId, '')]" + }, + "adfDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "adfLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, { // Creating Policy Assignment Compliant Key Vault to Landing Zone scope "condition": 
"[contains(parameters('compliantAzureServices'), 'KeyVault')]", "type": "Microsoft.Resources/deployments", From 975c2280f8f82b8db13e6aaa11fce82df411432e Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 27 Feb 2023 12:57:10 +0100 Subject: [PATCH 32/56] removing 'db' --- .../Compliant-DataFactoryPolicyAssignment.json | 2 +- foundations/azure/referenceImplementations/industryArmV2.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json index 78fe6964..24480261 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json @@ -79,7 +79,7 @@ "adfPrivateDnsZone": { "value": "[parameters('adfPrivateDnsZone')]" }, - "adfDbPrivateDnsZoneId": { + "adfPrivateDnsZoneId": { "value": "[parameters('adfPrivateDnsZoneId')]" }, "adfDiagnostics": { diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index 19861d30..ea764f85 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json @@ -3484,7 +3484,7 @@ "adfPrivateDnsZone": { "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" }, - "adfDbPrivateDnsZoneId": { + "adfPrivateDnsZoneId": { "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureDataFactoryPrivateDnsZoneId, '')]" }, "adfDiagnostics": { 
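Review bot: The comment on the Data Factory assignment reads `// Creating Policy Assignment Data Factory Vault to Landing Zone scope`, a leftover from the Key Vault block; make it `// Creating Policy Assignment Compliant Data Factory to Landing Zone scope`. Both new blocks depend on `variables('deploymentNames').compliantDataExplorerDeploymentName` and `.compliantDataFactoryDeploymentName`, which the `deploymentNames` hunk in this patch does not add; if they are not already defined elsewhere in the file, template validation fails on the undefined property. The inherited `// Add parameter to toggle DINE to 'disabled' of condition is not met` comment is copied into both blocks and should read `if condition is not met`. The Data Explorer block depends on `dnsZones` but passes no DNS-zone parameters, which is harmless but looks unnecessary.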
From 13a1c21720ff458a49e2ef9d334a84343c897e68 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Mon, 27 Feb 2023 15:05:13 +0100 Subject: [PATCH 33/56] compliant events --- .../Compliant-EventGridPolicyAssignment .json | 143 ++++++++++++++++++ .../Compliant-EventHubPolicyAssignment.json | 92 +++++++++++ ...ompliant-EventGridPolicySetDefinition.json | 91 ++++++++++- ...Compliant-EventHubPolicySetDefinition.json | 96 +++++++----- .../industryArmV2.json | 111 +++++++++++++- 5 files changed, 492 insertions(+), 41 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment .json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment .json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment .json new file mode 100644 index 00000000..ef564bfe --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment .json 
@@ -0,0 +1,143 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "eventGridDomainPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridDomainPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridTopicPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridPartnerDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantEg": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Event-Grid')]" + }, + "policyAssignmentNames": { + "eg": 
"Compliant-Event-Grid", + "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Event Grid for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').eg]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantEg]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "eventGridDomainPrivateDnsZone": { + "value": "[parameters('eventGridDomainPrivateDnsZone')]" + }, + "eventGridDomainPrivateDnsZoneId": { + "value": "[parameters('eventGridDomainPrivateDnsZoneId')]" + }, + "eventGridTopicPrivateDnsZone": { + "value": "[parameters('eventGridTopicPrivateDnsZone')]" + }, + "eventGridTopicPrivateDnsZoneId": { + "value": "[parameters('eventGridTopicPrivateDnsZoneId')]" + }, + "eventGridPartnerDiagnostics": { + "value": "[parameters('eventGridPartnerDiagnostics')]" + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "value": "[parameters('eventGridPartnerLogAnalyticsWorkspaceId')]" + }, + "eventGridTopicDiagnostics": { + "value": "[parameters('eventGridTopicDiagnostics')]" + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "value": "[parameters('eventGridTopicLogAnalyticsWorkspaceId')]" + }, + "eventGridDomainDiagnostics": { + "value": "[parameters('eventGridDomainDiagnostics')]" + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "value": "[parameters('eventGridDomainLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file 
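Review bot: The new file's path is `Compliant-EventGridPolicyAssignment .json`, with a space before the extension; any `templateLink` URI built for it has to reproduce that space, and the sibling Event Hub file follows the usual `Compliant-<Service>PolicyAssignment.json` pattern, so rename it before anything references it. `eventGridPartnerDiagnostics`, `eventGridTopicDiagnostics` and `eventGridDomainDiagnostics` declare `allowedValues` but no `defaultValue`, unlike the two DNS-zone effects in this file and `eventHubDiagnostics` in the sibling template; add `"defaultValue": "Disabled",` to each so the template deploys when those are not supplied.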
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json new file mode 100644 index 00000000..50759151 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "eventHubNamespacesPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventHubNamespacesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventHubDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "eventHubLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantEh": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Event-Hub')]" + }, + "policyAssignmentNames": { + "eh": "Compliant-Event-Hub", + "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Event Grid for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').eh]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantEh]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "eventHubNamespacesPrivateDnsZone": { + "value": "[parameters('eventHubNamespacesPrivateDnsZone')]" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "value": "[parameters('eventHubNamespacesPrivateDnsZoneId')]" + }, + "eventHubDiagnostics": { + "value": "[parameters('eventHubDiagnostics')]" + }, + "eventHubLogAnalyticsWorkspaceId": { + "value": "[parameters('eventHubLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json index fcdd55f1..b5fb004b 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json @@ -9,7 +9,6 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ ] 
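Review bot: `policyAssignmentNames.displayName` in the Event Hub assignment says `Enforce secure-by-default Event Grid for Financial Services Industry`, copied from the Event Grid template; it should read `"displayName": "Enforce secure-by-default Event Hub for Financial Services Industry"`. The `description` entry directly above already says Event Hub, so the two will disagree in the portal.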
@@ -136,9 +135,99 @@ "eventGridTopicModifyPublicNetworkAccess": { "type": "string", "defaultValue": "Modify" + }, + "eventGridPartnerDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridPartnerLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "eventGridTopicDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "eventGridDomainDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainLogCategories": { + "type": "string", + "defaultValue": "allLogs" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b90ec596-faa6-4c61-9515-34085703e260", + "policyDefinitionReferenceId": "Dine-Diagnostics-EventGrid-Domain", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('eventGridDomainLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('eventGridDomainLogCategories')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46b2dd5d-3936-4347-8908-b298ea4466d3", + "policyDefinitionReferenceId": "Dine-Diagnostics-EventGrid-Topic", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('eventGridTopicLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('eventGridTopicLogCategories')]" + } + } + }, + { + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3496f6fd-57ba-485c-8a14-183c4493b781", + "policyDefinitionReferenceId": "Dine-Diagnostics-EventGrid-Partner", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPartnerDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('eventGridPartnerLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('eventGridPartnerLogCategories')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4", "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json index 746d0ca7..2c8b300e 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json @@ -9,7 +9,6 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ { 
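Review bot: The three new `*Diagnostics` parameters in the `@@ -136,9 +135,99 @@` hunk default to `DeployIfNotExists` while their paired `*LogAnalyticsWorkspaceId` parameters default to `""`, so the initiative's own defaults describe a remediation with no target workspace; the assignment templates on this page default such effects to `Disabled` and gate the workspace id on `enableLogAnalytics`. Either align the initiative defaults (`"defaultValue": "Disabled"`) or add `allowedValues` of `"DeployIfNotExists"` and `"Disabled"` plus a `metadata.description` saying the workspace id is required when the effect is active. The same pattern appears in the Event Hub hunk `@@ -156,9 +155,32 @@` (`eventHubDiagnostics`) and the Kubernetes hunk `@@ -254,9 +253,32 @@` (`aksDiagnostics`) later on this page. The `categoryGroup` parameter is passed only to the three Event Grid built-ins here and not to the Event Hub or AKS diagnostics built-ins; the built-in definitions are not visible, so confirm each accepts the parameters being passed, since a parameter name the referenced definition does not declare would presumably be rejected when the policy set is deployed.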
@@ -18,46 +17,46 @@ "mode": "Indexed", "description": "Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.", "metadata": { - "version": "1.0.0", - "category": "Event Hub" + "version": "1.0.0", + "category": "Event Hub" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.EventHub/namespaces" - }, - { - "field": "Microsoft.EventHub/namespaces/clusterArmId", - "exists": "true" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "field": "Microsoft.EventHub/namespaces/clusterArmId", + "exists": "true" + }, + { + "not": { + "field": "Microsoft.EventHub/namespaces/encryption.keySource", + "equals": "Microsoft.Keyvault" + } + } + ] }, - { - "not": { - "field": "Microsoft.EventHub/namespaces/encryption.keySource", - "equals": "Microsoft.Keyvault" - } + "then": { + "effect": "[[parameters('effect')]" } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } } }, "name": "Deny-EH-Cmk" 
@@ -156,9 +155,32 @@
 "eventHubNamespacesCmk": {
 "type": "string",
 "defaultValue": "Deny"
+ },
+ "eventHubDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "eventHubLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
 }
 },
- "policyDefinitions": [
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-EH",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventHubDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('eventHubLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
 "policyDefinitionReferenceId": "Deny-EH-Cmk",
@@ -245,7 +267,7 @@
 "value": "[[parameters('eventHubAuthRules')]"
 }
 }
- }
+ }
 ]
 }
 }
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index ea764f85..1cbb9e14 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -669,7 +669,9 @@
 "compliantDataFactoryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json')]",
 "compliantDataFactoryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json')]",
 "compliantEventGridPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json')]",
+ "compliantEventGridPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignment/Compliant-EventGridPolicyAssignment.json')]",
 "compliantEventHubPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json')]",
+ "compliantEventHubPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json')]",
 "compliantKeyVaultPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json')]",
 "compliantKeyVaultPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json')]",
 "compliantKubernetesPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json')]",
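Review bot: The added `compliantEventGridPolicyAssignment` URI uses the directory segment `policyAssignment/` while the sibling `compliantEventHubPolicyAssignment` line and every existing assignment entry use `policyAssignments/`, so the Event Grid linked-template deployment cannot fetch its template: `"compliantEventGridPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json')]",`. PATCH 34 later on this page corrects the segment, and its diffstat also shows the file on disk was named `Compliant-EventGridPolicyAssignment .json` with a space, so the URI was unresolvable for two separate reasons until that patch.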
@@ -848,6 +850,8 @@
 "compliantComputeAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Compute', variables('deploymentSuffix')), 64)]",
 "compliantDataExplorerAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ADE', variables('deploymentSuffix')), 64)]",
 "compliantDataFactoryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ADF', variables('deploymentSuffix')), 64)]",
+ "compliantEventGridAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EG', variables('deploymentSuffix')), 64)]",
+ "compliantEventHubAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EH', variables('deploymentSuffix')), 64)]",
 "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
 "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
 "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
@@ -1006,6 +1010,7 @@
 "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]",
 "azureCosmosSqlPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.documents.azure.com')]",
 "azureDataFactoryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.datafactory.azure.net')]",
+ "azureEventGridPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]",
 "azureBackupPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.backup.windowsazure.com')]",
 "azureBackupBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
 "azureBackupQueuePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]",
@@ -1019,11 +1024,9 @@
 "azureKeyVaultPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.vaultcore.azure.net')]",
 "azureSignalRPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.service.signalr.net')]",
 "azureAppServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurewebsites.net')]",
- "azureEventGridTopicsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]",
 "azureDiskAccessPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
 "azureCognitiveServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cognitiveservices.azure.com')]",
 "azureIotHubsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.net')]",
- "azureEventGridDomainsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]",
 "azureRedisCachePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.redis.cache.windows.net')]",
 "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.io')]",
 "azureContainerRegistryPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.azurecr.io')]",
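Review bot: The `@@ -1019,11 +1024,9 @@` hunk deletes the `azureEventGridTopicsPrivateDnsZoneId` and `azureEventGridDomainsPrivateDnsZoneId` keys in favour of the single `azureEventGridPrivateDnsZoneId` added in the `@@ -1006,6 +1010,7 @@` hunk; any resource in this template or a linked one that still reads the old keys would fail at deployment with an unresolvable variable property. The new Event Grid assignment block in this patch already uses the new key, but the rest of the file is not visible, so a search for the two removed names is warranted. A short comment on the new line, e.g. `// Event Grid topics and domains share the privatelink.eventgrid.azure.net zone`, would record why one zone id now serves both resource types, which is what the two removed lines show.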
@@ -3547,7 +3550,109 @@ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant } } - }, + }, + { // Creating Policy Assignment Compliant Event Grid to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'EventGrid')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantEventGridAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantEventGridDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventGridPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "eventGridDomainPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridDomainPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]" + }, + "eventGridTopicPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridTopicPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]" + }, + 
"eventGridPartnerDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridPartnerLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "eventGridTopicDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridTopicLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "eventGridDomainDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridDomainLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Event Hub to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'EventHub')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantEventHubAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantEventHubDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantEventHubPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "eventHubNamespacesPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]" + }, + "eventHubDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventHubLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, /* The following section will optionally configure the governance for the Identity management group for the platform */ From fdd1d136afbca8318b8e2cbbc33562b0de282ae8 Mon Sep 17 00:00:00 2001 
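Review bot: The new Event Hub assignment resource passes `variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId`, but the only key this patch adds to that map is `azureEventGridPrivateDnsZoneId` (hunk `@@ -1006,6 +1010,7 @@`); unless the Event Hub key already existed before this patch, the expression fails as soon as `enablePrivateDnsZones` is `Yes` and the Compliant-EventHub condition is met. Both new blocks also depend on `compliantEventGridDeploymentName` and `compliantEventHubDeploymentName`, which are not among the names added in the `@@ -848,6 +850,8 @@` hunk, so confirm they resolve. Neither block passes `enforcementMode`, so the linked assignment templates run with their `Default` value; a one-line comment such as `// enforcementMode intentionally left at the linked template's default (Default)` would make that explicit. The resources array these blocks extend starts and ends outside the hunk.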
From: Kristian Nese Date: Mon, 27 Feb 2023 18:19:45 +0100 Subject: [PATCH 34/56] aks + nw --- ... Compliant-EventGridPolicyAssignment.json} | 0 .../Compliant-EventHubPolicyAssignment.json | 2 +- .../Compliant-KubernetesPolicyAssignment.json | 91 +++++++++++ ...mpliant-KubernetesPolicySetDefinition.json | 150 ++++++++++-------- .../Compliant-NetworkPolicySetDefinition.json | 10 +- .../referenceImplementations/fsiPortalV2.json | 5 + .../industryArmV2.json | 48 +++++- 7 files changed, 233 insertions(+), 73 deletions(-) rename foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/{Compliant-EventGridPolicyAssignment .json => Compliant-EventGridPolicyAssignment.json} (100%) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment .json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json similarity index 100% rename from foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment .json rename to foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json index 50759151..539e74ff 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json 
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json
@@ -51,7 +51,7 @@
 "policyAssignmentNames": {
 "eh": "Compliant-Event-Hub",
 "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per FSI Landing Zones",
- "displayName": "Enforce secure-by-default Event Grid for Financial Services Industry"
+ "displayName": "Enforce secure-by-default Event Hub for Financial Services Industry"
 }
 },
 "resources": [
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json
new file mode 100644
index 00000000..80545e82
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json
@@ -0,0 +1,91 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "aksDefender": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "type": "string", + "defaultValue": "" + }, + "aksDiagnostics": { + "type": "string", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAks": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Kubernetes')]" + }, + "policyAssignmentNames": { + "aks": "Compliant-Kubernetes", + "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Kubernetes for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').aks]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": 
"[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAks]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "aksDefender": { + "value": "[parameters('aksDefender')]" + }, + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "value": "[parameters('aksDefenderLogAnalyticsWorkspaceResourceId')]" + }, + "aksDiagnostics": { + "value": "[parameters('aksDiagnostics')]" + }, + "aksLogAnalyticsWorkspaceId": { + "value": "[parameters('aksLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json index 3589923b..8c7fa541 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json @@ -9,7 +9,6 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ { 
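Review bot: `aksDiagnostics` declares `allowedValues` but no `defaultValue`, unlike its sibling `aksDefender`, so the template cannot be deployed unless every caller supplies it; if that is not intended, add `"defaultValue": "Disabled"` to match `aksDefender` and the Event Hub assignment template earlier on this page. The two workspace parameters are named inconsistently (`aksDefenderLogAnalyticsWorkspaceResourceId` versus `aksLogAnalyticsWorkspaceId`) although both presumably carry a Log Analytics workspace resource id; these names are the external interface of the linked template, so settling on one form now avoids a breaking rename later. As in the other assignment templates, only `topLevelManagementGroupPrefix` has a `metadata.description`; the identity and workspace parameters deserve one as well.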
@@ -18,45 +17,45 @@ "mode": "Indexed", "description": "Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption.", "metadata": { - "version": "1.0.0", - "category": "Kubernetes" + "version": "1.0.0", + "category": "Kubernetes" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy", - "portalReview": true - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy", + "portalReview": true + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.ContainerService/managedClusters" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "identity.type", + "notEquals": "SystemAssigned" + }, + { + "field": "Microsoft.ContainerService/managedClusters/securityProfile.azureKeyVaultKms.enabled", + "notEquals": true + } + ] }, - { - "field": "identity.type", - "notEquals": "SystemAssigned" - }, - { - "field": "Microsoft.ContainerService/managedClusters/securityProfile.azureKeyVaultKms.enabled", - "notEquals": true + "then": { + "effect": "[[parameters('effect')]" } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } } }, "name": "Deny-Aks-CSI" 
@@ -67,41 +66,41 @@ "mode": "Indexed", "description": "Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni", "metadata": { - "version": "1.0.1", - "category": "Kubernetes" + "version": "1.0.1", + "category": "Kubernetes" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy", - "portalReview": true - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy", + "portalReview": true + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.ContainerService/managedClusters" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin", + "notEquals": "azure" + } + ] }, - { - "field": "Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin", - "notEquals": "azure" + "then": { + "effect": "[[parameters('effect')]" } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } } }, "name": "Deny-Aks-Cni" 
@@ -254,9 +253,32 @@
 "aksWindowsContainerAdministrator": {
 "type": "string",
 "defaultValue": "Deny"
+ },
+ "aksDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "aksLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
 }
 },
- "policyDefinitions": [
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8",
+ "policyDefinitionReferenceId": "Dine-Diagnostics-Aks",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('aksDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('aksLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75",
 "policyDefinitionReferenceId": "Deny-Aks-Windows-Conatiner-Administrator",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
index 0381ff2a..881a2f0a 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json
@@ -14,7 +14,7 @@
 {
 "properties": {
 "Description": "This policy prevents creation of subnets without a UDR attached to them.",
- "DisplayName": "Prevent subnets without Route Table",
+ "DisplayName": "Prevent creation of subnets without Route Table",
 "Metadata": {
 "category": "Network",
 "version": "1.0.0"
@@ -102,7 +102,7 @@
 {
 "properties": {
 "Description": "This policy prevents creation of subnets without an NSG attached to them.",
- "DisplayName": "Prevent subnets without NSG",
+ "DisplayName": "Prevent creation of subnets without NSG",
 "Metadata": {
 "category": "Network",
 "version": "1.0.0"
@@ -141,8 +141,7 @@
 "notIn": [
 "GatewaySubnet",
 "AzureFirewallSubnet",
- "AzureFirewallManagementSubnet",
- "AzureBastionSubnet"
+ "AzureFirewallManagementSubnet"
 ]
 },
 {
@@ -171,8 +170,7 @@
 "notIn": [
 "GatewaySubnet",
 "AzureFirewallSubnet",
- "AzureFirewallManagementSubnet",
- "AzureBastionSubnet"
+ "AzureFirewallManagementSubnet"
 ]
 },
 {
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
index 17bf236c..286e71db 100644
--- a/foundations/azure/referenceImplementations/fsiPortalV2.json
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
@@ -635,6 +635,11 @@
 "description": "Azure policies will ensure secure by-default compliance for Key Vaults, secrets, keys, and certificates, enforce access via private endpoints, purge protection, and centralized logging.",
 "value": "KeyVault"
 },
+ {
+ "label": "Kubernetes",
+ "description": "Azure policies will ensure secure by-default compliance for Kubernetes (AKS), secrets, keys, and certificates, enforce access via private endpoints, centralized authorization and governance, and centralized logging.",
+ "value": "Kubernetes"
+ },
 {
 "label": "SQL",
 "description": "Azure policies will ensure secure by-default compliance for SQL servers and SQL databases, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.",
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 1cbb9e14..f1d29aec 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
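Review bot: The `@@ -141,8 +141,7 @@` and `@@ -171,8 +170,7 @@` hunks drop `AzureBastionSubnet` from the `notIn` exclusion lists, so Bastion subnets now fall under the deny rule, and nothing in the change records why the exemption was removed. From the hunk offsets both lists sit after the NSG policy that begins at line 102, so presumably these are the NSG conditions for the two subnet resource paths; an NSG on AzureBastionSubnet only works with the specific rule set Bastion requires, and if the route-table policy starting near line 14 has a matching exclusion list it should be reviewed deliberately rather than changed by copy, since the two controls have different constraints on that subnet. A one-line comment on the list, e.g. `// AzureBastionSubnet is intentionally not exempt: Bastion supports an NSG provided it carries the required rules`, would document the decision. The policy rules containing these lists start and end outside the hunks.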
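Review bot: The new Kubernetes entry's `description` repeats the Key Vault wording ("secrets, keys, and certificates, enforce access via private endpoints"), which does not match the Compliant-Kubernetes controls visible on this page (KMS encryption of etcd secrets, Azure CNI, Windows container administrator restrictions, Defender per the `aksDefender` parameter, and diagnostics). Portal text is what an operator reads to decide whether to enable the option, so it should name what is actually enforced, e.g. `"description": "Azure policies will ensure secure by-default compliance for Azure Kubernetes Service (AKS) clusters, enforce KMS encryption of secrets, Azure CNI networking, restrictions on Windows container administrators, Defender, and centralized logging."`. The `value` of `Kubernetes` lines up with the `Compliant-Kubernetes` naming used in the new assignment template.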
+++ b/foundations/azure/referenceImplementations/industryArmV2.json 
@@ -669,12 +669,13 @@
 "compliantDataFactoryPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json')]",
 "compliantDataFactoryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json')]",
 "compliantEventGridPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json')]",
- "compliantEventGridPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignment/Compliant-EventGridPolicyAssignment.json')]",
+ "compliantEventGridPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json')]",
 "compliantEventHubPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json')]",
 "compliantEventHubPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json')]",
 "compliantKeyVaultPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json')]",
 "compliantKeyVaultPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json')]",
 "compliantKubernetesPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json')]",
+ "compliantKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json')]",
 "compliantMachineLearningPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json')]",
 "compliantOpenAiPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json')]",
 "compliantServiceBusPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json')]",
@@ -856,6 +857,7 @@
 "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
 "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
 "compliantContainerRegistryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
+ "compliantKubernetesAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
 "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
 "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
 // Telco specific policies assignment deployments
@@ -3652,7 +3654,49 @@
 // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
 }
 }
- },
+ },
+ { // Creating Policy Assignment Compliant Kubernetes to Landing Zone scope
+ "condition": "[contains(parameters('compliantAzureServices'), 'Kubernetes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
+ "name": "[variables('deploymentNames').compliantKubernetesAssignmentDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantKubernetesDeploymentName)]",
+ "dnsZones",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantKubernetesPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ },
+ "eventHubNamespacesPrivateDnsZone": {
+ "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "eventHubNamespacesPrivateDnsZoneId": {
+ "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]"
+ },
+ "eventHubDiagnostics": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "eventHubLogAnalyticsWorkspaceId": {
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ },
+ "userAssignedIdentityResourceId": {
+ "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
+ }
+ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant
+ }
+ }
+ },
 /* The following section will optionally configure the governance for the Identity management group for the platform */
From 66b1b4982fed537909a02674b850b02d6e671922 Mon Sep 17 00:00:00 2001 From: Marvin Buss <34542414+marvinbuss@users.noreply.github.com> Date: Mon, 27 Feb 2023 19:14:08 +0000 Subject: [PATCH 35/56] Update Cognitive Services Policies (#370) Co-authored-by: Kristian Nese --- ...t-CogitiveServicePolicySetDefinition.json} | 110 +++++++++++++++++- 1 file changed, 109 insertions(+), 1 deletion(-) rename foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/{Compliant-OpenAiPolicySetDefinition.json => Compliant-CogitiveServicePolicySetDefinition.json} (67%)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CogitiveServicePolicySetDefinition.json
similarity index 67%
rename from foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json
rename to foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CogitiveServicePolicySetDefinition.json
index 1794c8ec..76cfd416 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CogitiveServicePolicySetDefinition.json
@@ -12,6 +12,114 @@ // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ + { + "properties": { + "displayName": "Outbound network access should be restricted for Cognitive Services", + "mode": "Indexed", + "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Service" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-CognitiveServices-RestrictOutboundNetworkAccess" + }, + { + "properties": { + "displayName": "Network ACLs should be restricted for Cognitive Services", + "mode": "Indexed", + "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. 
Enable this to restrict inbound network access and enforce the usage of private endpoints.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Service" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-CognitiveServices-NetworkAcls" + } ] } }, @@ -128,7 +236,7 @@ "value": "[[parameters('cognitiveServicesManagedIdentity')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", "policyDefinitionReferenceId": "Dine-Cognitive-Services-Private-Dns", From 8be8b346c8d00b9216f1ab277aebe9f77e99d0af Mon Sep 17 00:00:00 2001 
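Review bot: `Deny-CognitiveServices-NetworkAcls` only triggers when `networkAcls.ipRules[*]` or `networkAcls.virtualNetworkRules[*]` has at least one entry, so an account with no rules at all — where the `networkAcls.defaultAction` decides who gets in — is compliant even if that default is Allow, which is the fully public configuration. The description promises to "enforce the usage of private endpoints", which this rule alone does not do; either extend the `anyOf` with a branch on the `Microsoft.CognitiveServices/accounts/networkAcls.defaultAction` alias not equal to `Deny`, or state in the description that a separate policy in the initiative covers the default action. The outbound policy above uses the string `"exists": "false"` while the sibling condition compares `notEquals` against the boolean `true`; Azure Policy accepts both, but one typing style would be easier to read. The enclosing `policyDefinitions` array continues outside the hunk.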
From: Kristian Nese Date: Mon, 27 Feb 2023 21:28:55 +0100 Subject: [PATCH 36/56] nw part 1 --- ...liant-MachineLearningPolicyAssignment.json | 97 +++++++ .../Compliant-NetworkPolicyAssignment.json | 264 ++++++++++++++++++ .../Compliant-OpenAiPolicyAssignment.json | 73 +++++ ... Compliant-OpenAiPolicySetDefinition.json} | 39 ++- .../referenceImplementations/fsiPortalV2.json | 5 + .../industryArmV2.json | 162 ++++++++++- 6 files changed, 635 insertions(+), 5 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json rename foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/{Compliant-CogitiveServicePolicySetDefinition.json => Compliant-OpenAiPolicySetDefinition.json} (90%)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json
new file mode 100644
index 00000000..e9ba8737
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json
@@ -0,0 +1,97 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "mlDiagnostics": {
+ "type": "string",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "mlLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "mlPrivateDnsZone": {
+ "type": "string",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "mlPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "mlSecondPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "compliantMl": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Machine-Learning')]"
+ },
+ "policyAssignmentNames": {
+ "ml": "Compliant-Machine-Learning",
+ "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Machine Learning for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').ml]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compliantMl]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "mlDiagnostics": {
+ "value": "[parameters('mlDiagnostics')]"
+ },
+ "mlLogAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('mlLogAnalyticsWorkspaceId')]"
+ },
+ "mlPrivateDnsZone": {
+ "value": "[parameters('mlPrivateDnsZone')]"
+ },
+ "mlPrivateDnsZoneId": {
+ "value": "[parameters('mlPrivateDnsZoneId')]"
+ },
+ "mlSecondPrivateDnsZoneId": {
+ "value": "[parameters('mlSecondPrivateDnsZoneId')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json
new file mode 100644
index 00000000..3c4c196d
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json
@@ -0,0 +1,264 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "vnetModifyDdos": { + "type": "string", + "defaultValue": "Modify" + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "nsgDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "nsgLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "lbDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "fdDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "fdDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "tmDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "vnetDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "erDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "bastionDiagnostics": { + 
"type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "bastionLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "fdCdnDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "fdCdnLogAnalyticsWorkpaceId": { + "type": "string", + "defaultValue": "" + }, + "pipDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "pipLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "gwDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "gwLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "p2sDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "p2sLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantNw": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Network')]" + }, + "policyAssignmentNames": { + "nw": "Compliant-Network", + "description": "This policy initiative is a group of policies that ensures Network and Networking Services are compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Network and Networking Services for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').nw]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + 
"[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantNw]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "vnetModifyDdos": { + "value": "[parameters('vnetModifyDdos')]" + }, + "ddosPlanResourceId": { + "value": "[parameters('ddosPlanResourceId')]" + }, + "nsgDiagnostics": { + "value": "[parameters('nsgDiagnostics')]" + }, + "nsgLogAnalyticsWorkspaceId": { + "value": "[parameters('nsgLogAnalyticsWorkspaceId')]" + }, + "lbDiagnostics": { + "value": "[parameters('lbDiagnostics')]" + }, + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('lbDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "fdDiagnostics": { + "value": "[parameters('fdDiagnostics')]" + }, + "fdDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('fdDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "tmDiagnostics": { + "value": "[parameters('tmDiagnostics')]" + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('tmDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "vnetDiagnostics": { + "value": "[parameters('vnetDiagnostics')]" + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('vnetDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "erDiagnostics": { + "value": "[parameters('erDiagnostics')]" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[parameters('erDiagnosticsLogAnalyticsWorkspaceId')]" + }, + "bastionDiagnostics": { + "value": "[parameters('bastionDiagnostics')]" + }, + "bastionLogAnalyticsWorkspaceId": { + "value": "[parameters('bastionLogAnalyticsWorkspaceId')]" + }, + "fdCdnDiagnostics": { + "value": "[parameters('fdCdnDiagnostics')]" + }, + "fdCdnLogAnalyticsWorkpaceId": { + "value": "[parameters('fdCdnLogAnalyticsWorkpaceId')]" + }, + "pipDiagnostics": { + "value": 
"[parameters('pipDiagnostics')]" + }, + "pipLogAnalyticsWorkspaceId": { + "value": "[parameters('pipLogAnalyticsWorkspaceId')]" + }, + "gwDiagnostics": { + "value": "[parameters('gwDiagnostics')]" + }, + "gwLogAnalyticsWorkspaceId": { + "value": "[parameters('gwLogAnalyticsWorkspaceId')]" + }, + "p2sDiagnostics": { + "value": "[parameters('p2sDiagnostics')]" + }, + "p2sLogAnalyticsWorkspaceId": { + "value": "[parameters('p2sLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json new file mode 100644 index 00000000..b81a958c --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json 
@@ -0,0 +1,73 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "cognitiveServicesPrivateDnsZone": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "cognitiveServicesPrivateDnsZoneId": {
+ "type": "string",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "compliantOpenAi": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-OpenAi')]"
+ },
+ "policyAssignmentNames": {
+ "openAI": "Compliant-OpenAi",
+ "description": "This policy initiative is a group of policies that ensures Open Ai (Cognitive Service) is compliant per FSI Landing Zones",
+ "displayName": "Enforce secure-by-default Open Ai (Cognitive Service) for Financial Services Industry"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').openAi]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').compliantOpenAi]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "cognitiveServicesPrivateDnsZone": {
+ "value": "[parameters('cognitiveServicesPrivateDnsZone')]"
+ },
+ "cognitiveServicesPrivateDnsZoneI": {
+ "value": "[parameters('cognitiveServicesPrivateDnsZoneId')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CogitiveServicePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json
similarity index 90%
rename from foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CogitiveServicePolicySetDefinition.json
rename to foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json
index 76cfd416..502ca972 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CogitiveServicePolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json
@@ -9,7 +9,6 @@
 },
 "variables": {
 "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
- // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives
 "policies": {
 "policyDefinitions": [
 {
@@ -19,7 +18,7 @@
 "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.",
 "metadata": {
 "version": "1.0.0",
- "category": "Cognitive Service"
+ "category": "Cognitive Services"
 },
 "parameters": {
 "effect": {
@@ -71,7 +70,7 @@
 "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.",
 "metadata": {
 "version": "1.0.0",
- "category": "Cognitive Service"
+ "category": "Cognitive Services"
 },
 "parameters": {
 "effect": {
@@ -152,7 +151,7 @@
 "properties": {
 "metadata": {
 "version": "1.0.0",
- "category": "Cognitive Service"
+ "category": "Cognitive Services"
 },
 "displayName": "Enforce secure-by-default Open AI (Cognitive Service) for Financial Services Industry",
 "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per FSI Landing Zones",
@@ -222,9 +221,41 @@
 "cognitiveServicesManagedIdentity": {
 "type": "string",
 "defaultValue": "Deny"
+ },
+ "cognitiveServicesOutboundNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "cognitiveServicesNetworkAcls": {
+ "type": "string",
+ "defaultValue": "Deny"
 }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
+ "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesOutboundNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]",
+ "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('cognitiveServicesNetworkAcls')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
 "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
index 286e71db..83ee2d5e 100644
--- a/foundations/azure/referenceImplementations/fsiPortalV2.json
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
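Review bot: The new entries use `Deny-OpenAi-OutboundNetworkAccess` and `Deny-OpenAi-NetworkAcls` as `policyDefinitionReferenceId`, while the existing entry in the same array uses the `Deny-Cognitive-Services-…` form; reference ids are what compliance results and exemptions key on, so one scheme should be chosen before this ships. The two `policyDefinitionId` values bind by position to `variables('policies').policyDefinitions[0]` and `[1]`, so inserting a custom definition earlier in that array silently rebinds them; a comment beside each reference such as `// [0] must stay the Deny-CognitiveServices-RestrictOutboundNetworkAccess entry of variables('policies')` would flag the coupling. The `cognitiveServicesOutboundNetworkAccess` and `cognitiveServicesNetworkAcls` initiative parameters could also carry `"allowedValues": ["Deny", "Audit", "Disabled"]` to mirror the definitions' own effect parameters. The enclosing initiative definition starts and ends outside the hunk.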
@@ -665,6 +665,11 @@
 "description": "Azure policies will ensure secure by-default compliance for Data Factory, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.",
 "value": "DataFactory"
 },
+ {
+ "label": "Machine Learning",
+ "description": "Azure policies will ensure secure by-default compliance for Machine Learning, enforce access via private endpoints, centralized authorization, and centralized logging.",
+ "value": "MachineLearning"
+ },
 {
 "label": "Open AI",
 "description": "Azure policies will ensure secure by-default compliance for Open AI, enforce access via private endpoints, centralized authorization, and centralized logging.",
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index f1d29aec..cfa3490b 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -677,7 +677,11 @@
 "compliantKubernetesPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-KubernetesPolicySetDefinition.json')]",
 "compliantKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-KubernetesPolicyAssignment.json')]",
 "compliantMachineLearningPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json')]",
+ "compliantMachineLearningPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json')]",
+ "compliantNetworkPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json')]",
+ "compliantNetworkPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json')]",
 "compliantOpenAiPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json')]",
+ "compliantOpenAiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicySetAssignment.json')]",
 "compliantServiceBusPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json')]",
 "compliantSQLPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json')]",
 "compliantStoragePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json')]",
@@ -764,6 +768,7 @@
 "compliantKeyVaultDeploymentName": "[take(concat(parameters('industry'), 'Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
 "compliantKubernetesDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
 "compliantMachineLearningDeploymentName": "[take(concat(parameters('industry'), 'Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
+ "compliantNetworkDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Network', variables('deploymentSuffix')), 64)]",
 "compliantOpenAiDeploymentName": "[take(concat(parameters('industry'), 'Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
 "compliantServiceBusDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
 "compliantSqlDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Sql', variables('deploymentSuffix')), 64)]",
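Review bot: `compliantOpenAiPolicyAssignment` points at `policyAssignments/Compliant-OpenAiPolicySetAssignment.json`, but the file this commit creates is `policyAssignments/Compliant-OpenAiPolicyAssignment.json` (see its new-file header earlier in this patch), so any deployment that resolves this URI will fail on the template link. Change the path to `'core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json'`, which also matches the naming of the sibling `compliantMachineLearningPolicyAssignment` and `compliantNetworkPolicyAssignment` entries added in the same hunk. The enclosing `deploymentUris` object starts and ends outside the hunk.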
@@ -854,6 +859,9 @@
 "compliantEventGridAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EG', variables('deploymentSuffix')), 64)]",
 "compliantEventHubAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EH', variables('deploymentSuffix')), 64)]",
 "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
+ "compliantOpenAiAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
+ "compliantMachineLearningAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
+ "compliantNetworkAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Network', variables('deploymentSuffix')), 64)]",
 "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
 "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
 "compliantContainerRegistryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
@@ -1010,6 +1018,8 @@
 "privateDnsPolicyParameterMapping": {
 "azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]",
 "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]",
+ "azureMlPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]",
+ "azureMlSecondaryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.notebooks.azure.net')]",
 "azureCosmosSqlPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.documents.azure.com')]",
 "azureDataFactoryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.datafactory.azure.net')]",
 "azureEventGridPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]",
@@ -1501,6 +1511,30 @@
 }
 }
 },
+ {
+ // Deploying Compliant Network PolicySetDefinition
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').compliantNetworkDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantNetworkPolicySetDefinition]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
 { // Deploying Compliant Open Ai PolicySetDefinition
 "type": "Microsoft.Resources/deployments",
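Review bot: The two new `azureMlPrivateDnsZoneId` / `azureMlSecondaryPrivateDnsZoneId` entries are inserted between `azureCosmosTablePrivateDnsZoneId` and `azureCosmosSqlPrivateDnsZoneId`, splitting the Cosmos pair and breaking the alphabetical order the rest of `privateDnsPolicyParameterMapping` keeps; move them after the `azureEventGrid` entry or wherever `azureMl` sorts. Both values are built from `variables('baseId')`, so the Machine Learning assignment at @@ -3696 that forwards them as `mlPrivateDnsZoneId` / `mlSecondPrivateDnsZoneId` will have its DeployIfNotExists remediation point at zones that must really be created by the `dnsZones` deployment it depends on. That deployment is not in this diff, so confirm `privatelink.api.azureml.ms` and `privatelink.notebooks.azure.net` are in its zone list; otherwise remediation targets a non-existent zone and the assignment shows as non-compliant without ever fixing anything.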
@@ -3696,7 +3730,133 @@ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant } } - }, + }, + { // Creating Policy Assignment Compliant Machine Learning to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'MachineLearning')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantMachineLearningAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantMachineLearningDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantMachineLearningPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "mlDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "mlLogAnalyticsWorkspaceResourceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "mlPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "mlPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]" + }, + "mlSecondPrivateDnsZoneId": { + "value": 
"[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Network to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Networking')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantNetworkAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantNetworkDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantNetworkPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "mlDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "mlLogAnalyticsWorkspaceResourceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "mlPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "mlPrivateDnsZoneId": { + 
"value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]" + }, + "mlSecondPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, + { // Creating Policy Assignment Compliant Open Ai to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'OpenAI')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantOpenAiAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantOpenAiDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantOpenAiPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "cognitiveServicesPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "cognitiveServicesPrivateDnsZoneI": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 
variables('privateDnsPolicyParameterMapping').azureCognitiveServicesPrivateDnsZoneId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, /* The following section will optionally configure the governance for the Identity management group for the platform */ From 965daa7f1372fcd513162a5a535192174357de1d Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 28 Feb 2023 10:39:14 +0100 Subject: [PATCH 37/56] network orchestration --- .../industryArmV2.json | 74 +++++++++++++++++-- 1 file changed, 66 insertions(+), 8 deletions(-) diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index cfa3490b..f25b3b55 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json 
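Review bot: In the Compliant Open Ai assignment deployment the parameter key `cognitiveServicesPrivateDnsZoneI` looks truncated: it sits next to `cognitiveServicesPrivateDnsZone` and carries the zone resource id, so the nested template almost certainly declares it as `cognitiveServicesPrivateDnsZoneId`, and ARM rejects a nested deployment that passes a parameter the linked template does not declare. Change it to `"cognitiveServicesPrivateDnsZoneId": {` after checking the parameter name in Compliant-OpenAiPolicyAssignment.json. The Compliant Network assignment in the same hunk forwards the Machine Learning parameter set (`mlDiagnostics`, `mlPrivateDnsZoneId`, `mlSecondPrivateDnsZoneId`, …) verbatim, which PATCH 37/56 below replaces; once that lands, its `dependsOn` entry `"dnsZones"` is no longer justified by any parameter it passes. Its condition token `'Networking'` also differs from the `Network` naming used by `compliantNetworkAssignmentDeploymentName` and `compliantNetworkPolicyAssignment`, so confirm it matches the allowed values of `compliantAzureServices`, which are outside this diff.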
@@ -3799,20 +3799,78 @@ "topLevelManagementGroupPrefix": { "value": "[parameters('industryPrefix')]" }, - "mlDiagnostics": { + + "vnetModifyDdos": { + "value": "[if(equals(parameters('enableDdos'), 'Yes'), 'Modify', 'Disabled')]" + }, + "ddosPlanResourceId": { + "value": "[if(equals(parameters('enableDdos'), 'Yes'), variables('platformResourceIds').ddosProtectionResourceId, '')]" + }, + "nsgDiagnostics": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" }, - "mlLogAnalyticsWorkspaceResourceId": { + "nsgLogAnalyticsWorkspaceId": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" }, - "mlPrivateDnsZone": { - "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + "lbDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" }, - "mlPrivateDnsZoneId": { - "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]" + "lbDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" }, - "mlSecondPrivateDnsZoneId": { - "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]" + "fdDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "fdDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "tmDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "tmDiagnosticsLogAnalyticsWorkspaceId": { + "value": 
"[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "vnetDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "vnetDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "erDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "erDiagnosticsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "bastionDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "bastionLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "fdCdnDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "fdCdnLogAnalyticsWorkpaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "pipDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "pipLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "gwDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "gwLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "p2sDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 
'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "p2sLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" }, "userAssignedIdentityResourceId": { "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" From a85b17a783fd2be12ff14d0392deda314d0717fc Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 28 Feb 2023 17:44:30 +0100 Subject: [PATCH 38/56] sql policySet --- .../Compliant-SQLPolicySetDefinition.json | 191 +++++++++++------- 1 file changed, 118 insertions(+), 73 deletions(-) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json index 8c389e83..8c866206 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json @@ -9,7 +9,6 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ { 
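Review bot: `fdCdnLogAnalyticsWorkpaceId` is misspelled (`Workpace`) relative to every other `*LogAnalyticsWorkspaceId` key in this hunk; if Compliant-NetworkPolicyAssignment.json declares the correctly spelled name the nested deployment fails on an unknown parameter, and if it declares the misspelled one the typo is now baked into the interface, so it should be `"fdCdnLogAnalyticsWorkspaceId": {` on both sides. The hunk also adds an empty `+` line after the `topLevelManagementGroupPrefix` block, which no other parameter block in this section has. The surrounding deployment (presumably the Compliant Network assignment, given the subject; its header is outside the hunk) still lists `"dnsZones"` in `dependsOn` from the copied Machine Learning block, although none of the parameters now passed references a private DNS zone.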
@@ -18,46 +17,46 @@ "mode": "Indexed", "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", "metadata": { - "version": "1.0.0", - "category": "SQL" + "version": "1.0.0", + "category": "SQL" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Sql/servers" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "count": { + "field": "Microsoft.Sql/servers/privateEndpointConnections[*]", + "where": { + "field": "Microsoft.Sql/servers/privateEndpointConnections[*].privateLinkServiceConnectionState.status", + "equals": "Approved" + } + }, + "less": 1 + } + ] }, - { - "count": { - "field": "Microsoft.Sql/servers/privateEndpointConnections[*]", - "where": { - "field": "Microsoft.Sql/servers/privateEndpointConnections[*].privateLinkServiceConnectionState.status", - "equals": "Approved" - } - }, - "less": 1 + "then": { + "effect": "[[parameters('effect')]" } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } } }, "name": "Deny-Sql-Db-Public-Endpoint" 
@@ -68,48 +67,48 @@ "mode": "Indexed", "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", "metadata": { - "version": "1.0.1", - "category": "SQL" + "version": "1.0.1", + "category": "SQL" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Sql/managedInstances" - }, - { - "anyOf": [ - { - "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "exists": false - }, - { - "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "notEquals": "1.2" - } + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "exists": false + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notEquals": "1.2" + } + ] + } ] + }, + "then": { + "effect": "[[parameters('effect')]" } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } } }, "name": "Deny-Sql-Managed-Tls-Version" 
@@ -228,9 +227,55 @@ "sqlManagedDefender": { "type": "string", "defaultValue": "DeployIfNotExists" + }, + "sqlDbServerDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlDbAllDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, - "policyDefinitions": [ + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + "policyDefinitionReferenceId": "Dine-Diagnostics-SqlDbServerAll", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbAllDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('sqlDbAllLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ea8a143-05e3-4553-abfe-f56bef8b0b70", + "policyDefinitionReferenceId": "Dine-Diagnostics-SqlDbServer", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbServerDiagnostics')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[[parameters('sqlDbServerLogAnalyticsWorkspaceId')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd", "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender", @@ -395,7 +440,7 @@ "value": "[[parameters('modifySqlPublicNetworkAccess')]" } } - } + } ] } } From fbe6cb7e8e17495c96271f1319d3c52829dc0663 Mon Sep 17 00:00:00 2001 
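Review bot: The new `sqlDbServerDiagnostics` and `sqlDbAllDiagnostics` parameters default to `DeployIfNotExists` while their paired `sqlDbServerLogAnalyticsWorkspaceId` / `sqlDbAllLogAnalyticsWorkspaceId` default to `""`, so the definition's own defaults describe a DeployIfNotExists remediation with no workspace to deploy to; either the effect defaults should follow the `Disabled` default that the assignment template in PATCH 39/56 uses, or the workspace parameters should have no default so a caller must supply one. The effect parameters also have no `allowedValues` (the assignment restricts them to `Disabled`/`DeployIfNotExists`), so an invalid effect string in an assignment would only surface at evaluation time; adding `"allowedValues": ["DeployIfNotExists", "Disabled"]` to both mirrors the assignment. The two added definition references forward the workspace under different built-in parameter names (`logAnalytics` for `Dine-Diagnostics-SqlDbServerAll`, `logAnalyticsWorkspaceId` for `Dine-Diagnostics-SqlDbServer`); that is right only if the two referenced built-in definitions declare them that way, which this diff does not show.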
From: Kristian Nese Date: Tue, 28 Feb 2023 18:15:58 +0100 Subject: [PATCH 39/56] adding sql, service bus, and postgre sql --- .../Compliant-PostgreSQLPolicyAssignment.json | 74 +++++ .../Compliant-SQLPolicyAssignment.json | 121 ++++++++ .../Compliant-ServiceBusPolicyAssignment.json | 92 ++++++ ...mpliant-PostgreSQLPolicySetDefinition.json | 288 ++++++++++++++++-- .../referenceImplementations/fsiPortalV2.json | 5 + .../industryArmV2.json | 165 +++++++++- 6 files changed, 711 insertions(+), 34 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json new file mode 100644 index 00000000..a44edc29 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "postgreDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "postgreLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantPostgre": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-PostgreSQL')]" + }, + "policyAssignmentNames": { + "postgre": "Compliant-PostgreSQL", + "description": "This policy initiative is a group of policies that ensures Postgre SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Postgre SQL for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').postgre]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantPostgre]", + "enforcementMode": "[parameters('enforcementMode')]", + 
"parameters": { + "postgreDiagnostics": { + "value": "[parameters('postgreDiagnostics')]" + }, + "postgreLogAnalyticsWorkspaceId": { + "value": "[parameters('postgreLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json new file mode 100644 index 00000000..1e44d7a2 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json 
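Review bot: Only `topLevelManagementGroupPrefix` carries a `metadata.description`; `enforcementMode`, `postgreDiagnostics`, `postgreLogAnalyticsWorkspaceId` and `userAssignedIdentityResourceId` are undocumented, and the identity one is the only parameter with no default, so a caller cannot tell from the template what resource id is expected (the initiative's remediation identity) or what `DoNotEnforce` does to the assignment. Add a `metadata.description` to each, e.g. for the identity: `"description": "Resource ID of the user-assigned managed identity the assignment uses for DeployIfNotExists remediation."`. The same gap exists in Compliant-SQLPolicyAssignment.json and Compliant-ServiceBusPolicyAssignment.json added in this commit. The file also ends without a trailing newline, unlike the other templates in the tree.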
@@ -0,0 +1,121 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "sqlServerDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlManagedDefender": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbServerDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlDbAllDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantSql": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Sql')]" + }, + "policyAssignmentNames": { + "sql": "Compliant-Sql", + "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default SQL for Financial Services Industry" + } + }, + "resources": [ + { + "type": 
"Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').sql]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSql]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "sqlServerDiagnosticseDinePrivateDnsZone": { + "value": "[parameters('sqlServerDiagnostics')]" + }, + "sqlServerLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlServerLogAnalyticsWorkspaceId')]" + }, + "sqlManagedDefender": { + "value": "[parameters('sqlManagedDefender')]" + }, + "sqlDbServerDiagnostics": { + "value": "[parameters('sqlDbServerDiagnostics')]" + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlDbServerLogAnalyticsWorkspaceId')]" + }, + "sqlDbAllDiagnostics": { + "value": "[parameters('sqlDbAllDiagnostics')]" + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlDbAllLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json new file mode 100644 index 00000000..644d15ad --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json 
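Review bot: The assignment passes `sqlServerDiagnosticseDinePrivateDnsZone`, which does not match the `sqlServerDiagnostics` template parameter whose value it forwards and reads like a mangled paste of two names; a policy assignment whose parameter is not declared by the initiative is rejected at creation time, so this should read `"sqlServerDiagnostics": {`. Confirm the name against Compliant-SQLPolicySetDefinition.json: the PATCH 38/56 hunk above shows `sqlDbServerDiagnostics` and `sqlDbAllDiagnostics` but not the `sqlServer*` pair, so the initiative may declare it differently still.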
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "ServiceBusLogAnalyticsEffect": { + "type": "String", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "ServiceBusLogAnalyticsWorkspaceId": { + "type": "String", + "defaultValue": "" + }, + "serviceBusDinePrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "serviceBusPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantSb": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Service-Bus')]" + }, + "policyAssignmentNames": { + "sb": "Compliant-Service-Bus", + "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Service Bus for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').sb]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSb]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "serviceBusDinePrivateDnsZone": { + "value": "[parameters('serviceBusDinePrivateDnsZone')]" + }, + "serviceBusPrivateDnsZoneId": { + "value": "[parameters('serviceBusPrivateDnsZoneId')]" + }, + "ServiceBusLogAnalyticsEffect": { + "value": "[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "ServiceBusLogAnalyticsWorkspaceId": { + "value": "[parameters('ServiceBusLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json index dece9908..343c8f36 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json 
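Review bot: The parameter names mix PascalCase (`ServiceBusLogAnalyticsEffect`, `ServiceBusLogAnalyticsWorkspaceId`, declared with `"type": "String"`) and camelCase (`serviceBusDinePrivateDnsZone`, `serviceBusPrivateDnsZoneId`, declared with `"type": "string"`) in one template. ARM parameter lookups are case-insensitive, so this is unlikely to break the deployment, but the sibling Compliant-SQLPolicyAssignment.json and Compliant-PostgreSQLPolicyAssignment.json use camelCase and lowercase `string` throughout, and the names must still match what Compliant-Service-Bus declares. The two `allowedValues` arrays also list `Disabled`/`DeployIfNotExists` in opposite orders; pick one order for both.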
@@ -17,47 +17,252 @@ "mode": "Indexed", "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.1", - "category": "PostgreSQL" + "version": "1.0.0", + "category": "PostgreSQL" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Deny", - "Audit", - "Disabled" + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" ], - "defaultValue": "Audit" - } + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.DBforPostgreSQL/servers" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "exists": "true" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-PostgreSql-SSL-Connection" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL (server and flexible server) to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL (server and flexible) to stream to a Log Analytics workspace when any Database for PostgreSQL which 
is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "2.0.0", + "category": "PostgreSQL" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } }, - { - "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", - "exists": "true" + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } }, - { - "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", - "notEquals": "Enabled" + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } } - ] }, - "then": { - "effect": "[[parameters('effect')]" - } + "policyRule": { + "if": { + "anyOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": 
"Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "resourceType": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "condition": "[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]", + "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + }, + { + "condition": "[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]", + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": 
"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "resourceType": { + "value": "[[field('type')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } } }, - "name": "Deny-PostgreSql-SSL-Connection" + "name": "Dine-Diagnostics-PostgreSQL" } ] } @@ -137,6 +342,14 @@ "postgreSqlAdvThreatProtection": { "type": "string", "defaultValue": "DeployIfNotExists" + }, + "postgreDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "postgreLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ @@ -165,6 +378,21 @@ } } }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-Postgre", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('postgreDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('postgreLogAnalyticsWorkspaceId')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", 
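Review bot: The `existenceCondition` of `Dine-Diagnostics-PostgreSQL` hardcodes `Microsoft.Insights/diagnosticSettings/metrics.enabled` `equals` `"true"`, but the deployed setting takes `enabled` from the `metricsEnabled` parameter; when an assignment passes `False`, the setting the policy itself deploys never satisfies the condition, so the resource stays non-compliant and remediation keeps re-running. Comparing against the parameter, `"equals": "[[parameters('metricsEnabled')]"`, keeps the condition and the deployment in step (policy string comparison is case-insensitive, so the `True`/`False` spelling is not itself a problem). Separately, the `Deny-PostgreSql-SSL-Connection` block is only re-indented in this hunk, yet its `metadata.version` moves from `1.0.1` to `1.0.0`; that looks like an accidental downgrade. The nested deployment template also declares `"$schema"` with `http://` where the rest of the repo uses `https://`.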
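Review bot: In the `@@ -137,6 +342,14 @@` hunk `postgreDiagnostics` defaults to `DeployIfNotExists` while `postgreLogAnalyticsWorkspaceId` defaults to `""`, so with the initiative's own defaults the `Dine-Diagnostics-Postgre` reference in the `@@ -165,6 +378,21 @@` hunk would deploy a diagnostic setting with an empty `workspaceId`; the assignment templates in this commit default such effects to `Disabled`, and doing the same here, or documenting that the workspace id is required when the effect is on, would avoid a remediation that can only fail. The reference also resolves its definition through `variables('policies').policyDefinitions[1].name`, a positional index that silently points at the wrong definition if the array is reordered; the definition's literal name `Dine-Diagnostics-PostgreSQL` would be the more robust anchor. Both enclosing objects start outside the hunks.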
diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json
index 83ee2d5e..3b51cf3f 100644
--- a/foundations/azure/referenceImplementations/fsiPortalV2.json
+++ b/foundations/azure/referenceImplementations/fsiPortalV2.json
@@ -640,6 +640,11 @@
 "description": "Azure policies will ensure secure by-default compliance for Kubernetes (AKS), secrets, keys, and certificates, enforce access via private endpoints, centralized authorization and governance, and centralized logging.",
 "value": "Kubernetes"
 },
+ {
+ "label": "Postgre SQL",
+ "description": "Azure policies will ensure secure by-default compliance for Postgre SQL, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.",
+ "value": "PostgreSql"
+ },
 {
 "label": "SQL",
 "description": "Azure policies will ensure secure by-default compliance for SQL servers and SQL databases, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.",
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index f25b3b55..aa86d333 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
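Review bot: The new portal option spells the product "Postgre SQL" in both `label` and `description`, while the templates it wires up use `PostgreSQL` (`Compliant-PostgreSQLPolicySetDefinition.json`) and the option `value` is `PostgreSql`; the user-facing strings should read `"label": "PostgreSQL"` and "…compliance for PostgreSQL…". The enclosing options array starts outside the hunk.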
@@ -682,8 +682,12 @@
 "compliantNetworkPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json')]",
 "compliantOpenAiPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json')]",
 "compliantOpenAiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicySetAssignment.json')]",
+ "compliantPostgrePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json')]",
+ "compliantPostgrePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json')]",
 "compliantServiceBusPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json')]",
+ "compliantServiceBusPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json')]",
 "compliantSQLPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json')]",
+ "compliantSQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json')]",
 "compliantStoragePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json')]",
 "compliantSynapsePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json')]",
 "dataPolicyDefinitions": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/dataPolicies.json')]",
@@ -770,6 +774,7 @@
 "compliantMachineLearningDeploymentName": "[take(concat(parameters('industry'), 'Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
 "compliantNetworkDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Network', variables('deploymentSuffix')), 64)]",
 "compliantOpenAiDeploymentName": "[take(concat(parameters('industry'), 'Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
+ "compliantPostgreDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Postgre', variables('deploymentSuffix')), 64)]",
 "compliantServiceBusDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
 "compliantSqlDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Sql', variables('deploymentSuffix')), 64)]",
 "compliantStorageDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Storage', variables('deploymentSuffix')), 64)]",
@@ -860,11 +865,14 @@
 "compliantEventHubAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-EH', variables('deploymentSuffix')), 64)]",
 "compliantKeyVaultAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
 "compliantOpenAiAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
+ "compliantPostgreAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Postgre', variables('deploymentSuffix')), 64)]",
+ "compliantSqlAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-SQL', variables('deploymentSuffix')), 64)]",
 "compliantMachineLearningAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
 "compliantNetworkAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Network', variables('deploymentSuffix')), 64)]",
 "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
 "compliantContainerInstanceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
 "compliantContainerRegistryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
+ "compliantServiceBusAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
 "compliantKubernetesAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
 "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
 "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
@@ -1559,6 +1567,30 @@
 }
 }
 },
+ {
+ // Deploying Compliant Postgre SQL PolicySetDefinition
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').compliantPostgreDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantPostgrePolicySetDefinition]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
 {
 // Deploying Compliant Service Bus PolicySetDefinition
 "type": "Microsoft.Resources/deployments",
@@ -3798,8 +3830,7 @@
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
- },
- 
+ },
 "vnetModifyDdos": {
 "value": "[if(equals(parameters('enableDdos'), 'Yes'), 'Modify', 'Disabled')]"
 },
@@ -3870,7 +3901,7 @@
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
 "p2sLogAnalyticsWorkspaceId": {
- "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
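Review bot: In the `@@ -3870,7 +3901,7 @@` hunk `p2sLogAnalyticsWorkspaceId` now receives `'DeployIfNotExists'`/`'Disabled'`, i.e. an effect string, instead of the Log Analytics workspace resource id it carried before; the parameter name, and the fact that the line directly above already passes the effect, make this look like a copy-paste regression that would hand the linked template a workspace id of `DeployIfNotExists`. The removed line should be restored: `"value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"`. The enclosing deployment starts outside the hunk, so which assignment template consumes this value cannot be confirmed from here.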
@@ -3914,7 +3945,133 @@ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant } } - }, + }, + { // Creating Policy Assignment Compliant Postgre SQL to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'PostgreSql')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantPostgreAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantPostgreDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantPostgrePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "postgreDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "postgreLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { // Creating Policy Assignment Compliant Service Bus to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'ServiceBus')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": 
"[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantServiceBusAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantServiceBusDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantServiceBusPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "serviceBusDinePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "serviceBusPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]" + }, + "ServiceBusLogAnalyticsEffect": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "ServiceBusLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, + { // Creating Policy Assignment Compliant Service Bus to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Sql')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, 
parameters('location'))]", + "name": "[variables('deploymentNames').compliantSqlAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantSqlDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantSqlPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "sqlServerDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlServerLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "sqlManagedDefender": { + "value": "[if(equals(parameters('enableAscForSql'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlDbServerDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "sqlDbAllDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, /* 
The following section will optionally configure the governance for the Identity management group for the platform */ From 7efe0c25eec65f7c1425767a7fb1c9aec6948d01 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 28 Feb 2023 21:02:55 +0100 Subject: [PATCH 40/56] adding sql assignment + storage def and assignment --- .../Compliant-SQLPolicyAssignment.json | 2 +- .../Compliant-StoragePolicyAssignment.json | 354 ++++++++++++++++++ .../Compliant-StoragePolicySetDefinition.json | 221 ++++++++++- .../industryArmV2.json | 157 +++++++- 4 files changed, 722 insertions(+), 12 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json index 1e44d7a2..b8ec96d7 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json @@ -92,7 +92,7 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantSql]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "sqlServerDiagnosticseDinePrivateDnsZone": { + "sqlServerDiagnostics": { "value": "[parameters('sqlServerDiagnostics')]" }, "sqlServerLogAnalyticsWorkspaceId": { diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json new file mode 100644 index 00000000..2f921696 --- /dev/null 
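Review bot: The third new deployment in the `@@ -3914,7 +3945,133 @@` hunk is conditioned on `'Sql'` and links `compliantSqlPolicyAssignment`, but its leading comment still says `// Creating Policy Assignment Compliant Service Bus to Landing Zone scope`; it should read `// Creating Policy Assignment Compliant SQL to Landing Zone scope`. That same deployment reads `variables('deploymentUris').compliantSqlPolicyAssignment` while the `@@ -682,8 +682,12 @@` hunk adds the key as `compliantSQLPolicyAssignment`; ARM property lookup is, as far as I recall, case-insensitive so this probably resolves, but matching the casing of the declared key removes the dependency on that behaviour. The PostgreSQL deployment passes `postgreDiagnostics` and `postgreLogAnalyticsWorkspaceId` to `Compliant-PostgreSQLPolicyAssignment.json`, which is not part of this diff; worth confirming that template declares exactly those parameter names, since a mismatch of this kind is what the later `sqlServerDiagnosticseDinePrivateDnsZone` fix repairs. The resources array these objects belong to starts and ends outside the hunk.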
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json 
@@ -0,0 +1,354 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "storageTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageTablePrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageSecondaryTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryTablePrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageFileSyncPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageFileSyncPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageFileSyncDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageFileSyncLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageTableDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageTableLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageAccountsDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageAccountsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageFileDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ 
+ "Disabled", + "DeployIfNotExists" + ] + }, + "storageFileDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageSecondaryBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageWebPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryWebPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageSecondaryWebPrivateDnsZoneId": { + "type": 
"string", + "defaultValue": "" + }, + "storageQueueDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "storageQueueLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageBlobLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantSql": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Sql')]" + }, + "policyAssignmentNames": { + "sql": "Compliant-Sql", + "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default SQL for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').sql]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSql]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "storageTablePrivateDnsZone": { + "value": "[parameters('storageTablePrivateDnsZone')]" + }, + "storageTablePrivateDnsZoneId": { + "value": "[parameters('storageTablePrivateDnsZoneId')]" + }, + "storageSecondaryTablePrivateDnsZone": { + "value": "[parameters('storageSecondaryTablePrivateDnsZone')]" + }, + 
"storageSecondaryTablePrivateDnsZoneId": { + "value": "[parameters('storageSecondaryTablePrivateDnsZoneId')]" + }, + "storageFileSyncPrivateDnsZone": { + "value": "[parameters('storageFileSyncPrivateDnsZone')]" + }, + "storageFileSyncPrivateDnsZoneId": { + "value": "[parameters('storageFileSyncPrivateDnsZoneId')]" + }, + "storageFileSyncDiagnostics": { + "value": "[parameters('storageFileSyncDiagnostics')]" + }, + "storageFileSyncLogAnalyticsWorkspaceId": { + "value": "[parameters('storageFileSyncLogAnalyticsWorkspaceId')]" + }, + "storageTableDiagnostics": { + "value": "[parameters('storageTableDiagnostics')]" + }, + "storageTableLogAnalyticsWorkspaceId": { + "value": "[parameters('storageTableLogAnalyticsWorkspaceId')]" + }, + "storageAccountsDiagnostics": { + "value": "[parameters('storageAccountsDiagnostics')]" + }, + "storageAccountsLogAnalyticsWorkspaceId": { + "value": "[parameters('storageAccountsLogAnalyticsWorkspaceId')]" + }, + "storageFileDnsZone": { + "value": "[parameters('storageFileDnsZone')]" + }, + "storageFileDnsZoneId": { + "value": "[parameters('storageFileDnsZoneId')]" + }, + "storageBlobPrivateDnsZone": { + "value": "[parameters('storageBlobPrivateDnsZone')]" + }, + "storageBlobPrivateDnsZoneId": { + "value": "[parameters('storageBlobPrivateDnsZoneId')]" + }, + "storageSecondaryBlobPrivateDnsZone": { + "value": "[parameters('storageSecondaryBlobPrivateDnsZone')]" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryBlobPrivateDnsZoneId')]" + }, + "storageDfsPrivateDnsZone": { + "value": "[parameters('storageDfsPrivateDnsZone')]" + }, + "storageDfsPrivateDnsZoneId": { + "value": "[parameters('storageDfsPrivateDnsZoneId')]" + }, + "storageSecondaryDfsPrivateDnsZone": { + "value": "[parameters('storageSecondaryDfsPrivateDnsZone')]" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryDfsPrivateDnsZoneId')]" + }, + "storageQueuePrivateDnsZone": { + "value": 
"[parameters('storageQueuePrivateDnsZone')]" + }, + "storageQueuePrivateDnsZoneId": { + "value": "[parameters('storageQueuePrivateDnsZoneId')]" + }, + "storageSecondaryQueuePrivateDnsZone": { + "value": "[parameters('storageSecondaryQueuePrivateDnsZone')]" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "value": "[parameters('storageSecondaryQueuePrivateDnsZoneId')]" + }, + "storageWebPrivateDnsZone": { + "value": "[parameters('storageWebPrivateDnsZone')]" + }, + "storageWebPrivateDnsZoneId": { + "value": "[parameters('storageWebPrivateDnsZoneId')]" + }, + "storageSecondaryWebPrivateDnsZone": { + "value": "[parameters('storageSecondaryWebPrivateDnsZone')]" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryWebPrivateDnsZoneId')]" + }, + "storageQueueDiagnostics": { + "value": "[parameters('storageQueueDiagnostics')]" + }, + "storageQueueLogAnalyticsWorkspaceId": { + "value": "[parameters('storageQueueLogAnalyticsWorkspaceId')]" + }, + "storageBlobDiagnostics": { + "value": "[parameters('storageBlobDiagnostics')]" + }, + "storageBlobLogAnalyticsWorkspaceId": { + "value": "[parameters('storageBlobLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json index 82593c3e..4edea1b2 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json 
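Review bot: The `variables` and `resources` sections of the new `Compliant-StoragePolicyAssignment.json` are copied from the SQL assignment unchanged: `policyDefinitions.compliantSql` points at `.../policySetDefinitions/Compliant-Sql`, the assignment is named `Compliant-Sql`, and the description and displayName describe SQL, while the `parameters` block passes only `storage*` values. As written the template assigns the SQL initiative under the same assignment name the real SQL assignment uses at the same scope, and the `storage*` parameters are not ones that initiative declares, so the deployment would either be rejected for unknown parameters or clobber the SQL assignment. The variables block needs to reference the storage initiative (its exact name is defined in `Compliant-StoragePolicySetDefinition.json`, outside this hunk, so it is a placeholder below), and `name`/`policyDefinitionId` must follow. Separately, `storageAccountsDiagnostics` and `storageBlobDiagnostics` default to `DeployIfNotExists` with no `allowedValues`, while every other effect parameter in the file defaults to `Disabled` with an `allowedValues` list; the two should be brought in line.
```json
"variables": {
  "policyDefinitions": {
    "compliantStorage": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/<STORAGE_POLICY_SET_NAME>')]"
  },
  "policyAssignmentNames": {
    "storage": "Compliant-Storage",
    "description": "This policy initiative is a group of policies that ensures Storage is compliant per FSI Landing Zones",
    "displayName": "Enforce secure-by-default Storage for Financial Services Industry"
  }
},
// … unchanged: resources[0].type / apiVersion …
"name": "[variables('policyAssignmentNames').storage]",
// … unchanged: location / identity …
"policyDefinitionId": "[variables('policyDefinitions').compliantStorage]",
// … unchanged: enforcementMode / parameters …
```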
@@ -120,11 +120,19 @@ } ], "parameters": { - "storagePrivateDnsZoneId": { + "storageTablePrivateDnsZoneId": { "type": "string", "defaultValue": "" }, - "storagePrivateDnsZone": { + "storageTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryTablePrivateDnsZone": { "type": "string", "defaultValue": "DeployIfNotExists" }, @@ -224,6 +232,62 @@ "type": "string", "defaultValue": "DeployIfNotExists" }, + "storageSecondaryBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, "storageQueueDiagnostics": { "type": "string", "defaultValue": "DeployIfNotExists" 
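Review bot: The renamed and added parameters in this hunk, and likewise in the `@@ -224` and `@@ -275` hunks of this file, carry only `type` and `defaultValue`, so anyone assigning the set definition gets no description of what each effect toggle controls or which zone the paired `...Id` value must point to. Adding a `metadata` object per parameter, e.g. `"metadata": { "displayName": "Table private DNS zone ID", "description": "Resource ID of the privatelink.table.core.windows.net zone the DINE policy links to" }`, documents the interface where it is consumed. Note also that every effect defaults to `DeployIfNotExists` while its paired zone ID defaults to `""`; the assignment template supplies both together, but an assignment made with defaults gets a remediation whose target is empty, which the description should call out.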
@@ -275,9 +339,32 @@ "storageAccountsEncryptionCmk": { "type": "string", "defaultValue": "Deny" + }, + "storageBlobDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageBlobLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb", + "policyDefinitionReferenceId": "Dine-Diagnostics-Storage-blob", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageBlobDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('storageBlobLogAnalyticsWorkspaceId')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", 
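Review bot: `Dine-Diagnostics-Storage-blob` breaks the casing used by the surrounding reference IDs (`Deny-Storage-Encryption-Cmk`, `Dine-Storage-SecondaryBlob-PrivateDns`), and reference IDs are what compliance results and exemptions key on, so the odd casing will be visible to operators. `"policyDefinitionReferenceId": "Dine-Diagnostics-Storage-Blob"` keeps the convention and is cheap to fix now, before the definition is deployed and the ID becomes something exemptions refer to.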
@@ -442,7 +529,112 @@ "value": "[[parameters('storageBlobPrivateDnsZoneId')]" } } - }, + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryBlob-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "policyDefinitionReferenceId": "Dine-Storage-Dfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryDfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "policyDefinitionReferenceId": "Dine-Storage-Queue-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageQueuePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryQueue-PrivateDns", + "groupNames": [ + 
"Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "policyDefinitionReferenceId": "Dine-Storage-Web-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageWebPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryWeb-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZoneId')]" + } + } + }, { "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Deny-Storage-Cmk')]", "policyDefinitionReferenceId": "Deny-Storage-Cmk", @@ -613,7 +805,7 @@ }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", - "policyDefinitionReferenceId": "Modify-Api-Storage-Account-PublicEndpoint", + "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", "groupNames": [ "Network" ], 
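Review bot: The seven new members use one naming pattern (`Dine-Storage-Dfs-PrivateDns`, `Dine-Storage-SecondaryQueue-PrivateDns`) while the `@@ -637` hunk in the same file renames the table members to another (`Dine-Table-Storage-Private-Dns`, `Dine-SecondaryTable-Storage-Private-Dns`), and the two groups also order `effect` and `privateDnsZoneId` differently. Since the table IDs are being renamed anyway, pick one scheme now, e.g. `Dine-Storage-Table-PrivateDns` and `Dine-Storage-SecondaryTable-PrivateDns`, so the Network group reads uniformly in compliance views.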
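Review bot: Renaming `Modify-Api-Storage-Account-PublicEndpoint` to `Modify-Blob-Storage-Account-PublicEndpoint`, and `Dine-Storage-Account-Private-Dns` to `Dine-Table-Storage-Private-Dns` in the `@@ -637` hunk, changes `policyDefinitionReferenceId` values of a set definition that already existed in the repository, and exemptions that list `policyDefinitionReferenceIds` as well as per-member compliance history are keyed on those IDs. If the previous version has been deployed anywhere, existing exemptions for these members stop matching after this change; that is worth stating in the commit message, and the rename should be paired with a check of any exemption definitions in the repository. The surrounding member object starts outside the hunk.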
@@ -637,16 +829,31 @@ }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", - "policyDefinitionReferenceId": "Dine-Storage-Account-Private-Dns", + "policyDefinitionReferenceId": "Dine-Table-Storage-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('storageTablePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('storageTablePrivateDnsZone')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", + "policyDefinitionReferenceId": "Dine-SecondaryTable-Storage-Private-Dns", "groupNames": [ "Network" ], "parameters": { "privateDnsZoneId": { - "value": "[[parameters('storagePrivateDnsZoneId')]" + "value": "[[parameters('storageSecondaryTablePrivateDnsZoneId')]" }, "effect": { - "value": "[[parameters('storagePrivateDnsZone')]" + "value": "[[parameters('storageSecondaryTablePrivateDnsZone')]" } } }, diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index aa86d333..ebd73ccb 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json 
@@ -689,6 +689,7 @@ "compliantSQLPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SQLPolicySetDefinition.json')]", "compliantSQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-SQLPolicyAssignment.json')]", "compliantStoragePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json')]", + "compliantStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json')]", "compliantSynapsePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json')]", "dataPolicyDefinitions": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/dataPolicies.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/hubspoke-connectivity.json')]", 
@@ -874,6 +875,7 @@ "compliantContainerRegistryAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]", "compliantServiceBusAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]", "compliantKubernetesAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]", + "compliantStorageAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Storage', variables('deploymentSuffix')), 64)]", "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]", "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]", // Telco specific policies assignment deployments 
@@ -1053,7 +1055,21 @@ "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]", "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", - "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]" + "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]", + "azureStorageBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureSecondaryStorageBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureStorageTablePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.table.core.windows.net')]", + "azureSecondaryStorageTablePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.table.core.windows.net')]", + "azureStorageQueuePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]", + "azureSecondaryStorageQueuePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]", + "azureStorageFilePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.file.core.windows.net')]", + "azureSecondaryStorageFilePrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.file.core.windows.net')]", + "azureStorageWebPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.web.core.windows.net')]", + "azureSecondaryStorageWebPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.web.core.windows.net')]", + "azureStorageDfsPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]", + "azureSecondaryStorageDfsPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]", + "azureStorageFileSyncPrivateDnsZoneId": "[concat(variables('baseId'), 
parameters('location'), '.privatelink.afs.azure.net')]" + }, "roleDefinitions": { "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7", @@ -3035,7 +3051,8 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion" + "policyCompletion", + "dnsZones" ], "properties": { "mode": "Incremental", @@ -4022,7 +4039,7 @@ } } }, - { // Creating Policy Assignment Compliant Service Bus to Landing Zone scope + { // Creating Policy Assignment Compliant Sql to Landing Zone scope "condition": "[contains(parameters('compliantAzureServices'), 'Sql')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", 
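Review bot: `azureStorageFileSyncPrivateDnsZoneId` builds the zone name from `parameters('location')`, but the deployment added in the following `@@ -4071` hunk treats that parameter as optional (`if(empty(parameters('location')), deployment().location, parameters('location'))`), so an empty location yields a zone name beginning with `.privatelink.afs.azure.net` and the DINE policy is pointed at a zone that cannot exist. Apply the same fallback here, e.g. `"[concat(variables('baseId'), if(empty(parameters('location')), deployment().location, parameters('location')), '.privatelink.afs.azure.net')]"`. The twelve new entries also alternate between `"key": "[` and `"key":"[`; the rest of the object puts a space after the colon. The secondary-endpoint entries deliberately resolve to the same zone names as the primaries, which is how storage secondary endpoints are resolved, but a one-line comment saying so would stop the next reader "fixing" it.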
@@ -4071,7 +4088,139 @@ } } } - }, + }, + { // Creating Policy Assignment Compliant Storage to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Storage')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantStorageAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantStorageDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantStoragePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "storageTablePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageTablePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageTablePrivateDnsZoneId, '')]" + }, + "storageSecondaryTablePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageTablePrivateDnsZoneId, '')]" + }, + "storageFileSyncPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 
'Disabled')]" + }, + "storageFileSyncPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFileSyncPrivateDnsZoneId, '')]" + }, + "storageFileSyncDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageFileSyncLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "storageTableDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageTableLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "storageAccountsDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageAccountsLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "storageFileDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageFileDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFilePrivateDnsZoneId, '')]" + }, + "storageBlobPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageBlobPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageBlobPrivateDnsZoneId, '')]" + }, + "storageSecondaryBlobPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + 
"storageSecondaryBlobPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageBlobPrivateDnsZoneId, '')]" + }, + "storageDfsPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageDfsPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageDfsPrivateDnsZoneId, '')]" + }, + "storageSecondaryDfsPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageDfsPrivateDnsZoneId, '')]" + }, + "storageQueuePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageQueuePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageQueuePrivateDnsZoneId, '')]" + }, + "storageSecondaryQueuePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageQueuePrivateDnsZoneId, '')]" + }, + "storageWebPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageWebPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageWebPrivateDnsZoneId, '')]" + }, + "storageSecondaryWebPrivateDnsZone": { + "value": 
"[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageWebPrivateDnsZoneId, '')]" + }, + "storageQueueDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageQueueLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "storageBlobDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageBlobLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, /* The following section will optionally configure the governance for the Identity management group for the platform */ From 3fb32a76c72e1ab67453c9b3a7ea5f8bc77501c5 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 28 Feb 2023 21:27:00 +0100 Subject: [PATCH 41/56] updating condition --- foundations/azure/referenceImplementations/fsiPortalV2.json | 2 +- foundations/azure/referenceImplementations/industryArmV2.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index 3b51cf3f..daacb3ad 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json 
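Review bot: The trailing `// Add parameter to toggle DINE to 'disabled' of condition is not met ...` comment inside `parameters` reads as an unfinished TODO, yet every effect in this block already does exactly that through `if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')`; either drop it or reword it as a statement of what the block does, `// Effects fall back to 'Disabled' when the matching feature toggle is 'No', so the DINE policies are not reported as non-compliant` (and 'of' should be 'if' if it is kept). `dependsOn` references `variables('deploymentNames').compliantStorageDeploymentName`, which this commit does not add in the `@@ -874` hunk, so it presumably exists already — worth confirming, since an undefined variable only surfaces at deployment time. The bare `"dnsZones"` dependency is consistent with the `@@ -3035` hunk, so no change there.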
@@ -708,7 +708,7 @@ { "label": "Storage Account", "description": "Azure policies will ensure secure by-default compliance for Storage Accounts, such as enforcement of strong protocols, encryption, access via private endpoint, centralized authorization using Azure AD, and centralized logging.", - "value": "StorageAccounts" + "value": "StorageAccount" }, { "label": "Virtual Machine", diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index ebd73ccb..6c67c026 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json @@ -4090,7 +4090,7 @@ } }, { // Creating Policy Assignment Compliant Storage to Landing Zone scope - "condition": "[contains(parameters('compliantAzureServices'), 'Storage')]", + "condition": "[contains(parameters('compliantAzureServices'), 'StorageAccount')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", From 8ca9178f12c4f6582797622b09700a882ec0eef1 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 28 Feb 2023 22:04:33 +0100 Subject: [PATCH 42/56] lenght --- ...liant-MachineLearningPolicyAssignment.json | 2 +- .../referenceImplementations/fsiPortalV2.json | 4 +++- .../industryArmV2.json | 20 +++++++++---------- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json index e9ba8737..5a145183 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json 
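Review bot: The literal `'StorageAccount'` in the condition is only correct while it matches the `value` chosen in the fsiPortalV2.json hunk above, and the `Storage` vs `StorageAccounts` mismatch is exactly what this commit repairs; a comment beside it, `// must match the 'Storage Account' item value in fsiPortalV2.json`, makes the coupling explicit for the next service added to `compliantAzureServices`. The enclosing deployment resource continues outside the hunk.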
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json @@ -51,7 +51,7 @@ "compliantMl": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Machine-Learning')]" }, "policyAssignmentNames": { - "ml": "Compliant-Machine-Learning", + "ml": "Compliant-ML", "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per FSI Landing Zones", "displayName": "Enforce secure-by-default Machine Learning for Financial Services Industry" } diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index daacb3ad..5adefc8c 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -570,8 +570,10 @@ "Data Explorer", "Data Factory", "Key Vault", + "Kubernetes", "SQL", - "Service Bus", + "Service Bus", + "Postgre SQL", "Open AI", "Event Grid", "Event Hub", diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index 6c67c026..e1f2ba03 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json @@ -598,7 +598,7 @@ } }, "variables": { - // Declaring the prescriptive management group structure that will be used in the scope construction + // Declaring the prescriptive structure for FSI Landing Zones "mgmtGroups": { "industryRoot": "[parameters('industryPrefix')]", "platform": "[concat(parameters('industryPrefix'), '-', 'platform')]", 
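Review bot: Changing `policyAssignmentNames.ml` renames the assignment resource, so a tenant that already has `Compliant-Machine-Learning` assigned will, on redeploy, carry both assignments unless the old one is removed; the same applies to the `Compliant-Storage-Account` → `Compliant-Storage` set definition rename in PATCH 43 (`@@ -82` of Compliant-StoragePolicySetDefinition.json). If the shortening is to satisfy the 24-character limit on management-group-scope assignment names, say so, `// assignment names at management-group scope are limited to 24 characters`, because `Compliant-ML` otherwise looks like an arbitrary abbreviation next to the full names kept in `displayName`. The `name` property that consumes this variable is outside the hunk.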
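Review bot: `"Postgre SQL"` is misspelt (the product is `PostgreSQL`), and if these strings are compared by value elsewhere, as the `StorageAccounts`/`StorageAccount` fix in PATCH 41 suggests, the spelling should be settled before anything depends on it. The `- "Service Bus",`/`+ "Service Bus",` pair is a whitespace-only change that could be dropped to keep the hunk to its intent. The list being edited starts and ends outside the hunk.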
@@ -610,7 +610,7 @@ "corp": "[concat(parameters('industryPrefix'), '-', 'corp')]", "online": "[concat(parameters('industryPrefix'), '-', 'cloud-native')]" }, - // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc. + // Declaring scopes that will be used for ARM deployments "scopes": { "industryRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').industryRoot)]", "platformManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').platform)]", @@ -622,7 +622,7 @@ "corpManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').corp)]", "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]" }, - // Declaring all required deployment uri's used for deployments of composite ARM templates for FSI + // Declaring all required deployment uri's used for deployments of composite ARM templates for FSI. As you can see, it's been quite an effort :-) "azPrivateDnsPolicyMapping": { "https://management.azure.com/": "core/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json", "https://management.usgovcloudapi.net": "core/managementGroupTemplates/policyDefinitions/gov/fairfaxDINE-PrivateDNSZonesPolicySetDefinition.json" 
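Review bot: The replacement comment `// Declaring scopes that will be used for ARM deployments` is less informative than the one it removes, which named the consumers (platform components, policy assignments, subscription placement); keeping those examples costs nothing and tells a reader why each scope exists. In the `@@ -622` hunk the comment still says it introduces deployment URIs but the next key is `azPrivateDnsPolicyMapping`; if the URI block follows further down, a short comment directly above that mapping, `// Maps the cloud endpoint to the private DNS policy set definition used for that cloud`, would keep the two apart.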
@@ -3761,16 +3761,16 @@ "topLevelManagementGroupPrefix": { "value": "[parameters('industryPrefix')]" }, - "eventHubNamespacesPrivateDnsZone": { - "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + "aksDefender": { + "value": "[if(equals(parameters('enableAscForContainers'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" }, - "eventHubNamespacesPrivateDnsZoneId": { - "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]" + "aksDefenderLogAnalyticsWorkspaceResourceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" }, - "eventHubDiagnostics": { + "aksDiagnostics": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" }, - "eventHubLogAnalyticsWorkspaceId": { + "aksLogAnalyticsWorkspaceId": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" }, "userAssignedIdentityResourceId": { @@ -3806,7 +3806,7 @@ "mlDiagnostics": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" }, - "mlLogAnalyticsWorkspaceResourceId": { + "mlLogAnalyticsWorkspaceId": { "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" }, "mlPrivateDnsZone": { From 5d7c8cad1dc597fc09054f978adc83e45d5601d0 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Tue, 28 Feb 2023 22:30:20 +0100 Subject: [PATCH 43/56] correcting params --- .../Compliant-MachineLearningPolicyAssignment.json | 2 +- .../Compliant-StoragePolicyAssignment.json | 12 ++++++------ .../Compliant-StoragePolicySetDefinition.json | 2 +- .../azure/referenceImplementations/fsiPortalV2.json | 3 ++- 4 files changed, 10 insertions(+), 9 deletions(-) 
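Review bot: `aksDefender` is enabled by `enableAscForContainers` while `aksDefenderLogAnalyticsWorkspaceResourceId` is populated only when `enableLogAnalytics` is 'Yes', so the combination Defender = Yes, Log Analytics = No deploys a DINE whose workspace parameter is `''`. Either gate the effect on both toggles, `"value": "[if(and(equals(parameters('enableAscForContainers'), 'Yes'), equals(parameters('enableLogAnalytics'), 'Yes')), 'DeployIfNotExists', 'Disabled')]"`, or document that the policy tolerates an empty workspace ID. The hunk also swaps the Event Hub parameters of this deployment for AKS ones; the enclosing deployment starts outside the hunk, so confirm it is the Kubernetes assignment and that the Event Hub deployment keeps its own copies.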
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json index 5a145183..4140a758 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json @@ -77,7 +77,7 @@ "mlDiagnostics": { "value": "[parameters('mlDiagnostics')]" }, - "mlLogAnalyticsWorkspaceResourceId": { + "mlLogAnalyticsWorkspaceId": { "value": "[parameters('mlLogAnalyticsWorkspaceId')]" }, "mlPrivateDnsZone": { diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json index 2f921696..4fcbcd15 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json 
@@ -218,19 +218,19 @@ }, "variables": { "policyDefinitions": { - "compliantSql": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Sql')]" + "compliantStorage": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Storage')]" }, "policyAssignmentNames": { - "sql": "Compliant-Sql", - "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", - "displayName": "Enforce secure-by-default SQL for Financial Services Industry" + "storage": "Compliant-Storage", + "description": "This policy initiative is a group of policies that ensures Storage is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Storage for Financial Services Industry" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2022-06-01", - "name": "[variables('policyAssignmentNames').sql]", + "name": "[variables('policyAssignmentNames').storage]", "location": "[deployment().location]", "identity": { "type": "UserAssigned", @@ -241,7 +241,7 @@ "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').compliantSql]", + "policyDefinitionId": "[variables('policyDefinitions').compliantStorage]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "storageTablePrivateDnsZone": { diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json index 4edea1b2..e6bc0495 100644 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json @@ -82,7 +82,7 @@ { "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", - "name": "Compliant-Storage-Account", + "name": "Compliant-Storage", "dependsOn": [ "policyDefinitionCopy" ], diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index 5adefc8c..e0dd77e9 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -581,7 +581,8 @@ "Stream Analytics", "Networking", "Storage Account", - "Virtual Machine" + "Virtual Machine", + "Machine Learning" ], "toolTip": "", "multiselect": true, From 569a136f582828975f076e8f6d367ae494952e94 Mon Sep 17 00:00:00 2001 From: Uday Pandya <14359777+uday31in@users.noreply.github.com> Date: Wed, 1 Mar 2023 09:24:50 +0000 Subject: [PATCH 44/56] Network Policies (#374) * Network Policies * Removing duplicate assignments --------- Co-authored-by: Kristian Nese --- .../Compliant-NetworkPolicySetDefinition.json | 128 ++++++++++++++++++ 1 file changed, 128 insertions(+) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json index 881a2f0a..aee16e46 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json 
@@ -1593,9 +1593,137 @@ "p2sLogCategories": { "type": "string", "defaultValue": "allLogs" + }, + "effectAfwEnbaleTlsForAllAppRules": { + "type": "string", + "defaultValue": "Deny" + }, + "effectAfwEnableTlsInspection": { + "type": "string", + "defaultValue": "Deny" + }, + "effectAfwEmptyIDPSBypassList": { + "type": "string", + "defaultValue": "Deny" + }, + "effectAfwEnableAllIDPSSignatureRules": { + "type": "string", + "defaultValue": "Deny" + }, + "effectAfwEnableIDPS": { + "type": "string", + "defaultValue": "Deny" + }, + "effectWafAfdEnabled": { + "type": "string", + "defaultValue": "Deny" + }, + "effectVpnAzureAD": { + "type": "string", + "defaultValue": "Deny" + }, + "effectNetworkSecurityGroupOnGatewaySubnet": { + "type": "string", + "defaultValue": "Deny" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", + "policyDefinitionReferenceId": "35f9c03a-cc27-418e-9c0c-539ff999d010", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectNetworkSecurityGroupOnGatewaySubnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", + "policyDefinitionReferenceId": "21a6bc25-125e-4d13-b82d-2e19b7208ab7", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectVpnAzureAD')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "policyDefinitionReferenceId": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectWafAfdEnabled')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", + "policyDefinitionReferenceId": "6484db87-a62d-4327-9f07-80a2cbdf333a", + 
"groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectAfwEnableIDPS')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", + "policyDefinitionReferenceId": "610b6183-5f00-4d68-86d2-4ab4cb3a67a5", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectAfwEnableAllIDPSSignatureRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", + "policyDefinitionReferenceId": "f516dc7a-4543-4d40-aad6-98f76a706b50", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectAfwEmptyIDPSBypassList')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", + "policyDefinitionReferenceId": "711c24bb-7f18-4578-b192-81a6161e1f17", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectAfwEnableTlsInspection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", + "policyDefinitionReferenceId": "a58ac66d-92cb-409c-94b8-8e48d7a96596", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('effectAfwEnbaleTlsForAllAppRules')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cac9e1c5-c3cb-47fa-8d4c-88b8559262d2", "policyDefinitionReferenceId": "Dine-Diagnostics-P2S", From 7e96b4f192f3003d8744192ccbaa1926c64259d1 Mon Sep 17 00:00:00 2001 
From: Kristian Nese Date: Wed, 1 Mar 2023 10:31:10 +0100 Subject: [PATCH 45/56] adding synapse --- .../Compliant-SynapsePolicyAssignment.json | 121 ++++++++++++++++++ .../Compliant-NetworkPolicySetDefinition.json | 54 ++++---- .../Compliant-SynapsePolicySetDefinition.json | 114 +++++++++++------ .../referenceImplementations/fsiPortalV2.json | 54 ++++---- .../industryArmV2.json | 52 ++++++++ 5 files changed, 302 insertions(+), 93 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json new file mode 100644 index 00000000..b8ec96d7 --- /dev/null +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json 
@@ -0,0 +1,121 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "sqlServerDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlManagedDefender": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbServerDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "sqlDbAllDiagnostics": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "DeployIfNotExists" + ] + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantSql": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Sql')]" + }, + "policyAssignmentNames": { + "sql": "Compliant-Sql", + "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default SQL for Financial Services Industry" + } + }, + "resources": [ + { + "type": 
"Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').sql]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSql]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "sqlServerDiagnostics": { + "value": "[parameters('sqlServerDiagnostics')]" + }, + "sqlServerLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlServerLogAnalyticsWorkspaceId')]" + }, + "sqlManagedDefender": { + "value": "[parameters('sqlManagedDefender')]" + }, + "sqlDbServerDiagnostics": { + "value": "[parameters('sqlDbServerDiagnostics')]" + }, + "sqlDbServerLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlDbServerLogAnalyticsWorkspaceId')]" + }, + "sqlDbAllDiagnostics": { + "value": "[parameters('sqlDbAllDiagnostics')]" + }, + "sqlDbAllLogAnalyticsWorkspaceId": { + "value": "[parameters('sqlDbAllLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json index aee16e46..b8a9cb25 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json 
@@ -1594,35 +1594,31 @@
 "type": "string",
 "defaultValue": "allLogs"
 },
- "effectAfwEnbaleTlsForAllAppRules": {
+ "afwEnbaleTlsForAllAppRules": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "effectAfwEnableTlsInspection": {
+ "afwEnableTlsInspection": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "effectAfwEmptyIDPSBypassList": {
+ "afwEmptyIDPSBypassList": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "effectAfwEnableAllIDPSSignatureRules": {
+ "afwEnableAllIDPSSignatureRules": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "effectAfwEnableIDPS": {
+ "afwEnableIDPS": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "effectWafAfdEnabled": {
+ "wafAfdEnabled": {
 "type": "string",
 "defaultValue": "Deny"
 },
- "effectVpnAzureAD": {
- "type": "string",
- "defaultValue": "Deny"
- },
- "effectNetworkSecurityGroupOnGatewaySubnet": {
+ "vpnAzureAD": {
 "type": "string",
 "defaultValue": "Deny"
 }
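Review bot: The renamed parameter `afwEnbaleTlsForAllAppRules` carries the "Enbale" typo over from the previous commit; once the policySetDefinition is deployed its parameter names are part of its interface, and renaming one later invalidates every assignment that passes it, so correct it before first deployment: `"afwEnableTlsForAllAppRules": {` (the reference in the `policyDefinitions` array must be renamed with it). These effect parameters also accept any string, so a mistyped effect is only rejected by the policy service at assignment time; adding `"allowedValues": ["Audit", "Deny", "Disabled"]` to each lets template validation catch it, assuming those are the effects the referenced built-ins support.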
@@ -1630,97 +1626,93 @@ "policyDefinitions": [ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", - "policyDefinitionReferenceId": "35f9c03a-cc27-418e-9c0c-539ff999d010", + "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet", "groupNames": [ "Network" ], - "parameters": { - "effect": { - "value": "[[parameters('effectNetworkSecurityGroupOnGatewaySubnet')]" - } - } + "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", - "policyDefinitionReferenceId": "21a6bc25-125e-4d13-b82d-2e19b7208ab7", + "policyDefinitionReferenceId": "Deny-VPN-AzureAD", "groupNames": [ "Network" ], "parameters": { "effect": { - "value": "[[parameters('effectVpnAzureAD')]" + "value": "[[parameters('vpnAzureAD')]" } } }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", - "policyDefinitionReferenceId": "055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled", "groupNames": [ "Network" ], "parameters": { "effect": { - "value": "[[parameters('effectWafAfdEnabled')]" + "value": "[[parameters('wafAfdEnabled')]" } } }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", - "policyDefinitionReferenceId": "6484db87-a62d-4327-9f07-80a2cbdf333a", + "policyDefinitionReferenceId": "Deny-Waf-IDPS", "groupNames": [ "Network" ], "parameters": { "effect": { - "value": "[[parameters('effectAfwEnableIDPS')]" + "value": "[[parameters('afwEnableIDPS')]" } } }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", - "policyDefinitionReferenceId": "610b6183-5f00-4d68-86d2-4ab4cb3a67a5", + "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", "groupNames": [ "Network" ], "parameters": { "effect": { - "value": 
"[[parameters('effectAfwEnableAllIDPSSignatureRules')]" + "value": "[[parameters('afwEnableAllIDPSSignatureRules')]" } } }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", - "policyDefinitionReferenceId": "f516dc7a-4543-4d40-aad6-98f76a706b50", + "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", "groupNames": [ "Network" ], "parameters": { "effect": { - "value": "[[parameters('effectAfwEmptyIDPSBypassList')]" + "value": "[[parameters('afwEmptyIDPSBypassList')]" } } }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", - "policyDefinitionReferenceId": "711c24bb-7f18-4578-b192-81a6161e1f17", + "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", "groupNames": [ "Network" ], "parameters": { "effect": { - "value": "[[parameters('effectAfwEnableTlsInspection')]" + "value": "[[parameters('afwEnableTlsInspection')]" } } }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", - "policyDefinitionReferenceId": "a58ac66d-92cb-409c-94b8-8e48d7a96596", + "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", "groupNames": [ "Network" ], "parameters": { "effect": { - "value": "[[parameters('effectAfwEnbaleTlsForAllAppRules')]" + "value": "[[parameters('afwEnbaleTlsForAllAppRules')]" } } }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json index c069d112..b9189dfe 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json 
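Review bot: The reference id `Deny-Waf-IDPS` is attached to the policy driven by `afwEnableIDPS`, while every neighbouring Azure Firewall entry uses the `Deny-FW-` prefix; if that built-in targets Azure Firewall Premium IDPS rather than a WAF, `"policyDefinitionReferenceId": "Deny-FW-IDPS"` keeps the naming consistent and stops the compliance view from mislabelling the control. The same hunk turns `Deny-Nsg-GW-subnet` into `"parameters": {}`, so that policy now runs with whatever effect the built-in defaults to; that is correct only if the definition exposes no `effect` parameter, otherwise the initiative has silently lost the override it had in the previous commit — a one-line comment on that entry stating which case applies would save the next reader the lookup.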
@@ -9,52 +9,51 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ { "properties": { - "displayName": "IP firewall rules on Azure Synapse workspaces should be removed", - "mode": "All", - "description": "Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace.", - "metadata": { - "version": "1.0.0", - "category": "Synapse" - }, - "parameters": { - "effect": { - "type": "String", + "displayName": "IP firewall rules on Azure Synapse workspaces should be removed", + "mode": "All", + "description": "Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. 
This configuration audits creation of firewall rules that allow public network access on the workspace.", "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" + "version": "1.0.0", + "category": "Synapse" }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Synapse/workspaces/firewallrules" + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, - { - "field": "name", - "exists": "true" + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Synapse/workspaces/firewallrules" + }, + { + "field": "name", + "exists": "true" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } } - ] }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-Synapse-Fw-Rules" + "name": "Deny-Synapse-Fw-Rules" } ] } 
@@ -182,9 +181,48 @@ "synapseCmk": { "type": "string", "defaultValue": "Deny" + }, + "synapseDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapseDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapseLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32ba8d30-07c0-4136-ab18-9a11bf4a67b7", + "policyDefinitionReferenceId": "Dine-Synapse-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseDiagnostics')]" + }, + "logAnalyticsWorkspaceId": { + "value": "[[parameters('synapseLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", + "policyDefinitionReferenceId": "Dine-Synapse-Defender", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapseDefender')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", "policyDefinitionReferenceId": "Deny-Synapse-Cmk", @@ -196,7 +234,7 @@ "value": "[[parameters('synapseCmk')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index e0dd77e9..9b6c1ef1 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -562,7 +562,7 @@ "App Service", "Automation", "Backup", - "Compute", + "Compute", "Container Apps", "Container Instance", "Container Registry", 
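Review bot: `synapseDiagnostics` defaults to `DeployIfNotExists` while `synapseLogAnalyticsWorkspaceId` defaults to `""`, so an assignment that takes the initiative's own defaults hands the remediation an empty workspace id and the DINE deployment will most likely fail; either default the effect to `Disabled` or add a `metadata.description` stating that the workspace id is required whenever the effect is DeployIfNotExists. `Dine-Synapse-Defender` is also filed under the `Logging` group although it enables threat protection rather than log collection; a `Security`-style group name keeps the compliance dashboard honest. Neither new effect parameter declares `allowedValues`; `["Disabled", "DeployIfNotExists"]`, as the SQL assignment template in this series uses, would let validation reject a mistyped effect.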
@@ -573,7 +573,7 @@ "Kubernetes", "SQL", "Service Bus", - "Postgre SQL", + "Postgre SQL", "Open AI", "Event Grid", "Event Hub", @@ -581,6 +581,7 @@ "Stream Analytics", "Networking", "Storage Account", + "Synapse", "Virtual Machine", "Machine Learning" ], @@ -658,6 +659,11 @@ "description": "Azure policies will ensure secure by-default compliance for Service Bus, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", "value": "ServiceBus" }, + { + "label": "Synapse", + "description": "Azure policies will ensure secure by-default compliance for Synapse, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", + "value": "Synapse" + }, { "label": "Cosmos DB", "description": "Azure policies will ensure secure by-default compliance for Cosmos DB, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", @@ -1953,7 +1959,7 @@ ] } }, - { + { "name": "esAddressFw", "type": "Microsoft.Common.TextBox", "label": "Subnet for Azure Firewall", @@ -1986,7 +1992,7 @@ ] } }, - { + { "name": "esDedicatedInboundSub", "type": "Microsoft.Common.OptionsGroup", "label": "Use a dedicated subscription for Internet ingress", @@ -2006,7 +2012,7 @@ ] } }, - { + { "name": "esNwAdditionalSubSectionIngress", "type": "Microsoft.Common.Section", "label": "Internet ingress subscription", @@ -2036,7 +2042,7 @@ ] } }, - { + { "name": "esAzFwIngress", "type": "Microsoft.Common.OptionsGroup", "label": "Deploy Azure Firewall", @@ -2056,7 +2062,7 @@ ] } }, - { + { "name": "esAddressFwIngress", "type": "Microsoft.Common.TextBox", "label": "Subnet for Azure Firewall for ingress", @@ -2089,7 +2095,7 @@ ] } }, - { + { "name": "esAzFwSkuIngress", "type": "Microsoft.Common.DropDown", "label": "Select Azure Firewall tier", 
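Review bot: The new Synapse option's description is a verbatim copy of the Service Bus and Cosmos DB text ("private endpoints, double encryption, centralized authorization, and centralized logging"); the Compliant-Synapse initiative in this series visibly enforces customer-managed keys, a minimum TLS version, removal of IP firewall rules, private DNS, Defender and diagnostics, so the UI text should list those controls rather than promise a double-encryption guarantee the initiative may not enforce. Mis-stating what a compliance option does is a security-documentation defect in an FSI landing zone, not just cosmetics.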
@@ -2142,7 +2148,7 @@ ] } }, - { + { "name": "esDedicatedOutboundSub", "type": "Microsoft.Common.OptionsGroup", "label": "Use s dedicated subscription for Internet egress", @@ -2162,7 +2168,7 @@ ] } }, - { + { "name": "esNwAdditionalSubSectionEgress", "type": "Microsoft.Common.Section", "label": "Internet egress subscription", @@ -2192,7 +2198,7 @@ ] } }, - { + { "name": "esAzFwEgress", "type": "Microsoft.Common.OptionsGroup", "label": "Deploy Azure Firewall", @@ -2212,7 +2218,7 @@ ] } }, - { + { "name": "esAddressFwEgress", "type": "Microsoft.Common.TextBox", "label": "Subnet for Azure Firewall for ingress", @@ -2245,7 +2251,7 @@ ] } }, - { + { "name": "esAzFwSkuEgress", "type": "Microsoft.Common.DropDown", "label": "Select Azure Firewall tier", 
@@ -3031,18 +3037,18 @@ "enablePrivateDnsResolver": "[steps('esConnectivityGoalState').esPrivateDnsResolver]", "subnetMaskForDnsResolverInbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverInbound]", "subnetMaskForDnsResolverOutbound": "[steps('esConnectivityGoalState').subnetMaskPrivateDnsResolverOutbound]", - "ingressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionIngress.esNwIngress.subscriptionId]", - "egressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionEgress.esNwEgress.subscriptionId]", - "addressPrefixIngress": "[steps('esConnectivityGoalState').esAddressIngress]", - "addressPrefixEgress": "[steps('esConnectivityGoalState').esAddressEgress]", - "enableAzFwIngress": "[steps('esConnectivityGoalState').esAzFwIngress]", - "enableAzFwEgress": "[steps('esConnectivityGoalState').esAzFwEgress]", - "subnetMaskForAzFwIngress": "[steps('esConnectivityGoalState').esAddressFwIngress]", - "subnetMaskForAzFwEgress": "[steps('esConnectivityGoalState').esAddressFwEgress]", - "firewallSkuIngress": "[steps('esConnectivityGoalState').esAzFwSkuIngress]", - "firewallSkuEgress": "[steps('esConnectivityGoalState').esAzFwSkuEgress]", + "ingressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionIngress.esNwIngress.subscriptionId]", + "egressSubscriptionId": "[steps('esConnectivityGoalState').esNwAdditionalSubSectionEgress.esNwEgress.subscriptionId]", + "addressPrefixIngress": "[steps('esConnectivityGoalState').esAddressIngress]", + "addressPrefixEgress": "[steps('esConnectivityGoalState').esAddressEgress]", + "enableAzFwIngress": "[steps('esConnectivityGoalState').esAzFwIngress]", + "enableAzFwEgress": "[steps('esConnectivityGoalState').esAzFwEgress]", + "subnetMaskForAzFwIngress": "[steps('esConnectivityGoalState').esAddressFwIngress]", + "subnetMaskForAzFwEgress": "[steps('esConnectivityGoalState').esAddressFwEgress]", + "firewallSkuIngress": 
"[steps('esConnectivityGoalState').esAzFwSkuIngress]", + "firewallSkuEgress": "[steps('esConnectivityGoalState').esAzFwSkuEgress]", "firewallZonesIngress": "[steps('esConnectivityGoalState').esFwAzIngress]", - "firewallZonesEgress": "[steps('esConnectivityGoalState').esFwAzEgress]", + "firewallZonesEgress": "[steps('esConnectivityGoalState').esFwAzEgress]", "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').corpLz.esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').corpLz.lzConnectedSubs,'')]" }, "kind": "Tenant", diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index e1f2ba03..836f3bdb 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json 
@@ -691,6 +691,7 @@
 "compliantStoragePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json')]",
 "compliantStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json')]",
 "compliantSynapsePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json')]",
+ "compliantSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json')]",
 "dataPolicyDefinitions": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/dataPolicies.json')]",
 "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/hubspoke-connectivity.json')]",
 "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vwan-connectivity.json')]",
@@ -868,6 +869,7 @@
 "compliantOpenAiAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
 "compliantPostgreAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Postgre', variables('deploymentSuffix')), 64)]",
 "compliantSqlAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-SQL', variables('deploymentSuffix')), 64)]",
+ "compliantSynapseAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Synaps', variables('deploymentSuffix')), 64)]",
 "compliantMachineLearningAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
 "compliantNetworkAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Network', variables('deploymentSuffix')), 64)]",
 "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
@@ -1026,6 +1028,7 @@
 ],
 "baseId": "[concat(variables('platformResourceIds').privateDnsRgResourceId, '/providers/Microsoft.Network/privateDnsZones/')]",
 "privateDnsPolicyParameterMapping": {
+ "azureSynapsePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.sql.azuresynapse.ne')]",
 "azureAutomationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-automation.net')]",
 "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]",
 "azureMlPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]",
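Review bot: `privatelink.sql.azuresynapse.ne` in the new `azureSynapsePrivateDnsZoneId` mapping is missing the trailing `t`, so the zone resource id handed to the `synapsePrivateDnsZone` DINE policy points at a zone that will never exist; the remediation deployment fails and Synapse private endpoints get no private DNS record, leaving name resolution to whatever the public zone returns. Fix: `"azureSynapsePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.sql.azuresynapse.net')]"`. A Synapse workspace's Dev endpoint resolves through a separate zone (`privatelink.dev.azuresynapse.net`) that this mapping does not cover — confirm whether that omission is intended. In the preceding hunk, `'-Enforce-Compliant-Synaps'` fits the `take(…, 64)` cap with the full spelling, so `'-Enforce-Compliant-Synapse'` is clearer.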
@@ -4220,6 +4223,55 @@ // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant } } + }, + { // Creating Policy Assignment Compliant Synapse to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'Synapse')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantSynapseAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantSynapseDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantSynapsePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "synapsePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZoneId": { + "type": "string", + "defaultValue": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSynapsePrivateDnsZoneId, '')]" + }, + "synapseDefender": { + "type": "string", + "defaultValue": "[if(equals(parameters('enableAscForSynapse'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "synapseDiagnostics": { + "type": "string", + "defaultValue": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "synapseLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": 
"[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } }, /* The following section will optionally configure the governance for the Identity management group for the platform From c8adb3cb1bc12bb757cd66c33f6f982381f5f742 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Wed, 1 Mar 2023 10:34:21 +0100 Subject: [PATCH 46/56] update assignment name --- .../Compliant-SynapsePolicyAssignment.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json index b8ec96d7..7cc23c2c 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json 
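Review bot: The new nested deployment reads `parameters('enableAscForSynapse')` and `variables('deploymentNames').compliantSynapseDeploymentName`, neither of which is declared anywhere in this diff; if they are not already present in the template, validation fails for every deployment that selects Synapse, and if `enableAscForSynapse` is missing the Defender toggle for Synapse also never reaches the portal UI. Worth confirming both exist, and adding a `// requires enableAscForSynapse + compliantSynapseDeploymentName` comment on the resource header so the dependency is visible next to the `condition`. The resource block is followed by a multi-line comment that continues outside the hunk.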
@@ -66,19 +66,19 @@ }, "variables": { "policyDefinitions": { - "compliantSql": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Sql')]" + "compliantSynapse": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Synapse')]" }, "policyAssignmentNames": { - "sql": "Compliant-Sql", - "description": "This policy initiative is a group of policies that ensures SQL is compliant per FSI Landing Zones", - "displayName": "Enforce secure-by-default SQL for Financial Services Industry" + "synapse": "Compliant-Synapse", + "description": "This policy initiative is a group of policies that ensures Synapse is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Synapse for Financial Services Industry" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", "apiVersion": "2022-06-01", - "name": "[variables('policyAssignmentNames').sql]", + "name": "[variables('policyAssignmentNames').synapse]", "location": "[deployment().location]", "identity": { "type": "UserAssigned", @@ -89,7 +89,7 @@ "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').compliantSql]", + "policyDefinitionId": "[variables('policyDefinitions').compliantSynapse]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "sqlServerDiagnostics": { From d3c0fcd4ef0dbd2898f125c79fd45c200e41f42b Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Wed, 1 Mar 2023 10:44:30 +0100 Subject: [PATCH 47/56] param mapping --- .../Compliant-SynapsePolicyAssignment.json | 66 +++++-------------- .../industryArmV2.json | 15 ++--- 2 files changed, 23 insertions(+), 58 deletions(-) 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json index 7cc23c2c..baae943f 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json @@ -16,47 +16,23 @@ ], "defaultValue": "Default" }, - "sqlServerDiagnostics": { + "synapsePrivateDnsZone": { "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] + "defaultValue": "DeployIfNotExists" }, - "sqlServerLogAnalyticsWorkspaceId": { + "synapsePrivateDnsZoneId": { "type": "string", "defaultValue": "" }, - "sqlManagedDefender": { + "synapseDefender": { "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] + "defaultValue": "DeployIfNotExists" }, - "sqlDbServerDiagnostics": { + "synapseDiagnostics": { "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] + "defaultValue": "DeployIfNotExists" }, - "sqlDbServerLogAnalyticsWorkspaceId": { - "type": "string", - "defaultValue": "" - }, - "sqlDbAllDiagnostics": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "sqlDbAllLogAnalyticsWorkspaceId": { + "synapseLogAnalyticsWorkspaceId": { "type": "string", "defaultValue": "" }, 
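Review bot: Compared with the SQL assignment this file was cloned from, the new `synapseDefender` and `synapseDiagnostics` parameters drop their `allowedValues`, so a mistyped effect is passed straight to the policy service instead of failing template validation; restore `"allowedValues": ["Disabled", "DeployIfNotExists"]` on both. The defaults also flip from `Disabled` to `DeployIfNotExists` while `synapsePrivateDnsZoneId` and `synapseLogAnalyticsWorkspaceId` default to `""` — the parent template in this series passes consistent pairs, but anyone deploying this template directly with defaults ends up with DINE policies remediating against empty resource ids, so either default the effects to `Disabled` or document in `metadata.description` that the ids are mandatory when the effect is DeployIfNotExists.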
@@ -92,26 +68,20 @@
 "policyDefinitionId": "[variables('policyDefinitions').compliantSynapse]",
 "enforcementMode": "[parameters('enforcementMode')]",
 "parameters": {
- "sqlServerDiagnostics": {
- "value": "[parameters('sqlServerDiagnostics')]"
- },
- "sqlServerLogAnalyticsWorkspaceId": {
- "value": "[parameters('sqlServerLogAnalyticsWorkspaceId')]"
- },
- "sqlManagedDefender": {
- "value": "[parameters('sqlManagedDefender')]"
+ "synapsePrivateDnsZone": {
+ "value": "[parameters('synapsePrivateDnsZone')]"
 },
- "sqlDbServerDiagnostics": {
- "value": "[parameters('sqlDbServerDiagnostics')]"
+ "synapsePrivateDnsZoneId": {
+ "value": "[parameters('synapsePrivateDnsZoneId')]"
 },
- "sqlDbServerLogAnalyticsWorkspaceId": {
- "value": "[parameters('sqlDbServerLogAnalyticsWorkspaceId')]"
+ "synapseDefender": {
+ "value": "[parameters('synapseDefender')]"
 },
- "sqlDbAllDiagnostics": {
- "value": "[parameters('sqlDbAllDiagnostics')]"
+ "synapseDiagnostics": {
+ "value": "[parameters('synapseDiagnostics')]"
 },
- "sqlDbAllLogAnalyticsWorkspaceId": {
- "value": "[parameters('sqlDbAllLogAnalyticsWorkspaceId')]"
+ "synapseLogAnalyticsWorkspaceId": {
+ "value": "[parameters('synapseLogAnalyticsWorkspaceId')]"
 }
 }
 }
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 836f3bdb..c8058238 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -4248,24 +4248,19 @@
 "value": "[parameters('industryPrefix')]"
 },
 "synapsePrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
+ "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
 "synapsePrivateDnsZoneId": {
- "type": "string",
- "defaultValue": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSynapsePrivateDnsZoneId, '')]"
+ "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSynapsePrivateDnsZoneId, '')]"
 },
 "synapseDefender": {
- "type": "string",
- "defaultValue": "[if(equals(parameters('enableAscForSynapse'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(equals(parameters('enableAscForSynapse'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
 "synapseDiagnostics": {
- "type": "string",
- "defaultValue": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
 "synapseLogAnalyticsWorkspaceId": {
- "type": "string",
- "defaultValue": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
+ "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
 },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
From 21a673b1a050bdff0fa7aaa2253111cc602d7a08 Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Wed, 1 Mar 2023 17:52:13 +0100
Subject: [PATCH 48/56] compliant corp lz
---
 .../mgmtGroupStructure/mgmtGroups.json | 27 +
 .../Compliant-CorpLzPolicyAssignment.json | 464 +++++++++++
 .../Compliant-OpenAiPolicyAssignment.json | 2 +-
 .../Compliant-CorpLzPolicySetDefinition.json | 738 ++++++++++++++++++
 .../industryArmV2.json | 280 ++++++-
 5 files changed, 1483 insertions(+), 28 deletions(-)
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
 create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
index a0309be5..78d5bbb3 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json
@@ -164,6 +164,33 @@
 }
 }
 }
+ },
+ {
+ // One of Azure's untold stories.....
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat('Consistency-', copyIndex())]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Management/managementGroups', variables('managementGroups').landingZone)]"
+ ],
+ "copy": {
+ "batchSize": 1,
+ "count": 21,
+ "mode": "Serial",
+ "name": "Consistency"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [],
+ "outputs": {}
+ }
+ }
 }
 ],
 "outputs": {}
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
new file mode 100644
index 00000000..3f70ab0c
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
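Review bot: The `// One of Azure's untold stories.....` comment on the new `Consistency` deployment does not tell a maintainer what 21 serial, empty nested deployments are for, and nothing else in the resource does either, so `count` and `batchSize` will read as dead code to the next person who touches this file. Presumably this is a deliberate delay that lets the freshly created management-group hierarchy replicate before later deployments target it; if that is the reason, state it and how the number was chosen, e.g. `// Serial no-op deployments that wait on the new management groups so the hierarchy has time to replicate before dependent deployments target it; count/batchSize chosen empirically`. Note also that `//` comments are accepted by the ARM deployment tooling but not by strict JSON parsers, so any linting or schema validation of this file needs a JSONC-aware tool. The `resources` array this entry belongs to starts before the hunk.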
@@ -0,0 +1,464 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "storageTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileSyncPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageFileSyncPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "type": "string", + 
"defaultValue": "" + }, + "storageQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "appServiceAppsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "aaPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aaPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "asrPrivateDnsZone-Backup": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Blob": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Queue": { + "type": "string", + "defaultValue": "" + }, + "diskPrivateDns": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "diskPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosDbPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "" + }, + "containerRegistryPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "containerRegistryPrivateDnsZoneId": { + "type": 
"string", + "defaultValue": "" + }, + "adfPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridDomainPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridTopicPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventHubNamespacesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "mlSecondPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cognitiveServicesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cognitiveServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusDinePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "policyDefinitions": { + "compliantCorpLz": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), 
'/providers/Microsoft.Authorization/policySetDefinitions/Compliant-Corp-Lz')]" + }, + "policyAssignmentNames": { + "corpLz": "Compliant-Corp-Lz", + "description": "This policy initiative is a group of policies that ensures Corp Connected Landing Zones are compliant per Financial Services Industry requirements", + "displayName": "Enforce secure-by-default Corp Connected Landing Zones for Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').corpLz]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantCorpLz]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "storageTablePrivateDnsZone": { + "value": "[parameters('storageTablePrivateDnsZone')]" + }, + "storageTablePrivateDnsZoneId": { + "value": "[parameters('storageTablePrivateDnsZoneId')]" + }, + "storageSecondaryTablePrivateDnsZone": { + "value": "[parameters('storageSecondaryTablePrivateDnsZone')]" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "value": "[parameters('storageSecondaryTablePrivateDnsZoneId')]" + }, + "storageFileSyncPrivateDnsZone": { + "value": "[parameters('storageFileSyncPrivateDnsZone')]" + }, + "storageFileSyncPrivateDnsZoneId": { + "value": "[parameters('storageFileSyncPrivateDnsZoneId')]" + }, + "storageFileDnsZone": { + "value": "[parameters('storageFileDnsZone')]" + }, + "storageFileDnsZoneId": { + "value": "[parameters('storageFileDnsZoneId')]" + }, + "storageBlobPrivateDnsZone": { + "value": "[parameters('storageBlobPrivateDnsZone')]" + }, + "storageBlobPrivateDnsZoneId": { + 
"value": "[parameters('storageBlobPrivateDnsZoneId')]" + }, + "storageSecondaryBlobPrivateDnsZone": { + "value": "[parameters('storageSecondaryBlobPrivateDnsZone')]" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryBlobPrivateDnsZoneId')]" + }, + "storageDfsPrivateDnsZone": { + "value": "[parameters('storageDfsPrivateDnsZone')]" + }, + "storageDfsPrivateDnsZoneId": { + "value": "[parameters('storageDfsPrivateDnsZoneId')]" + }, + "storageSecondaryDfsPrivateDnsZone": { + "value": "[parameters('storageSecondaryDfsPrivateDnsZone')]" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryDfsPrivateDnsZoneId')]" + }, + "storageQueuePrivateDnsZone": { + "value": "[parameters('storageQueuePrivateDnsZone')]" + }, + "storageQueuePrivateDnsZoneId": { + "value": "[parameters('storageQueuePrivateDnsZoneId')]" + }, + "storageSecondaryQueuePrivateDnsZone": { + "value": "[parameters('storageSecondaryQueuePrivateDnsZone')]" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "value": "[parameters('storageSecondaryQueuePrivateDnsZoneId')]" + }, + "storageWebPrivateDnsZone": { + "value": "[parameters('storageWebPrivateDnsZone')]" + }, + "storageWebPrivateDnsZoneId": { + "value": "[parameters('storageWebPrivateDnsZoneId')]" + }, + "storageSecondaryWebPrivateDnsZone": { + "value": "[parameters('storageSecondaryWebPrivateDnsZone')]" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "value": "[parameters('storageSecondaryWebPrivateDnsZoneId')]" + }, + "aaPrivateDnsZoneId": { + "value": "[parameters('aaPrivateDnsZoneId')]" + }, + "aaPrivateDnsZone": { + "value": "[parameters('aaPrivateDnsZone')]" + }, + "appServiceAppsPrivateDnsZone": { + "value": "[parameters('appServiceAppsPrivateDnsZone')]" + }, + "appServiceAppsPrivateDnsZoneId": { + "value": "[parameters('appServiceAppsPrivateDnsZoneId')]" + }, + "asrPrivateDnsZone": { + "value": "[parameters('asrPrivateDnsZone')]" + }, + "asrPrivateDnsZone-Backup": { + 
"value": "[parameters('asrPrivateDnsZone-Backup')]" + }, + "asrPrivateDnsZone-Blob": { + "value": "[parameters('asrPrivateDnsZone-Blob')]" + }, + "asrPrivateDnsZone-Queue": { + "value": "[parameters('asrPrivateDnsZone-Queue')]" + }, + "diskPrivateDns": { + "value": "[parameters('diskPrivateDns')]" + }, + "diskPrivateDnsZoneId": { + "value": "[parameters('diskPrivateDnsZoneId')]" + }, + "containerRegistryPrivateDnsZone": { + "value": "[parameters('containerRegistryPrivateDnsZone')]" + }, + "containerRegistryPrivateDnsZoneId": { + "value": "[parameters('containerRegistryPrivateDnsZoneId')]" + }, + "cosmosDbPrivateDnsZone": { + "value": "[parameters('cosmosDbPrivateDnsZone')]" + }, + "cosmosDbPrivateDnsZoneId": { + "value": "[parameters('cosmosDbPrivateDnsZoneId')]" + }, + "cosmosDbPrivateEndpointGroupId": { + "value": "[parameters('cosmosDbPrivateEndpointGroupId')]" + }, + "adfPrivateDnsZone": { + "value": "[parameters('adfPrivateDnsZone')]" + }, + "adfPrivateDnsZoneId": { + "value": "[parameters('adfPrivateDnsZoneId')]" + }, + "eventGridDomainPrivateDnsZone": { + "value": "[parameters('eventGridDomainPrivateDnsZone')]" + }, + "eventGridDomainPrivateDnsZoneId": { + "value": "[parameters('eventGridDomainPrivateDnsZoneId')]" + }, + "eventGridTopicPrivateDnsZone": { + "value": "[parameters('eventGridTopicPrivateDnsZone')]" + }, + "eventGridTopicPrivateDnsZoneId": { + "value": "[parameters('eventGridTopicPrivateDnsZoneId')]" + }, + "eventHubNamespacesPrivateDnsZone": { + "value": "[parameters('eventHubNamespacesPrivateDnsZone')]" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "value": "[parameters('eventHubNamespacesPrivateDnsZoneId')]" + }, + "keyVaultPrivateDnsZoneId": { + "value": "[parameters('keyVaultPrivateDnsZoneId')]" + }, + "keyVaultPrivateDnsZone": { + "value": "[parameters('keyVaultPrivateDnsZone')]" + }, + "mlPrivateDnsZone": { + "value": "[parameters('mlPrivateDnsZone')]" + }, + "mlPrivateDnsZoneId": { + "value": "[parameters('mlPrivateDnsZoneId')]" + }, + 
"mlSecondPrivateDnsZoneId": {
+ "value": "[parameters('mlSecondPrivateDnsZoneId')]"
+ },
+ "cognitiveServicesPrivateDnsZone": {
+ "value": "[parameters('cognitiveServicesPrivateDnsZone')]"
+ },
+ "cognitiveServicesPrivateDnsZoneId": {
+ "value": "[parameters('cognitiveServicesPrivateDnsZoneId')]"
+ },
+ "serviceBusDinePrivateDnsZone": {
+ "value": "[parameters('serviceBusDinePrivateDnsZone')]"
+ },
+ "serviceBusPrivateDnsZoneId": {
+ "value": "[parameters('serviceBusPrivateDnsZoneId')]"
+ },
+ "synapsePrivateDnsZone": {
+ "value": "[parameters('synapsePrivateDnsZone')]"
+ },
+ "synapsePrivateDnsZoneId": {
+ "value": "[parameters('synapsePrivateDnsZoneId')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
index b81a958c..e61cab0f 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
@@ -62,7 +62,7 @@
 "cognitiveServicesPrivateDnsZone": {
 "value": "[parameters('cognitiveServicesPrivateDnsZone')]"
 },
- "cognitiveServicesPrivateDnsZoneI": {
+ "cognitiveServicesPrivateDnsZoneId": {
 "value": "[parameters('cognitiveServicesPrivateDnsZoneId')]"
 }
 }
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
new file mode 100644
index 00000000..08728bb7
--- /dev/null
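Review bot: `userAssignedIdentityResourceId` in the new Compliant-CorpLzPolicyAssignment.json defaults to `""`, yet the assignment's `identity.userAssignedIdentities` uses it directly as an object key, so a deployment that omits the parameter produces `{"": {}}` and, because the set appears to consist entirely of DeployIfNotExists policies that need this identity for remediation, is likely to fail late with an opaque error instead of at validation. Dropping the `defaultValue` (or adding `"minLength": 1`) makes the identity mandatory and surfaces the omission at validation time; a `metadata.description` stating which role the identity must hold at the assignment scope would help the same reader. `cosmosDbPrivateEndpointGroupId` likewise defaults to `""` here and in the set definition, whereas `aaPrivateEndpointGroupId` in the set definition gets a concrete default — if the built-in Cosmos DB private-DNS policy constrains its group id to the API names, an empty string will be rejected when the assignment is created, so either default it to one API or make it required as well. The `\ No newline at end of file` on this new file is a style nit worth fixing for clean future diffs.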
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json 
@@ -0,0 +1,738 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "FSIDemo" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Corp-Lz", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Corp Connected Landing Zones" + }, + "displayName": "Enforce secure-by-default Corp Connected Landing Zones for Financial Services Industry", + "description": "This policy initiative is a group of policies that ensures Corp Connected Landing Zones are compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + 
"displayName": "Ensure Storage Account is using secure encryption", + "description": "Policy to ensure Storage Account is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Storage Account is not accessible over the public internet", + "description": "Policy to ensure Storage Account is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Storage Account", + "description": "Policy to ensure Storage Account is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Storage Account is logging all events to Log Analytics", + "description": "Policy to ensure Storage Account is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "storageTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryTablePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileSyncPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageFileSyncPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "type": 
"string", + "defaultValue": "" + }, + "storageDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryWebPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "appServiceAppsPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "appServiceAppsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "aaPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "aaPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "aaPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "DSCAndHybridWorker" + }, + "asrPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "asrPrivateDnsZone-Backup": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Blob": { + "type": "string", + "defaultValue": "" + }, + "asrPrivateDnsZone-Queue": { + "type": "string", + "defaultValue": "" + }, + "diskPrivateDns": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + 
"diskPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cosmosDbPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cosmosDbPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "" + }, + "containerRegistryPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "containerRegistryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "adfPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridDomainPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridDomainPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventGridTopicPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventGridTopicPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "eventHubNamespacesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "mlPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "mlSecondPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "cognitiveServicesPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cognitiveServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "serviceBusDinePrivateDnsZone": { + "type": "string", + "defaultValue": 
"DeployIfNotExists" + }, + "synapsePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "synapsePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "policyDefinitionReferenceId": "Dine-Synapse-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('synapsePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('synapsePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "policyDefinitionReferenceId": "DINE-Sb-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDinePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('serviceBusPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "policyDefinitionReferenceId": "Dine-Cognitive-Services-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('cognitiveServicesPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "policyDefinitionReferenceId": "Dine-ML-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('mlPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('mlPrivateDnsZoneId')]" + }, + "secondPrivateDnsZoneId": { + "value": "[[parameters('mlSecondPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "policyDefinitionReferenceId": "DINE-KV-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('keyVaultPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "policyDefinitionReferenceId": "Dine-EH-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventHubNamespacesPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "policyDefinitionReferenceId": "Dine-EventGrid-Topic-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventGridTopicPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "policyDefinitionReferenceId": "Dine-EventGrid-Domain-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('eventGridDomainPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('eventGridDomainPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "policyDefinitionReferenceId": "Dine-Adf-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": 
"[[parameters('adfPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "policyDefinitionReferenceId": "Dine-ContainerRegistry-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('containerRegistryPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "policyDefinitionReferenceId": "Dine-CosmosDb-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbPrivateDnsZone')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('cosmosDbPrivateEndpointGroupId')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('cosmosDbPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "policyDefinitionReferenceId": "Dine-Disk-Private-DNS", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('diskPrivateDns')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('diskPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", + "policyDefinitionReferenceId": "Dine-Asr-Private-Dns-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('asrPrivateDnsZone')]" + }, + "privateDnsZone-Backup": { + "value": "[[parameters('asrPrivateDnsZone-Backup')]" + }, + "privateDnsZone-Blob": { + "value": "[[parameters('asrPrivateDnsZone-Blob')]" + }, + "privateDnsZone-Queue": { + "value": "[[parameters('asrPrivateDnsZone-Queue')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "policyDefinitionReferenceId": "Dine-Aa-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('aaPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('aaPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('aaPrivateEndpointGroupId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Private-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('appServiceAppsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", + "policyDefinitionReferenceId": "Dine-Storage-Blob-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageBlobPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageBlobPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryBlob-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "policyDefinitionReferenceId": "Dine-Storage-Dfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('storageDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryDfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "policyDefinitionReferenceId": "Dine-Storage-Queue-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageQueuePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryQueue-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "policyDefinitionReferenceId": "Dine-Storage-Web-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageWebPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "policyDefinitionReferenceId": 
"Dine-Storage-SecondaryWeb-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6", + "policyDefinitionReferenceId": "Dine-Storage-FileGroupId-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageFileDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageFileDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", + "policyDefinitionReferenceId": "Dine-Table-Storage-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('storageTablePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('storageTablePrivateDnsZone')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", + "policyDefinitionReferenceId": "Dine-SecondaryTable-Storage-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryTablePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('storageSecondaryTablePrivateDnsZone')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "policyDefinitionReferenceId": "Dine-Storage-File-Sync-Private-Dns", + "groupNames": [ + "Network" + ], + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('storageFileSyncPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('storageFileSyncPrivateDnsZone')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index c8058238..ccdb5fd2 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -646,6 +646,8 @@
 "policyIdentity": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/policyIdentity.json')]",
 "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]",
 "policyDefinitions": "[uri(deployment().properties.templateLink.uri, variables('azPolicyArmTemplate'))]",
+ "compliantCorpLzPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json')]",
+ "compliantCorpLzPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json')]",
 "compliantApiMPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-APIManagementPolicySetDefinition.json')]",
 "compliantApimPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-ApimPolicyAssignment.json')]",
 "compliantAppServicePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json')]",
@@ -758,29 +760,30 @@
 "customRbacDeploymentName": "[take(concat(parameters('industry'), '-RoleDefinitions', variables('deploymentSuffix')), 64)]",
 "allowedRegionsDeploymentName": "[take(concat(parameters('industry'), '-Azure-Regions', variables('deploymentSuffix')), 64)]",
 "allowedRgRegionsDeploymentName": "[take(concat(parameters('industry'), '-Azure-RG-Regions', variables('deploymentSuffix')), 64)]",
- "compliantApimDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Apim', variables('deploymentSuffix')), 64)]",
- "compliantAppServiceDeploymentName": "[take(concat(parameters('industry'), 'Compliant-AppService', variables('deploymentSuffix')), 64)]",
- "compliantAutomationDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Automation', variables('deploymentSuffix')), 64)]",
- "compliantBackupDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Backup', variables('deploymentSuffix')), 64)]",
- "compliantComputeDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Compute', variables('deploymentSuffix')), 64)]",
- "compliantContainerAppsDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
- "compliantContainerInstanceDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
- "compliantContainerRegistryDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
- "compliantCosmosDbDeploymentName": "[take(concat(parameters('industry'), 'Compliant-CosmosDb', variables('deploymentSuffix')), 64)]",
- "compliantDataExplorerDeploymentName": "[take(concat(parameters('industry'), 'Compliant-DataExplorer', variables('deploymentSuffix')), 64)]",
- "compliantDataFactoryDeploymentName": "[take(concat(parameters('industry'), 'Compliant-DataFactory', variables('deploymentSuffix')), 64)]",
- "compliantEventGridDeploymentName": "[take(concat(parameters('industry'), 'Compliant-EventGrid', variables('deploymentSuffix')), 64)]",
- "compliantEventHubDeploymentName": "[take(concat(parameters('industry'), 'Compliant-EventHub', variables('deploymentSuffix')), 64)]",
- "compliantKeyVaultDeploymentName": "[take(concat(parameters('industry'), 'Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
- "compliantKubernetesDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
- "compliantMachineLearningDeploymentName": "[take(concat(parameters('industry'), 'Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
- "compliantNetworkDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Network', variables('deploymentSuffix')), 64)]",
- "compliantOpenAiDeploymentName": "[take(concat(parameters('industry'), 'Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
- "compliantPostgreDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Postgre', variables('deploymentSuffix')), 64)]",
- "compliantServiceBusDeploymentName": "[take(concat(parameters('industry'), 'Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
- "compliantSqlDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Sql', variables('deploymentSuffix')), 64)]",
- "compliantStorageDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Storage', variables('deploymentSuffix')), 64)]",
- "compliantSynapseDeploymentName": "[take(concat(parameters('industry'), 'Compliant-Synapse', variables('deploymentSuffix')), 64)]",
+ "compliantCorpLzDeploymentName": "[take(concat(parameters('industry'), '-Compliant-CorpLz', variables('deploymentSuffix')), 64)]",
+ "compliantApimDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Apim', variables('deploymentSuffix')), 64)]",
+ "compliantAppServiceDeploymentName": "[take(concat(parameters('industry'), '-Compliant-AppService', variables('deploymentSuffix')), 64)]",
+ "compliantAutomationDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Automation', variables('deploymentSuffix')), 64)]",
+ "compliantBackupDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Backup', variables('deploymentSuffix')), 64)]",
+ "compliantComputeDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Compute', variables('deploymentSuffix')), 64)]",
+ "compliantContainerAppsDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
+ "compliantContainerInstanceDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerInstance', variables('deploymentSuffix')), 64)]",
+ "compliantContainerRegistryDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ContainerRegistry', variables('deploymentSuffix')), 64)]",
+ "compliantCosmosDbDeploymentName": "[take(concat(parameters('industry'), '-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]",
+ "compliantDataExplorerDeploymentName": "[take(concat(parameters('industry'), '-Compliant-DataExplorer', variables('deploymentSuffix')), 64)]",
+ "compliantDataFactoryDeploymentName": "[take(concat(parameters('industry'), '-Compliant-DataFactory', variables('deploymentSuffix')), 64)]",
+ "compliantEventGridDeploymentName": "[take(concat(parameters('industry'), '-Compliant-EventGrid', variables('deploymentSuffix')), 64)]",
+ "compliantEventHubDeploymentName": "[take(concat(parameters('industry'), '-Compliant-EventHub', variables('deploymentSuffix')), 64)]",
+ "compliantKeyVaultDeploymentName": "[take(concat(parameters('industry'), '-Compliant-KeyVault', variables('deploymentSuffix')), 64)]",
+ "compliantKubernetesDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Kubernetes', variables('deploymentSuffix')), 64)]",
+ "compliantMachineLearningDeploymentName": "[take(concat(parameters('industry'), '-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
+ "compliantNetworkDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Network', variables('deploymentSuffix')), 64)]",
+ "compliantOpenAiDeploymentName": "[take(concat(parameters('industry'), '-Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
+ "compliantPostgreDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Postgre', variables('deploymentSuffix')), 64)]",
+ "compliantServiceBusDeploymentName": "[take(concat(parameters('industry'), '-Compliant-ServiceBus', variables('deploymentSuffix')), 64)]",
+ "compliantSqlDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Sql', variables('deploymentSuffix')), 64)]",
+ "compliantStorageDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Storage', variables('deploymentSuffix')), 64)]",
+ "compliantSynapseDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Synapse', variables('deploymentSuffix')), 64)]",
 "mgmtSubscriptionPlacement": "[take(concat(parameters('industry'), '-MgmtSub', variables('deploymentSuffix')), 64)]",
 "policyIdentityDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentity', variables('deploymentSuffix')), 64)]",
 "policyIdentityRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentityRoleAssignment', variables('deploymentSuffix')), 64)]",
@@ -857,6 +860,7 @@
 "denyVnetPeeringDeploymentName": "[take(concat(parameters('industry'), '-VNetPeering', variables('deploymentSuffix')), 64)]",
 "budgetDeploymentName": "[take(concat(parameters('industry'), '-Budget', variables('deploymentSuffix')), 64)]",
 // Compliant Azure Service Policy Assignment deployment names
+ "compliantCorpLzAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CorpLz', variables('deploymentSuffix')), 64)]",
 "compliantAutomationAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Auto', variables('deploymentSuffix')), 64)]",
 "compliantBackupAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Backup', variables('deploymentSuffix')), 64)]",
 "compliantCosmosDbAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-CosmosDb', variables('deploymentSuffix')), 64)]",
@@ -869,7 +873,7 @@
 "compliantOpenAiAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-OpenAi', variables('deploymentSuffix')), 64)]",
 "compliantPostgreAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Postgre', variables('deploymentSuffix')), 64)]",
 "compliantSqlAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-SQL', variables('deploymentSuffix')), 64)]",
- "compliantSynapseAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Synaps', variables('deploymentSuffix')), 64)]",
+ "compliantSynapseAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Synapse', variables('deploymentSuffix')), 64)]",
 "compliantMachineLearningAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-MachineLearning', variables('deploymentSuffix')), 64)]",
 "compliantNetworkAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Network', variables('deploymentSuffix')), 64)]",
 "compliantContainerAppsAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-ContainerApps', variables('deploymentSuffix')), 64)]",
@@ -1153,7 +1157,31 @@
 }
 }
 }
- },
+ },
+ {
+ // Deploying Compliant Corp Lz PolicySetDefinition
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').compliantCorpLzDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantCorpLzPolicySetDefinition]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
 {
 // Deploying Compliant APIM PolicySetDefinition
 "type": "Microsoft.Resources/deployments",
@@ -3931,7 +3959,7 @@
 }
 },
 { // Creating Policy Assignment Compliant Open Ai to Landing Zone scope
- "condition": "[contains(parameters('compliantAzureServices'), 'OpenAI')]",
+ "condition": "[contains(parameters('compliantAzureServices'), 'OpenAi')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
 "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
@@ -3956,7 +3984,7 @@
 "cognitiveServicesPrivateDnsZone": {
 "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
- "cognitiveServicesPrivateDnsZoneI": {
+ "cognitiveServicesPrivateDnsZoneId": {
 "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCognitiveServicesPrivateDnsZoneId, '')]"
 },
 "userAssignedIdentityResourceId": {
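Review bot: The new Compliant-CorpLz policy-set deployment is declared with `"apiVersion": "2019-10-01"` while the assignment deployments touched in the same commit (the Open Ai one in the @@ -3931 hunk and the Corp LZ assignment in the @@ -4224 hunk) use `"apiVersion": "2021-04-01"`. Both versions deploy, but mixing them in one orchestrator makes what-if output and future version bumps harder to audit; if the neighbouring definition deployments (the APIM one is cut off at the end of this hunk) also use 2019-10-01 this is at least consistent with them, otherwise align on `"apiVersion": "2021-04-01"`. The resources array this entry belongs to continues outside the hunk.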
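Review bot: The two one-line fixes in the @@ -3931 and @@ -3956 hunks (`'OpenAI'` → `'OpenAi'` and `cognitiveServicesPrivateDnsZoneI` → `cognitiveServicesPrivateDnsZoneId`) correct failures that only surface at deploy time and only when that service is selected: `contains()` over an array is case-sensitive, and a parameter the linked template does not declare is rejected by Resource Manager. Nothing in the template itself catches the next such drift, so a validation or what-if run in CI that passes every allowed value of `compliantAzureServices` with `enablePrivateDnsZones` set to `'Yes'` would be a cheap guard; I cannot see where the allowed values are declared, presumably in the parameters section outside this hunk. A short comment at the condition line, `// must match a compliantAzureServices allowedValues entry exactly (case-sensitive)`, would also help the next editor.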
@@ -4224,6 +4252,204 @@ } } }, + { // Creating Policy Assignment Compliant Corp Connected to Corp Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'StorageAccount')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantCorpLzAssignmentDeploymentName]", + "scope": "[variables('scopes').corpManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantCorpLzDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantCorpLzPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "storageTablePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageTablePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageTablePrivateDnsZoneId, '')]" + }, + "storageSecondaryTablePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryTablePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageTablePrivateDnsZoneId, '')]" + }, + "storageFileSyncPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 
'DeployIfNotExists', 'Disabled')]" + }, + "storageFileSyncPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFileSyncPrivateDnsZoneId, '')]" + }, + "storageFileDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageFileDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFilePrivateDnsZoneId, '')]" + }, + "storageBlobPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageBlobPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageBlobPrivateDnsZoneId, '')]" + }, + "storageSecondaryBlobPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageBlobPrivateDnsZoneId, '')]" + }, + "storageDfsPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageDfsPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageDfsPrivateDnsZoneId, '')]" + }, + "storageSecondaryDfsPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryDfsPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageDfsPrivateDnsZoneId, '')]" + }, + "storageQueuePrivateDnsZone": { + "value": 
"[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageQueuePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageQueuePrivateDnsZoneId, '')]" + }, + "storageSecondaryQueuePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageQueuePrivateDnsZoneId, '')]" + }, + "storageWebPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageWebPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageWebPrivateDnsZoneId, '')]" + }, + "storageSecondaryWebPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageWebPrivateDnsZoneId, '')]" + }, + "appServiceAppsPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "appServiceAppsPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureAppServicesPrivateDnsZoneId, '')]" + }, + "aaPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "aaPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureAutomationPrivateDnsZoneId, 
'')]" + }, + "asrPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "asrPrivateDnsZone-Backup": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupPrivateDnsZoneId, '')]" + }, + "asrPrivateDnsZone-Blob": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupBlobPrivateDnsZoneId, '')]" + }, + "asrPrivateDnsZone-Queue": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupQueuePrivateDnsZoneId, '')]" + }, + "diskPrivateDns": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "diskPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureManagedDiskPrivateDnsZoneId, '')]" + }, + "containerRegistryPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "containerRegistryPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureContainerRegistryPrivateDnsZoneId, '')]" + }, + "cosmosDbPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "cosmosDbPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCosmosSqlPrivateDnsZoneId, '')]" + }, + "cosmosDbPrivateEndpointGroupId": { + "value": "Sql" + }, + "adfPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "adfPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 
variables('privateDnsPolicyParameterMapping').azureDataFactoryPrivateDnsZoneId, '')]" + }, + "keyVaultPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "keyVaultPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]" + }, + "eventGridDomainPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridDomainPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]" + }, + "eventGridTopicPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventGridTopicPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]" + }, + "eventHubNamespacesPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "eventHubNamespacesPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]" + }, + "mlPrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "mlPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]" + }, + "mlSecondPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]" + }, + "cognitiveServicesPrivateDnsZone": { + 
"value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "cognitiveServicesPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCognitiveServicesPrivateDnsZoneId, '')]" + }, + "serviceBusDinePrivateDnsZone": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "serviceBusPrivateDnsZoneId": { + "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + // Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant + } + } + }, { // Creating Policy Assignment Compliant Synapse to Landing Zone scope "condition": "[contains(parameters('compliantAzureServices'), 'Synapse')]", "type": "Microsoft.Resources/deployments", From ac6c9585ae742cf5feb7add58f041c34c2f87171 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Wed, 1 Mar 2023 17:53:36 +0100 Subject: [PATCH 49/56] update condition --- foundations/azure/referenceImplementations/industryArmV2.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json index ccdb5fd2..08e05981 100644 --- a/foundations/azure/referenceImplementations/industryArmV2.json +++ b/foundations/azure/referenceImplementations/industryArmV2.json 
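Review bot: The last entry of the `parameters` object carries an unfinished TODO, `// Add parameter to toggle DINE to 'disabled' of condition is not met so the policy does not show up as non-compliant`; besides the typo (`of` → `if`) it is unclear what it still asks for, since every `...PrivateDnsZone` effect in this block already falls back to `'Disabled'` when `enablePrivateDnsZones` is not `'Yes'`. Either implement it or replace it with a comment that records the decision, e.g. `// DINE effects are 'Disabled' unless enablePrivateDnsZones is 'Yes', so unused services do not report non-compliance`. Style: the expression `[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]` is repeated about thirty times; one variable (for example `privateDnsDineEffect`, name is a suggestion) referenced as `"value": "[variables('privateDnsDineEffect')]"` would turn a future effect change into a single edit. Minor: `dependsOn` mixes a bare `"dnsZones"` with three `resourceId(...)` entries; the enclosing resources array continues outside the hunk.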
@@ -4253,7 +4253,7 @@
 }
 },
 { // Creating Policy Assignment Compliant Corp Connected to Corp Landing Zone scope
- "condition": "[contains(parameters('compliantAzureServices'), 'StorageAccount')]",
+ "condition": "[equals(parameters('enablePrivateDnsZones'), 'Yes')]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
 "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]",
From 46c173755bb4cd6de53181e369bb4c70cec4c048 Mon Sep 17 00:00:00 2001 From: Kristian Nese Date: Wed, 1 Mar 2023 18:00:25 +0100 Subject: [PATCH 50/56] fixing url
---
 foundations/azure/referenceImplementations/industryArmV2.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 08e05981..f0728896 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
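Review bot: With the deployment now gated on `[equals(parameters('enablePrivateDnsZones'), 'Yes')]`, every per-parameter `[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]` and the matching `..., '')` fallback inside this resource's `parameters` (outside the hunk, in the block added by the wave #1 commit) can no longer take its else branch; reducing them to the literal `'DeployIfNotExists'` and the mapping value makes the intent readable without tracing the condition. The new condition also drops the `compliantAzureServices` check, so the Corp LZ assignment, which carries DINE private-DNS policies for Cosmos DB, Data Factory, Machine Learning and others, is now created whenever private DNS zones are enabled regardless of which services were selected; if that convergence is intended, say so in the `// Creating Policy Assignment ...` header comment so the service filter is not reintroduced later. The enclosing resource continues outside the hunk.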
@@ -683,7 +683,7 @@
 "compliantNetworkPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-NetworkPolicySetDefinition.json')]",
 "compliantNetworkPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-NetworkPolicyAssignment.json')]",
 "compliantOpenAiPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json')]",
- "compliantOpenAiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicySetAssignment.json')]",
+ "compliantOpenAiPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json')]",
 "compliantPostgrePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-PostgreSQLPolicySetDefinition.json')]",
 "compliantPostgrePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-PostgreSQLPolicyAssignment.json')]",
 "compliantServiceBusPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json')]",
From a2a4464f06adc7f3895bbc72f262dd2e8a42901e Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Wed, 1 Mar 2023 20:54:26 +0100
Subject: [PATCH 51/56] converge on private DNS across verticals
---
 .../Compliant-OpenAiPolicyAssignment.json | 9 +-
 ...pliant-AppServicesPolicySetDefinition.json | 23 --
 ...mpliant-AutomationPolicySetDefinition.json | 30 --
 .../Compliant-BackupPolicySetDefinition.json | 33 ---
 .../Compliant-ComputePolicySetDefinition.json | 23 --
 ...-ContainerRegistryPolicySetDefinition.json | 23 --
 ...Compliant-CosmosDbPolicySetDefinition.json | 30 --
 ...pliant-DataFactoryPolicySetDefinition.json | 23 --
 ...ompliant-EventGridPolicySetDefinition.json | 46 ---
 ...Compliant-EventHubPolicySetDefinition.json | 23 --
 ...Compliant-KeyVaultPolicySetDefinition.json | 25 +-
 ...nt-MachineLearningPolicySetDefinition.json | 30 --
 .../Compliant-OpenAiPolicySetDefinition.json | 23 --
 ...mpliant-ServiceBusPolicySetDefinition.json | 23 --
 .../Compliant-StoragePolicySetDefinition.json | 276 -----------------
 .../Compliant-SynapsePolicySetDefinition.json | 23 --
 .../industryArmV2.json | 278 ++++----------------
 17 files changed, 61 insertions(+), 880 deletions(-)

diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
index e61cab0f..eeb3a2b9 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json
@@ -18,15 +18,16 @@
 },
 "cognitiveServicesPrivateDnsZone": {
 "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
- "cognitiveServicesPrivateDnsZoneId": {
- "type": "string",
+ "defaultValue": "Disabled",
 "allowedValues": [
 "DeployIfNotExists",
 "Disabled"
 ]
 },
+ "cognitiveServicesPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "userAssignedIdentityResourceId": {
 "type": "string"
 }
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
index 1b833412..198a0361 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
@@ -674,14 +674,6 @@
 "type": "string",
 "defaultValue": "DeployIfNotExists"
 },
- "appServiceAppsPrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
- "appServiceAppsPrivateDnsZoneId": {
- "type": "string",
- "defaultValue": ""
- },
 "appServiceAppsTls": {
 "type": "string",
 "defaultValue": "DeployIfNotExists"
@@ -812,21 +804,6 @@
 }
 }
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452",
- "policyDefinitionReferenceId": "Dine-AppService-Apps-Private-DNS-Zone",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('appServiceAppsPrivateDnsZone')]"
- },
- "privateDnsZoneId": {
- "value": "[[parameters('appServiceAppsPrivateDnsZoneId')]"
- }
- }
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b",
 "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging",
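Review bot: The assignment template keeps declaring `cognitiveServicesPrivateDnsZone` and `cognitiveServicesPrivateDnsZoneId` (now defaulting to `"Disabled"` and `""`) while the same commit removes the `Dine-Cognitive-Services-Private-Dns` reference and both parameters from Compliant-OpenAiPolicySetDefinition.json. If the assignment's `parameters` section, which lies outside this hunk, still forwards these two values to the policy set, the assignment will reference parameters the definition no longer declares, and Azure Policy rejects an assignment that supplies undeclared parameters; if they are no longer forwarded, they are dead template parameters that callers such as industryArmV2.json still populate. Either drop the two parameter declarations here as well, or keep them only if the forwarding is removed and add a comment such as `// kept for backward compatibility with callers; not forwarded to the policy set`. Every other policy set definition touched by this commit (AppServices, Automation, Backup, Compute, ContainerRegistry, CosmosDb, DataFactory, EventGrid, EventHub, KeyVault, MachineLearning, ServiceBus, Storage, Synapse) had its private DNS parameters removed, so the same check applies to each of their assignment templates.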
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json index 92677c5f..a7f5cb5e 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json @@ -153,18 +153,6 @@ "type": "string", "defaultValue": "Deny" }, - "aaPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "aaPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "aaPrivateEndpointGroupId": { - "type": "string", - "defaultValue": "DSCAndHybridWorker" - }, "aaPublicNetworkAccess": { "type": "string", "defaultValue": "Deny" @@ -244,24 +232,6 @@ "value": "[[parameters('aaPublicNetworkAccess')]" } } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", - "policyDefinitionReferenceId": "Dine-Aa-Private-Dns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('aaPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('aaPrivateDnsZoneId')]" - }, - "privateEndpointGroupId": { - "value": "[[parameters('aaPrivateEndpointGroupId')]" - } - } }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json index 3378f605..ec26653d 100644 
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json @@ -255,18 +255,6 @@ "type": "string", "defaultValue": "DeployIfNotExists" }, - "asrPrivateDnsZone-Backup": { - "type": "string", - "defaultValue": "" - }, - "asrPrivateDnsZone-Blob": { - "type": "string", - "defaultValue": "" - }, - "asrPrivateDnsZone-Queue": { - "type": "string", - "defaultValue": "" - }, "asrLogAnalyticsWorkspaceId": { "type": "string", "defaultValue": "" @@ -285,27 +273,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", - "policyDefinitionReferenceId": "Dine-Asr-Private-Dns-Zone", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('asrPrivateDnsZone')]" - }, - "privateDnsZone-Backup": { - "value": "[[parameters('asrPrivateDnsZone-Backup')]" - }, - "privateDnsZone-Blob": { - "value": "[[parameters('asrPrivateDnsZone-Blob')]" - }, - "privateDnsZone-Queue": { - "value": "[[parameters('asrPrivateDnsZone-Queue')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", "policyDefinitionReferenceId": "Deny-Asr-Public-Network-Access", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json index e8f5414c..5b0285ff 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json 
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json @@ -126,14 +126,6 @@ } ], "parameters": { - "diskPrivateDns": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "diskPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "diskDoubleEncryption": { "type": "string", "defaultValue": "Deny" @@ -199,21 +191,6 @@ "value": "[[parameters('diskDoubleEncryption')]" } } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", - "policyDefinitionReferenceId": "Dine-Disk-Private-DNS", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('diskPrivateDns')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('diskPrivateDnsZoneId')]" - } - } } ] } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json index d52d7158..bcdad327 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ContainerRegistryPolicySetDefinition.json @@ -122,14 +122,6 @@ "type": "string", "defaultValue": "Deny" }, - "containerRegistryPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "containerRegistryPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "containerRegistryPublicNetworkAccess": { "type": "string", "defaultValue": "Deny" 
@@ -194,21 +186,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", - "policyDefinitionReferenceId": "Dine-ContainerRegistry-Private-DNS-Zone", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('containerRegistryPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('containerRegistryPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json index 9387dbf7..75157525 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CosmosDbPolicySetDefinition.json @@ -252,18 +252,6 @@ "type": "string", "defaultValue": "Deny" }, - "cosmosDbPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "cosmosDbPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "cosmosDbPrivateEndpointGroupId": { - "type": "string", - "defaultValue": "" - }, "cosmosDbAtp": { "type": "string", "defaultValue": "DeployIfNotExists" 
@@ -337,24 +325,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", - "policyDefinitionReferenceId": "Dine-CosmosDb-Private-Dns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('cosmosDbPrivateDnsZone')]" - }, - "privateEndpointGroupId": { - "value": "[[parameters('cosmosDbPrivateEndpointGroupId')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('cosmosDbPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json index 1522a29d..092e9696 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-DataFactoryPolicySetDefinition.json @@ -266,14 +266,6 @@ "type": "string", "defaultValue": "Deny" }, - "adfPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "adfPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "adfManagedIdentity": { "type": "string", "defaultValue": "Deny" 
@@ -315,21 +307,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", - "policyDefinitionReferenceId": "Dine-Adf-Private-Dns-Zone", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('adfPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('adfPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", "policyDefinitionReferenceId": "Deny-Adf-Git", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json index b5fb004b..f0de5eb4 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventGridPolicySetDefinition.json @@ -112,22 +112,6 @@ "type": "string", "defaultValue": "Modify" }, - "eventGridDomainPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "eventGridDomainPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "eventGridTopicPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "eventGridTopicPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "eventGridDomainModifyPublicNetworkAccess": { "type": "string", "defaultValue": "Modify" 
@@ -252,36 +236,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", - "policyDefinitionReferenceId": "Dine-EventGrid-Topic-Private-DNS-Zone", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('eventGridTopicPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('eventGridTopicPrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", - "policyDefinitionReferenceId": "Dine-EventGrid-Domain-Private-DNS-Zone", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('eventGridDomainPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('eventGridDomainPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924", "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json index 2c8b300e..3632f24d 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-EventHubPolicySetDefinition.json 
@@ -136,14 +136,6 @@ "type": "string", "defaultValue": "Modify" }, - "eventHubNamespacesPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "eventHubNamespacesPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "eventHubNamespacesPublicNetworkAccess": { "type": "string", "defaultValue": "Deny" @@ -217,21 +209,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", - "policyDefinitionReferenceId": "Dine-EH-Private-DNS-Zone", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('eventHubNamespacesPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('eventHubNamespacesPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d", "policyDefinitionReferenceId": "Modify-EH-Local-Auth", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json index bbdd0383..4b51cb18 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-KeyVaultPolicySetDefinition.json @@ -111,14 +111,6 @@ "type": "string", "defaultValue": "" }, - "keyVaultPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "keyVaultPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, "keyVaultCertificatesPeriod": { "type": "string", "defaultValue": "Deny" 
@@ -490,22 +482,7 @@ "value": "[[parameters('keyVaultHmsPurgeProtection')]" } } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", - "policyDefinitionReferenceId": "DINE-KV-Dns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('keyVaultPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('keyVaultPrivateDnsZoneId')]" - } - } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951af2fa-529b-416e-ab6e-066fd85ac459", "policyDefinitionReferenceId": "DINE-KV-Logs", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json index 1ff691b8..4e8e8ba2 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-MachineLearningPolicySetDefinition.json @@ -135,18 +135,6 @@ "type": "string", "defaultValue": "Deny" }, - "mlPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "mlPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "mlSecondPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "mlModifyLocalAuth": { "type": "string", "defaultValue": "Modify" 
@@ -255,24 +243,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", - "policyDefinitionReferenceId": "Dine-ML-Private-DNS-Zone", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('mlPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('mlPrivateDnsZoneId')]" - }, - "secondPrivateDnsZoneId": { - "value": "[[parameters('mlSecondPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78", "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json index 502ca972..84bd90b3 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-OpenAiPolicySetDefinition.json @@ -210,14 +210,6 @@ "type": "string", "defaultValue": "Deny" }, - "cognitiveServicesPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "cognitiveServicesPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "cognitiveServicesManagedIdentity": { "type": "string", "defaultValue": "Deny" 
@@ -268,21 +260,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", - "policyDefinitionReferenceId": "Dine-Cognitive-Services-Private-Dns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('cognitiveServicesPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('cognitiveServicesPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json index 723975de..5cea59a6 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ServiceBusPolicySetDefinition.json @@ -140,14 +140,6 @@ "type": "string", "defaultValue": "Deny" }, - "serviceBusPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "serviceBusDinePrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, "serviceBusDenyCmk": { "type": "string", "defaultValue": "Deny" 
@@ -212,21 +204,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", - "policyDefinitionReferenceId": "DINE-Sb-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('serviceBusDinePrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('serviceBusPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b", "policyDefinitionReferenceId": "Deny-Sb-Encryption", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json index e6bc0495..33f42bbc 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json @@ -120,34 +120,10 @@ } ], "parameters": { - "storageTablePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageTablePrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageSecondaryTablePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryTablePrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, "storageKeysExipiration": { "type": "string", "defaultValue": "Deny" }, - "storageFileSyncPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageFileSyncPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, "modifyStorageFileSyncPublicEndpoint": { "type": "string", "defaultValue": "Modify" 
@@ -212,82 +188,10 @@ "type": "string", "defaultValue": "" }, - "storageFileDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageFileDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "storageAccountsCmk": { "type": "string", "defaultValue": "Deny" }, - "storageBlobPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageBlobPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageSecondaryBlobPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageSecondaryBlobPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageDfsPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageDfsPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryDfsPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageSecondaryDfsPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageQueuePrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageQueuePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryQueuePrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageSecondaryQueuePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageWebPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageWebPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryWebPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "storageSecondaryWebPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "storageQueueDiagnostics": { "type": "string", "defaultValue": "DeployIfNotExists" 
@@ -515,126 +419,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", - "policyDefinitionReferenceId": "Dine-Storage-Blob-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageBlobPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageBlobPrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", - "policyDefinitionReferenceId": "Dine-Storage-SecondaryBlob-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageSecondaryBlobPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageSecondaryBlobPrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", - "policyDefinitionReferenceId": "Dine-Storage-Dfs-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageDfsPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageDfsPrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", - "policyDefinitionReferenceId": "Dine-Storage-SecondaryDfs-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageSecondaryDfsPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageSecondaryDfsPrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", - "policyDefinitionReferenceId": "Dine-Storage-Queue-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": 
"[[parameters('storageQueuePrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageQueuePrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", - "policyDefinitionReferenceId": "Dine-Storage-SecondaryQueue-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageSecondaryQueuePrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageSecondaryQueuePrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", - "policyDefinitionReferenceId": "Dine-Storage-Web-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageWebPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageWebPrivateDnsZoneId')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", - "policyDefinitionReferenceId": "Dine-Storage-SecondaryWeb-PrivateDns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageSecondaryWebPrivateDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageSecondaryWebPrivateDnsZoneId')]" - } - } - }, { "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', 'Deny-Storage-Cmk')]", "policyDefinitionReferenceId": "Deny-Storage-Cmk", 
@@ -647,21 +431,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6", - "policyDefinitionReferenceId": "Dine-Storage-FileGroupId-Dns", - "groupNames": [ - "Network" - ], - "parameters": { - "effect": { - "value": "[[parameters('storageFileDnsZone')]" - }, - "privateDnsZoneId": { - "value": "[[parameters('storageFileDnsZoneId')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef", "policyDefinitionReferenceId": "Dine-Storage-Accounts-Diagnostics", @@ -827,36 +596,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", - "policyDefinitionReferenceId": "Dine-Table-Storage-Private-Dns", - "groupNames": [ - "Network" - ], - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('storageTablePrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('storageTablePrivateDnsZone')]" - } - } - }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", - "policyDefinitionReferenceId": "Dine-SecondaryTable-Storage-Private-Dns", - "groupNames": [ - "Network" - ], - "parameters": { - "privateDnsZoneId": { - "value": "[[parameters('storageSecondaryTablePrivateDnsZoneId')]" - }, - "effect": { - "value": "[[parameters('storageSecondaryTablePrivateDnsZone')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", 
@@ -868,21 +607,6 @@
 "value": "[[parameters('storageKeysExipiration')]"
 }
 }
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475",
- "policyDefinitionReferenceId": "Dine-Storage-File-Sync-Private-Dns",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "privateDnsZoneId": {
- "value": "[[parameters('storageFileSyncPrivateDnsZoneId')]"
- },
- "effect": {
- "value": "[[parameters('storageFileSyncPrivateDnsZone')]"
- }
- }
 }
 ]
 }
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json
index b9189dfe..617d02c6 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json
@@ -124,14 +124,6 @@
 }
 ],
 "parameters": {
- "synapsePrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
- "synapsePrivateDnsZoneId": {
- "type": "string",
- "defaultValue": ""
- },
 "synapseLocalAuth": {
 "type": "string",
 "defaultValue": "Deny"
@@ -359,21 +351,6 @@
 "value": "[[parameters('synapseLocalAuth')]"
 }
 }
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
- "policyDefinitionReferenceId": "Dine-Synapse-Private-Dns-Zone",
- "groupNames": [
- "Network"
- ],
- "parameters": {
- "effect": {
- "value": "[[parameters('synapsePrivateDnsZone')]"
- },
- "privateDnsZoneId": {
- "value": "[[parameters('synapsePrivateDnsZoneId')]"
- }
- }
 }
 ]
 }
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index f0728896..5e21b8e1 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -3257,12 +3257,6 @@
 },
 "functionLogAnalyticsWorkspaceId": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
- },
- "appServiceAppsPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "appServiceAppsPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureAppServicesPrivateDnsZoneId, '')]"
 },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
@@ -3294,12 +3288,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "aaPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "aaPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureAutomationPrivateDnsZoneId, '')]"
- },
 "aaDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -3336,18 +3324,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "asrPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "asrPrivateDnsZone-Backup": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupPrivateDnsZoneId, '')]"
- },
- "asrPrivateDnsZone-Blob": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupBlobPrivateDnsZoneId, '')]"
- },
- "asrPrivateDnsZone-Queue": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupQueuePrivateDnsZoneId, '')]"
- },
 "asrLogAnalyticsWorkspaceId": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
 },
@@ -3381,12 +3357,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "diskPrivateDns": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "diskPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureManagedDiskPrivateDnsZoneId, '')]"
- },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
 }
@@ -3477,12 +3447,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "containerRegistryPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "containerRegistryPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureContainerRegistryPrivateDnsZoneId, '')]"
- },
 "containerRegistryDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -3519,15 +3483,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "cosmosDbPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "cosmosDbPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCosmosSqlPrivateDnsZoneId, '')]"
- },
- "cosmosDbPrivateEndpointGroupId": {
- "value": "Sql"
- },
 "cosmosDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -3600,12 +3555,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "adfPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "adfPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureDataFactoryPrivateDnsZoneId, '')]"
- },
 "adfDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -3642,12 +3591,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "keyVaultPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "keyVaultPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]"
- },
 "keyVaultDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -3690,18 +3633,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "eventGridDomainPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "eventGridDomainPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
- },
- "eventGridTopicPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "eventGridTopicPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
- },
 "eventGridPartnerDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -3750,12 +3681,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "eventHubNamespacesPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "eventHubNamespacesPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]"
- },
 "eventHubDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -3840,15 +3765,6 @@
 "mlLogAnalyticsWorkspaceId": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
 },
- "mlPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "mlPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]"
- },
- "mlSecondPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]"
- },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
 }
@@ -3981,12 +3897,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "cognitiveServicesPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "cognitiveServicesPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCognitiveServicesPrivateDnsZoneId, '')]"
- },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
 }
@@ -4052,12 +3962,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "serviceBusDinePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "serviceBusPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]"
- },
 "ServiceBusLogAnalyticsEffect": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -4143,24 +4047,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "storageTablePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageTablePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageTablePrivateDnsZoneId, '')]"
- },
- "storageSecondaryTablePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageSecondaryTablePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageTablePrivateDnsZoneId, '')]"
- },
- "storageFileSyncPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageFileSyncPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFileSyncPrivateDnsZoneId, '')]"
- },
 "storageFileSyncDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -4179,60 +4065,6 @@
 "storageAccountsLogAnalyticsWorkspaceId": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]"
 },
- "storageFileDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageFileDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFilePrivateDnsZoneId, '')]"
- },
- "storageBlobPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageBlobPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageBlobPrivateDnsZoneId, '')]"
- },
- "storageSecondaryBlobPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageSecondaryBlobPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageBlobPrivateDnsZoneId, '')]"
- },
- "storageDfsPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageDfsPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageDfsPrivateDnsZoneId, '')]"
- },
- "storageSecondaryDfsPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageSecondaryDfsPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageDfsPrivateDnsZoneId, '')]"
- },
- "storageQueuePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 
'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageQueuePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageQueuePrivateDnsZoneId, '')]"
- },
- "storageSecondaryQueuePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageSecondaryQueuePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageQueuePrivateDnsZoneId, '')]"
- },
- "storageWebPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageWebPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageWebPrivateDnsZoneId, '')]"
- },
- "storageSecondaryWebPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "storageSecondaryWebPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageWebPrivateDnsZoneId, '')]"
- },
 "storageQueueDiagnostics": {
 "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -4276,172 +4108,172 @@
 "value": "[parameters('industryPrefix')]"
 },
 "storageTablePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageTablePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageTablePrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageTablePrivateDnsZoneId, '')]"
 },
 "storageSecondaryTablePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageSecondaryTablePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageTablePrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageTablePrivateDnsZoneId, '')]"
 },
 "storageFileSyncPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageFileSyncPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFileSyncPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageFileSyncPrivateDnsZoneId, '')]"
 },
 "storageFileDnsZone": {
- 
"value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageFileDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageFilePrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageFilePrivateDnsZoneId, '')]"
 },
 "storageBlobPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageBlobPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageBlobPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageBlobPrivateDnsZoneId, '')]"
 },
 "storageSecondaryBlobPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageSecondaryBlobPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageBlobPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageBlobPrivateDnsZoneId, '')]"
 },
 "storageDfsPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": 
"[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageDfsPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageDfsPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageDfsPrivateDnsZoneId, '')]"
 },
 "storageSecondaryDfsPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageSecondaryDfsPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageDfsPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageDfsPrivateDnsZoneId, '')]"
 },
 "storageQueuePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageQueuePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageQueuePrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageQueuePrivateDnsZoneId, '')]"
 },
 "storageSecondaryQueuePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageSecondaryQueuePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageQueuePrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageQueuePrivateDnsZoneId, '')]"
 },
 "storageWebPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageWebPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureStorageWebPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureStorageWebPrivateDnsZoneId, '')]"
 },
 "storageSecondaryWebPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
 "storageSecondaryWebPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageWebPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), variables('privateDnsPolicyParameterMapping').azureSecondaryStorageWebPrivateDnsZoneId, '')]"
 },
 "appServiceAppsPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'AppService'), 'DeployIfNotExists', 'Disabled')]"
 },
 "appServiceAppsPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 
variables('privateDnsPolicyParameterMapping').azureAppServicesPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'AppService'), variables('privateDnsPolicyParameterMapping').azureAppServicesPrivateDnsZoneId, '')]"
 },
 "aaPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Automation'), 'DeployIfNotExists', 'Disabled')]"
 },
 "aaPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureAutomationPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Automation'), variables('privateDnsPolicyParameterMapping').azureAutomationPrivateDnsZoneId, '')]"
 },
 "asrPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Backup'), 'DeployIfNotExists', 'Disabled')]"
 },
 "asrPrivateDnsZone-Backup": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Backup'), variables('privateDnsPolicyParameterMapping').azureBackupPrivateDnsZoneId, '')]"
 },
 "asrPrivateDnsZone-Blob": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupBlobPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Backup'), variables('privateDnsPolicyParameterMapping').azureBackupBlobPrivateDnsZoneId, '')]"
 },
 "asrPrivateDnsZone-Queue": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureBackupQueuePrivateDnsZoneId, '')]"
+ "value": 
"[if(contains(parameters('compliantAzureServices'), 'Backup'), variables('privateDnsPolicyParameterMapping').azureBackupQueuePrivateDnsZoneId, '')]"
 },
 "diskPrivateDns": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Compute'), 'DeployIfNotExists', 'Disabled')]"
 },
 "diskPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureManagedDiskPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Compute'), variables('privateDnsPolicyParameterMapping').azureManagedDiskPrivateDnsZoneId, '')]"
 },
 "containerRegistryPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ContainerRegistry'), 'DeployIfNotExists', 'Disabled')]"
 },
 "containerRegistryPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureContainerRegistryPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ContainerRegistry'), variables('privateDnsPolicyParameterMapping').azureContainerRegistryPrivateDnsZoneId, '')]"
 },
 "cosmosDbPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'CosmosDb'), 'DeployIfNotExists', 'Disabled')]"
 },
 "cosmosDbPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCosmosSqlPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'CosmosDb'), variables('privateDnsPolicyParameterMapping').azureCosmosSqlPrivateDnsZoneId, '')]"
 },
 "cosmosDbPrivateEndpointGroupId": {
 "value": "Sql"
 },
 "adfPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DataFactory'), 'DeployIfNotExists', 'Disabled')]"
 },
 "adfPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureDataFactoryPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DataFactory'), variables('privateDnsPolicyParameterMapping').azureDataFactoryPrivateDnsZoneId, '')]"
 },
 "keyVaultPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'KeyVault'), 'DeployIfNotExists', 'Disabled')]"
 },
 "keyVaultPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'KeyVault'), variables('privateDnsPolicyParameterMapping').azureKeyVaultPrivateDnsZoneId, '')]"
 },
 "eventGridDomainPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventGrid'), 'DeployIfNotExists', 'Disabled')]"
 },
 "eventGridDomainPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventGrid'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
 },
 "eventGridTopicPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": 
"[if(contains(parameters('compliantAzureServices'), 'EventGrid'), 'DeployIfNotExists', 'Disabled')]"
 },
 "eventGridTopicPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventGrid'), variables('privateDnsPolicyParameterMapping').azureEventGridPrivateDnsZoneId, '')]"
 },
 "eventHubNamespacesPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventHub'), 'DeployIfNotExists', 'Disabled')]"
 },
 "eventHubNamespacesPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'EventHub'), variables('privateDnsPolicyParameterMapping').azureEventHubNamespacePrivateDnsZoneId, '')]"
 },
 "mlPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'MachineLearning'), 'DeployIfNotExists', 'Disabled')]"
 },
 "mlPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'MachineLearning'), variables('privateDnsPolicyParameterMapping').azureMlPrivateDnsZoneId, '')]"
 },
 "mlSecondPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'MachineLearning'), 
variables('privateDnsPolicyParameterMapping').azureMlSecondaryPrivateDnsZoneId, '')]"
 },
 "cognitiveServicesPrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'OpenAi'), 'DeployIfNotExists', 'Disabled')]"
 },
 "cognitiveServicesPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureCognitiveServicesPrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'OpenAi'), variables('privateDnsPolicyParameterMapping').azureCognitiveServicesPrivateDnsZoneId, '')]"
 },
 "serviceBusDinePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ServiceBus'), 'DeployIfNotExists', 'Disabled')]"
 },
 "serviceBusPrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]"
+ "value": "[if(contains(parameters('compliantAzureServices'), 'ServiceBus'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]"
 },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
From 653f265198057ccca3dfafb9e545304f43df88d9 Mon Sep 17 00:00:00 2001
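Review bot: The replacement conditions throughout this hunk drop the `enablePrivateDnsZones` gate entirely: every `*PrivateDnsZone` effect now becomes `DeployIfNotExists` whenever the service name appears in `compliantAzureServices`, and the paired `*PrivateDnsZoneId` is read from `variables('privateDnsPolicyParameterMapping')` regardless of whether the private DNS zones were deployed. If that mapping yields zone resource IDs that do not exist when private DNS zones are disabled, the DINE assignments will point at missing zones, which typically only surfaces later as remediation failures rather than at template deployment. Consider keeping both conditions, e.g. `"value": "[if(and(equals(parameters('enablePrivateDnsZones'), 'Yes'), contains(parameters('compliantAzureServices'), 'StorageAccount')), 'DeployIfNotExists', 'Disabled')]"` for each pair, or document in the template that listing a service in `compliantAzureServices` now implies the private DNS zones for it exist. The same pattern applies to every service in the hunk, including the `cognitiveServices*` entries keyed on `'OpenAi'`.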
From: Kristian Nese Date: Wed, 1 Mar 2023 22:20:21 +0100 Subject: [PATCH 52/56] compliant corp lz and modification to each vertical --- .../Compliant-AppServicePolicyAssignment.json | 18 -- .../Compliant-AutomationPolicyAssignment.json | 20 -- .../Compliant-BackupPolicyAssignment.json | 28 --- .../Compliant-ComputePolicyAssignment.json | 21 +- ...ant-ContainerRegistryPolicyAssignment.json | 18 -- .../Compliant-CosmosDbPolicyAssignment.json | 25 -- ...Compliant-DataFactoryPolicyAssignment.json | 22 -- .../Compliant-EventGridPolicyAssignment.json | 36 --- .../Compliant-EventHubPolicyAssignment.json | 18 -- .../Compliant-KeyVaultPolicyAssignment.json | 20 -- ...liant-MachineLearningPolicyAssignment.json | 24 -- .../Compliant-OpenAiPolicyAssignment.json | 21 +- .../Compliant-ServiceBusPolicyAssignment.json | 18 -- .../Compliant-StoragePolicyAssignment.json | 216 ------------------ .../Compliant-SynapsePolicyAssignment.json | 14 -- ...mpliant-AutomationPolicySetDefinition.json | 81 ++++--- .../Compliant-BackupPolicySetDefinition.json | 4 - .../industryArmV2.json | 12 +- 18 files changed, 48 insertions(+), 568 deletions(-)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
index 2eae91e3..2a471dc4 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AppServicePolicyAssignment.json
@@ -16,18 +16,6 @@ ], "defaultValue": "Default" }, - "appServiceAppsPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "appServiceAppsPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "functionDiagnostics": { "type": "string", "defaultValue": "Disabled", @@ -84,12 +72,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantAppService]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "appServiceAppsPrivateDnsZone": { - "value": "[parameters('appServiceAppsPrivateDnsZone')]" - }, - "appServiceAppsPrivateDnsZoneId": { - "value": "[parameters('appServiceAppsPrivateDnsZoneId')]" - }, "functionDiagnostics": { "value": "[parameters('functionDiagnostics')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json index a6a89189..9abdecb6 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-AutomationPolicyAssignment.json @@ -22,12 +22,6 @@ "description": "Provide the Log Analytics Workspace ID for Key Vault" } }, - "aaPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Provide the Private DNS Zone ID for Key Vault" - } - }, "aaDiagnostics": { "type": "string", "defaultValue": "Disabled", @@ -36,14 +30,6 @@ "Disabled" ] }, - "aaPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, "userAssignedIdentityResourceId": { "type": "string" } 
@@ -79,12 +65,6 @@ "aaLogAnalyticsWorkspaceId": { "value": "[parameters('aaLogAnalyticsWorkspaceId')]" }, - "aaPrivateDnsZoneId": { - "value": "[parameters('aaPrivateDnsZoneId')]" - }, - "aaPrivateDnsZone": { - "value": "[parameters('aaPrivateDnsZone')]" - }, "aaDiagnostics": { "value": "[parameters('aaDiagnostics')]" } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json index 5b69178c..4f3daa13 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-BackupPolicyAssignment.json @@ -16,22 +16,6 @@ ], "defaultValue": "Default" }, - "asrPrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "asrPrivateDnsZone-Backup": { - "type": "string", - "defaultValue": "" - }, - "asrPrivateDnsZone-Blob": { - "type": "string", - "defaultValue": "" - }, - "asrPrivateDnsZone-Queue": { - "type": "string", - "defaultValue": "" - }, "asrLogAnalyticsWorkspaceId": { "type": "string", "defaultValue": "" @@ -70,18 +54,6 @@ "parameters": { "asrLogAnalyticsWorkspaceId": { "value": "[parameters('asrLogAnalyticsWorkspaceId')]" - }, - "asrPrivateDnsZone": { - "value": "[parameters('asrPrivateDnsZone')]" - }, - "asrPrivateDnsZone-Backup": { - "value": "[parameters('asrPrivateDnsZone-Backup')]" - }, - "asrPrivateDnsZone-Blob": { - "value": "[parameters('asrPrivateDnsZone-Blob')]" - }, - "asrPrivateDnsZone-Queue": { - "value": "[parameters('asrPrivateDnsZone-Queue')]" } } } 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json index a2af4a06..0c7c897f 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ComputePolicyAssignment.json @@ -16,18 +16,6 @@ ], "defaultValue": "Default" }, - "diskPrivateDns": { - "type": "string", - "metadata": { - "description": "Select if policy should be enforced or not" - } - }, - "diskPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Provide the Private DNS Zone ID for disk" - } - }, "userAssignedIdentityResourceId": { "type": "string" } @@ -59,14 +47,7 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').compute]", "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "diskPrivateDns": { - "value": "[parameters('diskPrivateDns')]" - }, - "diskPrivateDnsZoneId": { - "value": "[parameters('diskPrivateDnsZoneId')]" - } - } + "parameters": {} } } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json index 2d0cc8d9..370053c9 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ContainerRegistryPolicyAssignment.json 
@@ -16,18 +16,6 @@ ], "defaultValue": "Default" }, - "containerRegistryPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "containerRegistryPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "containerRegistryDiagnostics": { "type": "string", "defaultValue": "Disabled", @@ -72,12 +60,6 @@ "policyDefinitionId": "[variables('policyDefinitions').conRegistry]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "containerRegistryPrivateDnsZone": { - "value": "[parameters('containerRegistryPrivateDnsZone')]" - }, - "containerRegistryPrivateDnsZoneId": { - "value": "[parameters('containerRegistryPrivateDnsZoneId')]" - }, "containerRegistryDiagnostics": { "value": "[parameters('containerRegistryDiagnostics')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json index f7b876b9..7dabafb0 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CosmosDbPolicyAssignment.json @@ -16,22 +16,6 @@ ], "defaultValue": "Default" }, - "cosmosDbPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "cosmosDbPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "cosmosDbPrivateEndpointGroupId": { - "type": "string", - "defaultValue": "" - }, "cosmosDiagnostics": { "type": "string", "defaultValue": "Disabled", 
@@ -76,15 +60,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantCosmos]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "cosmosDbPrivateDnsZone": { - "value": "[parameters('cosmosDbPrivateDnsZone')]" - }, - "cosmosDbPrivateDnsZoneId": { - "value": "[parameters('cosmosDbPrivateDnsZoneId')]" - }, - "cosmosDbPrivateEndpointGroupId": { - "value": "[parameters('cosmosDbPrivateEndpointGroupId')]" - }, "cosmosDiagnostics": { "value": "[parameters('cosmosDiagnostics')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json index 24480261..6dd90947 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-DataFactoryPolicyAssignment.json @@ -16,22 +16,6 @@ ], "defaultValue": "Default" }, - "adfPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "adfPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "adfManagedIdentity": { - "type": "string", - "defaultValue": "Deny" - }, "adfDiagnostics": { "type": "string", "defaultValue": "Disabled", @@ -76,12 +60,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantAdf]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "adfPrivateDnsZone": { - "value": "[parameters('adfPrivateDnsZone')]" - }, - "adfPrivateDnsZoneId": { - "value": "[parameters('adfPrivateDnsZoneId')]" - }, "adfDiagnostics": { "value": "[parameters('adfDiagnostics')]" }, 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json index ef564bfe..12581e69 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventGridPolicyAssignment.json @@ -16,30 +16,6 @@ ], "defaultValue": "Default" }, - "eventGridDomainPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "eventGridDomainPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "eventGridTopicPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "eventGridTopicPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "eventGridPartnerDiagnostics": { "type": "string", "allowedValues": [ @@ -105,18 +81,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantEg]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "eventGridDomainPrivateDnsZone": { - "value": "[parameters('eventGridDomainPrivateDnsZone')]" - }, - "eventGridDomainPrivateDnsZoneId": { - "value": "[parameters('eventGridDomainPrivateDnsZoneId')]" - }, - "eventGridTopicPrivateDnsZone": { - "value": "[parameters('eventGridTopicPrivateDnsZone')]" - }, - "eventGridTopicPrivateDnsZoneId": { - "value": "[parameters('eventGridTopicPrivateDnsZoneId')]" - }, "eventGridPartnerDiagnostics": { "value": "[parameters('eventGridPartnerDiagnostics')]" }, 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json index 539e74ff..13cbd8d4 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-EventHubPolicyAssignment.json @@ -16,18 +16,6 @@ ], "defaultValue": "Default" }, - "eventHubNamespacesPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "eventHubNamespacesPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "eventHubDiagnostics": { "type": "string", "defaultValue": "Disabled", @@ -72,12 +60,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantEh]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "eventHubNamespacesPrivateDnsZone": { - "value": "[parameters('eventHubNamespacesPrivateDnsZone')]" - }, - "eventHubNamespacesPrivateDnsZoneId": { - "value": "[parameters('eventHubNamespacesPrivateDnsZoneId')]" - }, "eventHubDiagnostics": { "value": "[parameters('eventHubDiagnostics')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json index da76fecf..edd6fe08 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-KeyVaultPolicyAssignment.json 
@@ -22,12 +22,6 @@ "description": "Provide the Log Analytics Workspace ID for Key Vault" } }, - "keyVaultPrivateDnsZoneId": { - "type": "string", - "metadata": { - "description": "Provide the Private DNS Zone ID for Key Vault" - } - }, "keyVaultDiagnostics": { "type": "string", "defaultValue": "Disabled", @@ -36,14 +30,6 @@ "Disabled" ] }, - "keyVaultPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, "hsmDiagnostics": { "type": "string", "allowedValues": [ @@ -90,12 +76,6 @@ "keyVaultLogAnalyticsWorkspaceId": { "value": "[parameters('keyVaultLogAnalyticsWorkspaceId')]" }, - "keyVaultPrivateDnsZoneId": { - "value": "[parameters('keyVaultPrivateDnsZoneId')]" - }, - "keyVaultPrivateDnsZone": { - "value": "[parameters('keyVaultPrivateDnsZone')]" - }, "keyVaultDiagnostics": { "value": "[parameters('keyVaultDiagnostics')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json index 4140a758..ed3e0c31 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-MachineLearningPolicyAssignment.json @@ -27,21 +27,6 @@ "type": "string", "defaultValue": "" }, - "mlPrivateDnsZone": { - "type": "string", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "mlPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "mlSecondPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "userAssignedIdentityResourceId": { "type": "string" } 
@@ -79,15 +64,6 @@ }, "mlLogAnalyticsWorkspaceId": { "value": "[parameters('mlLogAnalyticsWorkspaceId')]" - }, - "mlPrivateDnsZone": { - "value": "[parameters('mlPrivateDnsZone')]" - }, - "mlPrivateDnsZoneId": { - "value": "[parameters('mlPrivateDnsZoneId')]" - }, - "mlSecondPrivateDnsZoneId": { - "value": "[parameters('mlSecondPrivateDnsZoneId')]" } } } diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json index eeb3a2b9..bf3b460c 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-OpenAiPolicyAssignment.json @@ -16,18 +16,6 @@ ], "defaultValue": "Default" }, - "cognitiveServicesPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "cognitiveServicesPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "userAssignedIdentityResourceId": { "type": "string" } @@ -59,14 +47,7 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').compliantOpenAi]", "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "cognitiveServicesPrivateDnsZone": { - "value": "[parameters('cognitiveServicesPrivateDnsZone')]" - }, - "cognitiveServicesPrivateDnsZoneId": { - "value": "[parameters('cognitiveServicesPrivateDnsZoneId')]" - } - } + "parameters": {} } } ], 
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json index 644d15ad..b2610d00 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-ServiceBusPolicyAssignment.json @@ -28,18 +28,6 @@ "type": "String", "defaultValue": "" }, - "serviceBusDinePrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "serviceBusPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "userAssignedIdentityResourceId": { "type": "string" } @@ -72,12 +60,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantSb]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "serviceBusDinePrivateDnsZone": { - "value": "[parameters('serviceBusDinePrivateDnsZone')]" - }, - "serviceBusPrivateDnsZoneId": { - "value": "[parameters('serviceBusPrivateDnsZoneId')]" - }, "ServiceBusLogAnalyticsEffect": { "value": "[parameters('ServiceBusLogAnalyticsEffect')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json index 4fcbcd15..9588dca3 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json 
@@ -16,42 +16,6 @@ ], "defaultValue": "Default" }, - "storageTablePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageTablePrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageSecondaryTablePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryTablePrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageFileSyncPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageFileSyncPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, "storageFileSyncDiagnostics": { "type": "string", "defaultValue": "Disabled", 
@@ -84,114 +48,6 @@ "type": "string", "defaultValue": "" }, - "storageFileDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageFileDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageBlobPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageBlobPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageSecondaryBlobPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageSecondaryBlobPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageDfsPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageDfsPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryDfsPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageSecondaryDfsPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageQueuePrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageQueuePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryQueuePrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageSecondaryQueuePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageWebPrivateDnsZone": { - "type": "string", - "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageWebPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, - "storageSecondaryWebPrivateDnsZone": { - "type": "string", 
- "defaultValue": "Disabled", - "allowedValues": [ - "Disabled", - "DeployIfNotExists" - ] - }, - "storageSecondaryWebPrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "storageQueueDiagnostics": { "type": "string", "defaultValue": "Disabled", @@ -244,24 +100,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantStorage]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "storageTablePrivateDnsZone": { - "value": "[parameters('storageTablePrivateDnsZone')]" - }, - "storageTablePrivateDnsZoneId": { - "value": "[parameters('storageTablePrivateDnsZoneId')]" - }, - "storageSecondaryTablePrivateDnsZone": { - "value": "[parameters('storageSecondaryTablePrivateDnsZone')]" - }, - "storageSecondaryTablePrivateDnsZoneId": { - "value": "[parameters('storageSecondaryTablePrivateDnsZoneId')]" - }, - "storageFileSyncPrivateDnsZone": { - "value": "[parameters('storageFileSyncPrivateDnsZone')]" - }, - "storageFileSyncPrivateDnsZoneId": { - "value": "[parameters('storageFileSyncPrivateDnsZoneId')]" - }, "storageFileSyncDiagnostics": { "value": "[parameters('storageFileSyncDiagnostics')]" }, 
@@ -280,60 +118,6 @@ "storageAccountsLogAnalyticsWorkspaceId": { "value": "[parameters('storageAccountsLogAnalyticsWorkspaceId')]" }, - "storageFileDnsZone": { - "value": "[parameters('storageFileDnsZone')]" - }, - "storageFileDnsZoneId": { - "value": "[parameters('storageFileDnsZoneId')]" - }, - "storageBlobPrivateDnsZone": { - "value": "[parameters('storageBlobPrivateDnsZone')]" - }, - "storageBlobPrivateDnsZoneId": { - "value": "[parameters('storageBlobPrivateDnsZoneId')]" - }, - "storageSecondaryBlobPrivateDnsZone": { - "value": "[parameters('storageSecondaryBlobPrivateDnsZone')]" - }, - "storageSecondaryBlobPrivateDnsZoneId": { - "value": "[parameters('storageSecondaryBlobPrivateDnsZoneId')]" - }, - "storageDfsPrivateDnsZone": { - "value": "[parameters('storageDfsPrivateDnsZone')]" - }, - "storageDfsPrivateDnsZoneId": { - "value": "[parameters('storageDfsPrivateDnsZoneId')]" - }, - "storageSecondaryDfsPrivateDnsZone": { - "value": "[parameters('storageSecondaryDfsPrivateDnsZone')]" - }, - "storageSecondaryDfsPrivateDnsZoneId": { - "value": "[parameters('storageSecondaryDfsPrivateDnsZoneId')]" - }, - "storageQueuePrivateDnsZone": { - "value": "[parameters('storageQueuePrivateDnsZone')]" - }, - "storageQueuePrivateDnsZoneId": { - "value": "[parameters('storageQueuePrivateDnsZoneId')]" - }, - "storageSecondaryQueuePrivateDnsZone": { - "value": "[parameters('storageSecondaryQueuePrivateDnsZone')]" - }, - "storageSecondaryQueuePrivateDnsZoneId": { - "value": "[parameters('storageSecondaryQueuePrivateDnsZoneId')]" - }, - "storageWebPrivateDnsZone": { - "value": "[parameters('storageWebPrivateDnsZone')]" - }, - "storageWebPrivateDnsZoneId": { - "value": "[parameters('storageWebPrivateDnsZoneId')]" - }, - "storageSecondaryWebPrivateDnsZone": { - "value": "[parameters('storageSecondaryWebPrivateDnsZone')]" - }, - "storageSecondaryWebPrivateDnsZoneId": { - "value": "[parameters('storageSecondaryWebPrivateDnsZoneId')]" - }, "storageQueueDiagnostics": { "value": 
"[parameters('storageQueueDiagnostics')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json index baae943f..0bcbfb6f 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json @@ -16,14 +16,6 @@ ], "defaultValue": "Default" }, - "synapsePrivateDnsZone": { - "type": "string", - "defaultValue": "DeployIfNotExists" - }, - "synapsePrivateDnsZoneId": { - "type": "string", - "defaultValue": "" - }, "synapseDefender": { "type": "string", "defaultValue": "DeployIfNotExists" @@ -68,12 +60,6 @@ "policyDefinitionId": "[variables('policyDefinitions').compliantSynapse]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { - "synapsePrivateDnsZone": { - "value": "[parameters('synapsePrivateDnsZone')]" - }, - "synapsePrivateDnsZoneId": { - "value": "[parameters('synapsePrivateDnsZoneId')]" - }, "synapseDefender": { "value": "[parameters('synapseDefender')]" }, diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json index a7f5cb5e..cab1f26a 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AutomationPolicySetDefinition.json 
@@ -9,57 +9,56 @@ }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ { - "properties": { + "properties": { "displayName": "Automation Account should have Managed Identity", "mode": "Indexed", "description": "Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code .", "metadata": { - "version": "1.0.0", - "category": "Automation" + "version": "1.0.0", + "category": "Automation" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Automation/automationAccounts" - }, - { - "anyOf": [ - { - "field": "identity.type", - "exists": "false" - }, - { - "field": "identity.type", - "contains": "None" - } + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + { + "anyOf": [ + { + "field": "identity.type", + "exists": "false" + }, + { + "field": "identity.type", + "contains": "None" + } + ] + } ] + }, + "then": { + "effect": "[[parameters('effect')]" } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } } }, "name": "Deny-AA-Managed-Identity" 
@@ -208,8 +207,8 @@
 "value": "[[parameters('autoHotPatch')]"
 }
 }
- },
- {
+ },
+ {
 "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
 "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity",
 "groupNames": [
@@ -220,7 +219,7 @@
 "value": "[[parameters('aaManagedIdentity')]"
 }
 }
- },
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6",
 "policyDefinitionReferenceId": "Deny-Aa-Public-Network-Access",
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
index ec26653d..755717a6 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-BackupPolicySetDefinition.json
@@ -251,10 +251,6 @@
 "type": "string",
 "defaultValue": "Deny"
 },
- "asrPrivateDnsZone": {
- "type": "string",
- "defaultValue": "DeployIfNotExists"
- },
 "asrLogAnalyticsWorkspaceId": {
 "type": "string",
 "defaultValue": ""
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 5e21b8e1..538d3ecd 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -4275,6 +4275,12 @@
 "serviceBusPrivateDnsZoneId": {
 "value": "[if(contains(parameters('compliantAzureServices'), 'ServiceBus'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]"
 },
+ "synapsePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Synapse'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "synapsePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'Synapse'), variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId, '')]"
+ },
 "userAssignedIdentityResourceId": {
 "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]"
 }
@@ -4305,12 +4311,6 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
- "synapsePrivateDnsZone": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
- },
- "synapsePrivateDnsZoneId": {
- "value": "[if(equals(parameters('enablePrivateDnsZones'), 'Yes'), variables('privateDnsPolicyParameterMapping').azureSynapsePrivateDnsZoneId, '')]"
- },
 "synapseDefender": {
 "value": "[if(equals(parameters('enableAscForSynapse'), 'Yes'), 'DeployIfNotExists', 'Disabled')]"
 },
From 5d1024c280ccfad91d2e26c59812096d46603575 Mon Sep 17 00:00:00 2001
From: Marvin Buss
Date: Thu, 2 Mar 2023 09:42:33 +0100
Subject: [PATCH 53/56] Add SQL Dine DNS Policy
---
 .../Compliant-CorpLzPolicyAssignment.json | 14 ++
 .../Compliant-CorpLzPolicySetDefinition.json | 151 +++++++++++++++++-
 2 files changed, 164 insertions(+), 1 deletion(-)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
index 3f70ab0c..005488aa 100644
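Review bot: `synapsePrivateDnsZoneId` in the added block is wired to `variables('privateDnsPolicyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId`, the Service Bus zone copied from the `serviceBusPrivateDnsZoneId` entry directly above it, whereas the lines removed in the second hunk used `azureSynapsePrivateDnsZoneId`. With this value the Synapse DINE policy registers private endpoint records in the Service Bus private DNS zone, so Synapse private endpoints do not resolve privately and the control the initiative exists to enforce is silently defeated. Change the value to `"value": "[if(contains(parameters('compliantAzureServices'), 'Synapse'), variables('privateDnsPolicyParameterMapping').azureSynapsePrivateDnsZoneId, '')]"`.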
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json
@@ -249,6 +249,14 @@
 "type": "string",
 "defaultValue": ""
 },
+ "sqlPrivateDnsZone": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "sqlPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
+ },
 "userAssignedIdentityResourceId": {
 "type": "string",
 "defaultValue": ""
@@ -455,6 +463,12 @@
 },
 "synapsePrivateDnsZoneId": {
 "value": "[parameters('synapsePrivateDnsZoneId')]"
+ },
+ "sqlPrivateDnsZone": {
+ "value": "[parameters('sqlPrivateDnsZone')]"
+ },
+ "sqlPrivateDnsZoneId": {
+ "value": "[parameters('sqlPrivateDnsZoneId')]"
 }
 }
 }
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
index 08728bb7..bd7b0ad1 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
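Review bot: `sqlPrivateDnsZone` defaults to `DeployIfNotExists` while `sqlPrivateDnsZoneId` defaults to `""`, so deploying this assignment with its defaults enables a DINE whose remediation template is handed an empty private DNS zone id and is likely to fail on every SQL private endpoint it evaluates. Either default the effect to `Disabled` so the pair has to be switched on deliberately, or derive it the way industryArmV2.json gates the Synapse parameters on `compliantAzureServices`. The same paired-default pattern recurs for the AVD parameters added to this file in the `@@ -249,6 +249,30 @@` hunk of PATCH 56 and for the diagnostics parameters in the new Compliant-VirtualDesktopPolicyAssignment.json.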
@@ -10,7 +10,133 @@ "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", "policies": { - "policyDefinitions": [] + "policyDefinitions": [ + { + "properties": { + "displayName": "Configure a private DNS Zone ID for sqlServer groupID", + "mode": "Indexed", + "description": "Configure private DNS zone group to override the DNS resolution for a sqlServer groupID private endpoint.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Configure a private DNS Zone ID for sqlServer groupID", + "description": "Configure private DNS zone group to override the DNS resolution for a sqlServer groupID private endpoint.", + "strongType": "Microsoft.Network/privateDnsZones", + "assignPermissions": true + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", + "contains": "Microsoft.Sql/servers" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "sqlServer" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "existenceCondition": { + "allOf": [ 
+ { + "field": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/privateDnsZoneConfigs[*].privateDnsZoneId", + "equals": "[parameters('privateDnsZoneId')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "privateDnsZone", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + }, + "name": "DINE-SQL-Dns" + } + ] } }, "resources": [ 
@@ -308,9 +434,32 @@
 "synapsePrivateDnsZoneId": {
 "type": "string",
 "defaultValue": ""
+ },
+ "sqlPrivateDnsZone": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "sqlPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
 }
 },
 "policyDefinitions": [
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
+ "policyDefinitionReferenceId": "DINE-SQL-Dns",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlPrivateDnsZone')]"
+ },
+ "privateDnsZoneId": {
+ "value": "[[parameters('sqlPrivateDnsZoneId')]"
+ }
+ }
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
 "policyDefinitionReferenceId": "Dine-Synapse-Private-Dns-Zone",
From bc3f143b95ef4712855122cb1092a6c620186d09 Mon Sep 17 00:00:00 2001
From: Kristian Nese
Date: Thu, 2 Mar 2023 12:26:43 +0100
Subject: [PATCH 54/56] updated compliant services
---
 ...pliant-AppServicesPolicySetDefinition.json | 50 ++++++++-
 .../Compliant-ComputePolicySetDefinition.json | 75 ++++++-------
 .../referenceImplementations/fsiPortalV2.json | 105 ++++++++----------
 3 files changed, 130 insertions(+), 100 deletions(-)
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
index 198a0361..baf93543 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-AppServicesPolicySetDefinition.json
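Review bot: The new reference id `DINE-SQL-Dns` does not follow the casing used by the neighbouring entry `Dine-Synapse-Private-Dns-Zone` on the next line, and the custom definition name `DINE-SQL-Dns` likewise diverges from the `Deny-AA-Managed-Identity` style the sibling set definitions use for their embedded definitions. `policyDefinitionReferenceId` is the key that compliance results and exemptions are recorded against, so renaming after publication is disruptive; settle on something like `Dine-Sql-Private-Dns-Zone` before this merges.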
@@ -4,7 +4,7 @@ "parameters": { "topLevelManagementGroupPrefix": { "type": "string", - "defaultValue": "FSIDemo" + "defaultValue": "Dublin" } }, "variables": { @@ -586,6 +586,10 @@ "type": "string", "defaultValue": "Deny" }, + "functionAppsDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, "appServiceDisablePublicNetworkAccess": { "type": "string", "defaultValue": "Deny" @@ -610,6 +614,10 @@ "type": "string", "defaultValue": "Modify" }, + "appServiceAppModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, "appServiceSkuPl": { "type": "string", "defaultValue": "Deny" @@ -650,6 +658,10 @@ "type": "string", "defaultValue": "Deny" }, + "appServiceAppsRfc": { + "type": "string", + "defaultValue": "Deny" + }, "appServiceAppSlotsHttps": { "type": "string", "defaultValue": "Deny" @@ -828,6 +840,18 @@ } } }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee", + "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppModifyPublicNetworkAccess')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging", @@ -900,6 +924,18 @@ } } }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", + "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRfc')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", "policyDefinitionReferenceId": "Deny-AppService-Tls", 
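Review bot: The first hunk changes the default `topLevelManagementGroupPrefix` from `FSIDemo` to `Dublin`, which reads as a developer's test environment rather than an intended default; the same edit appears in the Compliant-ComputePolicySetDefinition.json `@@ -4,12 +4,11 @@` hunk on the next line. Because `variables('scope')` is built from this value, every custom `policyDefinitionId` in a standalone deployment of the template would point at that management group. industryArmV2.json already passes `parameters('industryPrefix')` in, so prefer removing `defaultValue` here or reverting to the previous placeholder.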
@@ -1094,6 +1130,18 @@ } } }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "policyDefinitionReferenceId": "Deny-FunctionApps-Public", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppsDisablePublicNetworkAccess')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", "policyDefinitionReferenceId": "Deny-AppService-Public", diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json index 5b0285ff..ae2d0864 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-ComputePolicySetDefinition.json @@ -4,12 +4,11 @@ "parameters": { "topLevelManagementGroupPrefix": { "type": "string", - "defaultValue": "FSIDemo" + "defaultValue": "Dublin" } }, "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", - // Use the following array to add custom policy property bags and resource names which will be required for secure-by-default initiatives "policies": { "policyDefinitions": [ { 
@@ -18,47 +17,47 @@ "mode": "Indexed", "description": "Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc.", "metadata": { - "version": "2.0.0", - "category": "Compute" + "version": "2.0.0", + "category": "Compute" }, "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "The effect determines what happens when the policy rule is evaluated to match" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } }, "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Compute/disks" - }, - { - "field": "Microsoft.Compute/disks/networkAccessPolicy", - "notIn": [ - "DenyAll", - "AllowPrivate" + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/disks" + }, + { + "field": "Microsoft.Compute/disks/networkAccessPolicy", + "notIn": [ + "DenyAll", + "AllowPrivate" + ] + }, + { + "field": "Microsoft.Compute/disks/publicNetworkAccess", + "notEquals": "Disabled" + } ] }, - { - "field": "Microsoft.Compute/disks/publicNetworkAccess", - "notEquals": "Disabled" + "then": { + "effect": "[[parameters('effect')]" } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } } }, "name": "Deny-Disk-Public-Endpoint" @@ -143,7 +142,7 @@ "defaultValue": "Deny" } }, - "policyDefinitions": [ + "policyDefinitions": [ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host", 
@@ -155,7 +154,7 @@ "value": "[[parameters('vmAndVmssEncryptionHost')]" } } - }, + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index 9b6c1ef1..86bc018e 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -569,21 +569,18 @@ "Cosmos DB", "Data Explorer", "Data Factory", - "Key Vault", - "Kubernetes", - "SQL", - "Service Bus", - "Postgre SQL", - "Open AI", "Event Grid", "Event Hub", - "Databricks", - "Stream Analytics", - "Networking", + "Key Vault", + "Kubernetes", + "Machine Learning", + "Networking", + "Open AI", + "Postgre SQL", + "Service Bus", + "SQL", "Storage Account", - "Synapse", - "Virtual Machine", - "Machine Learning" + "Synapse" ], "toolTip": "", "multiselect": true, 
@@ -634,36 +631,6 @@ "description": "Azure policies will ensure secure by-default compliance for Container Registry, enforce access via private endpoints, encyrption of variables and centralized authorization.", "value": "ContainerRegistry" }, - { - "label": "Key Vault", - "description": "Azure policies will ensure secure by-default compliance for Key Vaults, secrets, keys, and certificates, enforce access via private endpoints, purge protection, and centralized logging.", - "value": "KeyVault" - }, - { - "label": "Kubernetes", - "description": "Azure policies will ensure secure by-default compliance for Kubernetes (AKS), secrets, keys, and certificates, enforce access via private endpoints, centralized authorization and governance, and centralized logging.", - "value": "Kubernetes" - }, - { - "label": "Postgre SQL", - "description": "Azure policies will ensure secure by-default compliance for Postgre SQL, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.", - "value": "PostgreSql" - }, - { - "label": "SQL", - "description": "Azure policies will ensure secure by-default compliance for SQL servers and SQL databases, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.", - "value": "Sql" - }, - { - "label": "Service Bus", - "description": "Azure policies will ensure secure by-default compliance for Service Bus, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", - "value": "ServiceBus" - }, - { - "label": "Synapse", - "description": "Azure policies will ensure secure by-default compliance for Synapse, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", - "value": "Synapse" - }, { "label": "Cosmos DB", "description": "Azure policies will ensure secure by-default compliance for Cosmos DB, enforce access via private endpoints, 
double encryption, centralized authorization, and centralized logging.", @@ -679,16 +646,6 @@ "description": "Azure policies will ensure secure by-default compliance for Data Factory, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", "value": "DataFactory" }, - { - "label": "Machine Learning", - "description": "Azure policies will ensure secure by-default compliance for Machine Learning, enforce access via private endpoints, centralized authorization, and centralized logging.", - "value": "MachineLearning" - }, - { - "label": "Open AI", - "description": "Azure policies will ensure secure by-default compliance for Open AI, enforce access via private endpoints, centralized authorization, and centralized logging.", - "value": "OpenAi" - }, { "label": "Event Grid", "description": "Azure policies will ensure secure by-default compliance for Event Grid, enforce access via private endpoints, centralized authorization, and centralized logging.", 
@@ -700,29 +657,55 @@ "value": "EventHub" }, { - "label": "Databricks", - "description": "Azure policies will ensure secure by-default compliance for Databricks by requiring premium SKU that enforce access via private endpoints, centralized authorization, and centralized logging.", - "value": "Databricks" + "label": "Key Vault", + "description": "Azure policies will ensure secure by-default compliance for Key Vaults, secrets, keys, and certificates, enforce access via private endpoints, purge protection, and centralized logging.", + "value": "KeyVault" }, { - "label": "Stream Analytics", - "description": "Azure policies will ensure secure by-default compliance for Stream Analytics, enforce access via private endpoints, centralized authorization, and centralized logging.", - "value": "StreamAnalytics" + "label": "Kubernetes", + "description": "Azure policies will ensure secure by-default compliance for Kubernetes (AKS), secrets, keys, and certificates, enforce access via private endpoints, centralized authorization and governance, and centralized logging.", + "value": "Kubernetes" + }, + { + "label": "Machine Learning", + "description": "Azure policies will ensure secure by-default compliance for Machine Learning, enforce access via private endpoints, centralized authorization, and centralized logging.", + "value": "MachineLearning" }, { "label": "Networking", "description": "Azure policies will ensure secure by-default compliance for Networking, such as enforcement of strong protocols, encryption, advanced threat protection, communication paths, and logging.", "value": "Networking" }, + + { + "label": "Open AI", + "description": "Azure policies will ensure secure by-default compliance for Open AI, enforce access via private endpoints, centralized authorization, and centralized logging.", + "value": "OpenAi" + }, + { + "label": "Postgre SQL", + "description": "Azure policies will ensure secure by-default compliance for Postgre SQL, enforce access via private 
endpoints, centralized authorization, advanced threat protection and centralized logging.", + "value": "PostgreSql" + }, + { + "label": "Service Bus", + "description": "Azure policies will ensure secure by-default compliance for Service Bus, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", + "value": "ServiceBus" + }, + { + "label": "SQL", + "description": "Azure policies will ensure secure by-default compliance for SQL servers and SQL databases, enforce access via private endpoints, centralized authorization, advanced threat protection and centralized logging.", + "value": "Sql" + }, { "label": "Storage Account", "description": "Azure policies will ensure secure by-default compliance for Storage Accounts, such as enforcement of strong protocols, encryption, access via private endpoint, centralized authorization using Azure AD, and centralized logging.", "value": "StorageAccount" }, { - "label": "Virtual Machine", - "description": "Azure policies will ensure secure by-default compliance for Virtual Machines, such as enforcement of strong protocols, encryption, access via private and secure networks, centralized authorization using Azure AD, and centralized security logging.", - "value": "VMs" + "label": "Synapse", + "description": "Azure policies will ensure secure by-default compliance for Synapse, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", + "value": "Synapse" } ], "required": false From 179c38a9f808b86fbad56b84394848f8300ee98b Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Thu, 2 Mar 2023 12:42:12 +0100 Subject: [PATCH 55/56] Fix bug --- .../Compliant-CorpLzPolicySetDefinition.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
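Review bot: A stray empty `+` line is inserted between the `Networking` and `Open AI` entries in this hunk; drop it so the options array stays uniformly formatted. The hunk also removes the `Databricks`, `StreamAnalytics` and `VMs` options (and the `@@ -569,21 +569,18 @@` hunk removes their labels from `defaultValue`), so any `contains(parameters('compliantAzureServices'), 'Databricks')`-style condition for those values in industryArmV2.json can no longer be true; confirm whether the corresponding assignments are meant to be retired or should be gated on another parameter.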
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
index bd7b0ad1..402475dc 100644
--- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json
@@ -77,7 +77,7 @@
 "allOf": [
 {
 "field": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/privateDnsZoneConfigs[*].privateDnsZoneId",
- "equals": "[parameters('privateDnsZoneId')]"
+ "equals": "[[parameters('privateDnsZoneId')]"
 }
 ]
 },
@@ -100,16 +100,16 @@
 },
 "resources": [
 {
- "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
+ "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
 "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
 "apiVersion": "2020-03-01",
- "location": "[parameters('location')]",
+ "location": "[[parameters('location')]",
 "properties": {
 "privateDnsZoneConfigs": [
 {
 "name": "privateDnsZone",
 "properties": {
- "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
+ "privateDnsZoneId": "[[parameters('privateDnsZoneId')]"
 }
 }
 ]
@@ -119,13 +119,13 @@
 },
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('privateDnsZoneId')]"
+ "value": "[[parameters('privateDnsZoneId')]"
 },
 "privateEndpointName": {
- "value": "[field('name')]"
+ "value": "[[field('name')]"
 },
 "location": {
- "value": "[field('location')]"
+ "value": "[[field('location')]"
 }
 }
 }
From b83d7052424837e6268bd91009d5b643f1d6b461 Mon Sep 17 00:00:00 2001
From: Kristian Nese Date: Thu, 2 Mar 2023 18:49:02 +0100 Subject: [PATCH 56/56] adding AVD --- .../Compliant-CorpLzPolicyAssignment.json | 42 ++ ...pliant-VirtualDesktopPolicyAssignment.json | 126 ++++ .../Compliant-CorpLzPolicySetDefinition.json | 63 +- ...ant-VirtualDesktopPolicySetDefinition.json | 603 ++++++++++++++++++ .../referenceImplementations/fsiPortalV2.json | 8 +- .../industryArmV2.json | 95 ++- 6 files changed, 932 insertions(+), 5 deletions(-) create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json create mode 100644 foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json index 3f70ab0c..170dfb8d 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-CorpLzPolicyAssignment.json 
@@ -249,6 +249,30 @@
 "type": "string",
 "defaultValue": ""
 },
+ "avdHostPoolPrivateDnsZone": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "avdHostPoolPrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "avdHostPoolPrivateEndpointGroupId": {
+ "type": "string",
+ "defaultValue": "connection"
+ },
+ "avdWorkspacePrivateDnsZone": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "avdWorkspacePrivateDnsZoneId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "avdWorkspacePrivateEndpointGroupId": {
+ "type": "string",
+ "defaultValue": "feed"
+ },
 "userAssignedIdentityResourceId": {
 "type": "string",
 "defaultValue": ""
@@ -282,6 +306,24 @@
 "policyDefinitionId": "[variables('policyDefinitions').compliantCorpLz]",
 "enforcementMode": "[parameters('enforcementMode')]",
 "parameters": {
+ "avdHostPoolPrivateDnsZone": {
+ "value": "[parameters('avdHostPoolPrivateDnsZone')]"
+ },
+ "avdHostPoolPrivateDnsZoneId": {
+ "value": "[parameters('avdHostPoolPrivateDnsZoneId')]"
+ },
+ "avdHostPoolPrivateEndpointGroupId": {
+ "value": "[parameters('avdHostPoolPrivateEndpointGroupId')]"
+ },
+ "avdWorkspacePrivateDnsZone": {
+ "value": "[parameters('avdWorkspacePrivateDnsZone')]"
+ },
+ "avdWorkspacePrivateDnsZoneId": {
+ "value": "[parameters('avdWorkspacePrivateDnsZoneId')]"
+ },
+ "avdWorkspacePrivateEndpointGroupId": {
+ "value": "[parameters('avdWorkspacePrivateEndpointGroupId')]"
+ },
 "storageTablePrivateDnsZone": {
 "value": "[parameters('storageTablePrivateDnsZone')]"
 },
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json
new file mode 100644
index 00000000..c8c1480b
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json 
@@ -0,0 +1,126 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "avdHostPoolPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "avdHostPoolModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "avdWorkspacePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "avdWorkspaceModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "avdAppGroupDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdAppGroupLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "avdHostPoolDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdHostPoolLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "avdWorkspaceDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdWorkspaceLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "userAssignedIdentityResourceId": { + "type": "string" + } + }, + "variables": { + "policyDefinitions": { + "compliantAvd": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Compliant-AVD')]" + }, + "policyAssignmentNames": { + "avd": "Compliant-AVD", + "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per FSI Landing Zones", + "displayName": "Enforce secure-by-default Virtual Desktop for 
Financial Services Industry" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').avd]", + "location": "[deployment().location]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[parameters('userAssignedIdentityResourceId')]": {} + } + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').compliantAvd]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "avdHostPoolPublicNetworkAccess": { + "value": "[parameters('avdHostPoolPublicNetworkAccess')]" + }, + "avdHostPoolModifyPublicNetworkAccess": { + "value": "[parameters('avdHostPoolModifyPublicNetworkAccess')]" + }, + "avdWorkspacePublicNetworkAccess": { + "value": "[parameters('avdWorkspacePublicNetworkAccess')]" + }, + "avdWorkspaceModifyPublicNetworkAccess": { + "value": "[parameters('avdWorkspaceModifyPublicNetworkAccess')]" + }, + "avdAppGroupDiagnostics": { + "value": "[parameters('avdAppGroupDiagnostics')]" + }, + "avdAppGroupLogAnalyticsWorkspaceId": { + "value": "[parameters('avdAppGroupLogAnalyticsWorkspaceId')]" + }, + "avdHostPoolDiagnostics": { + "value": "[parameters('avdHostPoolDiagnostics')]" + }, + "avdHostPoolLogAnalyticsWorkspaceId": { + "value": "[parameters('avdHostPoolLogAnalyticsWorkspaceId')]" + }, + "avdWorkspaceDiagnostics": { + "value": "[parameters('avdWorkspaceDiagnostics')]" + }, + "avdWorkspaceLogAnalyticsWorkspaceId": { + "value": "[parameters('avdWorkspaceLogAnalyticsWorkspaceId')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file 
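Review bot: `userAssignedIdentityResourceId` is the only parameter with no `defaultValue` and, unlike `topLevelManagementGroupPrefix`, it carries no `metadata.description`, even though it is what the assignment's `identity` block binds and therefore the principal the initiative's DeployIfNotExists and Modify effects remediate as; add `"metadata": { "description": "Resource ID of the user-assigned managed identity used for remediation; it must hold the roles the initiative's policies list in roleDefinitionIds." }`. The diagnostics parameters (`avdAppGroupDiagnostics`, `avdHostPoolDiagnostics`, `avdWorkspaceDiagnostics`) default to `DeployIfNotExists` while their `...LogAnalyticsWorkspaceId` partners default to `""`, which enables remediation with no destination workspace; consider defaulting those effects to `Disabled`. The file also ends without a trailing newline.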
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json index 08728bb7..d2aac8b9 100644 --- a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json +++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-CorpLzPolicySetDefinition.json @@ -10,7 +10,8 @@ "variables": { "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", "policies": { - "policyDefinitions": [] + "policyDefinitions": [ + ] } }, "resources": [ 
@@ -308,9 +309,69 @@ "synapsePrivateDnsZoneId": { "type": "string", "defaultValue": "" + }, + "avdHostPoolPrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdHostPoolPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "avdHostPoolPrivateEndpointGroupId": { + "type": "string", + "defaultValue": "connection" + }, + "avdWorkspacePrivateDnsZone": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "avdWorkspacePrivateEndpointGroupId": { + "type": "string", + "defaultValue": "feed" } }, "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed", + "policyDefinitionReferenceId": "Dine-Workspace-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspacePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('avdWorkspacePrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('avdWorkspacePrivateEndpointGroupId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a", + "policyDefinitionReferenceId": "Dine-Hostpool-DNS-Zone", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdHostpoolPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('avdHostpoolPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "[[parameters('avdHostpoolPrivateEndpointGroupId')]" + } + } + }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", "policyDefinitionReferenceId": "Dine-Synapse-Private-Dns-Zone", 
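Review bot: The host pool entry references `[[parameters('avdHostpoolPrivateDnsZone')]`, `[[parameters('avdHostpoolPrivateDnsZoneId')]` and `[[parameters('avdHostpoolPrivateEndpointGroupId')]`, but the parameters declared a few lines above in this hunk are `avdHostPoolPrivateDnsZone`, `avdHostPoolPrivateDnsZoneId` and `avdHostPoolPrivateEndpointGroupId` (capital P), which is also the spelling the caller in industryArmV2.json passes. If the policy engine resolves parameter names case-sensitively, the host pool private-DNS-zone DINE will fail to resolve its parameters at assignment time and the workspace entry will be the only one that works; even if resolution is case-insensitive, the mismatch is a trap for the next edit, so the references should match the declaration, e.g. `"value": "[[parameters('avdHostPoolPrivateDnsZone')]"`. The reference ids `Dine-Workspace-DNS-Zone` and `Dine-Hostpool-DNS-Zone` also depart from the `Dine-<Service>-Private-Dns-Zone` pattern of the neighbouring Synapse entry and do not name the service; `Dine-AvdWorkspace-Private-Dns-Zone` / `Dine-AvdHostPool-Private-Dns-Zone` would keep the set consistent.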
diff --git a/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json
new file mode 100644
index 00000000..6fe6861e
--- /dev/null
+++ b/foundations/azure/referenceImplementations/core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json
@@ -0,0 +1,603 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "redm" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.0.0", + "category": "Desktop Virtualization" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/applicationGroups" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": 
"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-avdAppGroup" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.0.0", + "category": "Desktop Virtualization" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/hostpools" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": 
"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-avdHostPool" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.0.0", + "category": "Desktop Virtualization" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/workspaces" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": 
"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-avdWorkspace" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-AVD", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Desktop Virtualization" + }, + "displayName": "Enforce secure-by-default Virtual Desktop for Financial Services Industry", + "description": "This policy initiative is a 
group of policies that ensures Virtual Desktop is compliant per FSI Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for purge protection, soft delete, and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Virtual Desktop is not accessible over the public internet", + "description": "Policy to ensure Key Vault is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Virtual Desktop", + "description": "Policy to ensure Virtual Desktop is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Virtual Desktop is logging all events to Log Analytics", + "description": "Policy to ensure Virtual Desktop is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "avdHostPoolPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "avdHostPoolModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "avdWorkspacePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "avdWorkspaceModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "avdAppGroupDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdAppGroupLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "avdHostPoolDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "avdHostPoolLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "avdWorkspaceDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + 
"avdWorkspaceLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-avdAppGroup", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdAppGroupDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('avdAppGroupLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-avdHostPool", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('avdHostPoolLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-avdWorkspace", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspaceDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('avdWorkspaceLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd", + "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspacePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f", + "policyDefinitionReferenceId": 
"Modify-Workspace-PublicNetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspaceModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334", + "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d", + "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolModifyPublicNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/foundations/azure/referenceImplementations/fsiPortalV2.json b/foundations/azure/referenceImplementations/fsiPortalV2.json index 86bc018e..9f957fc4 100644 --- a/foundations/azure/referenceImplementations/fsiPortalV2.json +++ b/foundations/azure/referenceImplementations/fsiPortalV2.json @@ -580,7 +580,8 @@ "Service Bus", "SQL", "Storage Account", - "Synapse" + "Synapse", + "Virtual Desktop" ], "toolTip": "", "multiselect": true, @@ -706,6 +707,11 @@ "label": "Synapse", "description": "Azure policies will ensure secure by-default compliance for Synapse, enforce access via private endpoints, double encryption, centralized authorization, and centralized logging.", "value": "Synapse" + }, + { + "label": "Virtual Desktop", + "description": "Azure policies will ensure secure by-default compliance for Virtual Desktop, enforce access via private endpoints, centralized authorization, and centralized logging.", + "value": "DesktopVirtualization" } ], "required": false 
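Review bot: The `existenceCondition` of all three DINE definitions in this file only requires `Microsoft.Insights/diagnosticSettings/logs.enabled` to equal `true` and the `workspaceId` to match, while the remediation deploys a `categoryGroup: allLogs` setting; a pre-existing diagnostic setting that streams a single log category to the same workspace therefore already satisfies the condition and is never brought up to all categories, so the Logging group's claim "Ensure Virtual Desktop is logging all events to Log Analytics" is not actually enforced. Consider extending the existence condition to also require the deployed category group, as the newer built-in diagnostic DINE definitions do, or document the gap in the policy `description`. Separately, `policyDefinitionGroups` carries Key Vault text copied into this Virtual Desktop set (`Ensure compliance for purge protection, soft delete, and key rotation` under Encryption and `Policy to ensure Key Vault is not accessible over the public internet` under Network, plus the `auhtorization` typo), and the `Encryption` and `Identity` groups have no member in `policyDefinitions`; either drop the empty groups or reword them for Virtual Desktop. The three policy `description` strings also repeat `categorys` for `categories`.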
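Review bot: The new option's `description` promises `enforce access via private endpoints, centralized authorization, and centralized logging` for Virtual Desktop, but the Compliant-AVD set introduced in this commit contains only Logging (diagnostic DINE) and Network (public-network-access deny/modify) members, its Identity group is empty, and the private DNS zone DINE is placed in the Corp landing-zone set instead. The portal text should describe what is actually enforced so operators do not assume an identity control exists, e.g. `Azure policies will ensure secure by-default compliance for Virtual Desktop, deny public network access, deploy private DNS zones for private endpoints, and enforce centralized logging.`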
diff --git a/foundations/azure/referenceImplementations/industryArmV2.json b/foundations/azure/referenceImplementations/industryArmV2.json
index 538d3ecd..12978f3b 100644
--- a/foundations/azure/referenceImplementations/industryArmV2.json
+++ b/foundations/azure/referenceImplementations/industryArmV2.json
@@ -694,6 +694,8 @@
 "compliantStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-StoragePolicyAssignment.json')]",
 "compliantSynapsePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-SynapsePolicySetDefinition.json')]",
 "compliantSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-SynapsePolicyAssignment.json')]",
+ "compliantVirtualDesktopPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/Compliant-VirtualDesktopPolicySetDefinition.json')]",
+ "compliantVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyAssignments/Compliant-VirtualDesktopPolicyAssignment.json')]",
 "dataPolicyDefinitions": "[uri(deployment().properties.templateLink.uri, 'core/managementGroupTemplates/policyDefinitions/dataPolicies.json')]",
 "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/hubspoke-connectivity.json')]",
 "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'core/subscriptionTemplates/vwan-connectivity.json')]",
@@ -784,6 +786,7 @@
 "compliantSqlDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Sql', variables('deploymentSuffix')), 64)]",
 "compliantStorageDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Storage', variables('deploymentSuffix')), 64)]",
 "compliantSynapseDeploymentName": "[take(concat(parameters('industry'), '-Compliant-Synapse', variables('deploymentSuffix')), 64)]",
+ "compliantVirtualDesktopDeploymentName": "[take(concat(parameters('industry'), '-Compliant-AVD', variables('deploymentSuffix')), 64)]",
 "mgmtSubscriptionPlacement": "[take(concat(parameters('industry'), '-MgmtSub', variables('deploymentSuffix')), 64)]",
 "policyIdentityDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentity', variables('deploymentSuffix')), 64)]",
 "policyIdentityRoleAssignmentDeploymentName": "[take(concat(parameters('industry'), '-PolicyIdentityRoleAssignment', variables('deploymentSuffix')), 64)]",
@@ -884,6 +887,7 @@
 "compliantStorageAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Storage', variables('deploymentSuffix')), 64)]",
 "compliantApimAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-Apim', variables('deploymentSuffix')), 64)]",
 "compliantAppServiceAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AppService', variables('deploymentSuffix')), 64)]",
+ "compliantVirtualDesktopAssignmentDeploymentName": "[take(concat(parameters('industry'), '-Enforce-Compliant-AVD', variables('deploymentSuffix')), 64)]",
 // Telco specific policies assignment deployments
 "erHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaEr', variables('deploymentSuffix')), 64)]",
 "pipHaPolicyAssignment": "[take(concat(parameters('industry'), '-DenyNonHaPip', variables('deploymentSuffix')), 64)]",
@@ -1028,7 +1032,8 @@
 "privatelink.token.botframework.com",
 "workspace.privatelink.azurehealthcareapis.com",
 "fhir.privatelink.azurehealthcareapis.com",
- "dicom.privatelink.azurehealthcareapis.com"
+ "dicom.privatelink.azurehealthcareapis.com",
+ "privatelink.wvd.microsoft.com"
 ],
 "baseId": "[concat(variables('platformResourceIds').privateDnsRgResourceId, '/providers/Microsoft.Network/privateDnsZones/')]",
 "privateDnsPolicyParameterMapping": {
@@ -1075,7 +1080,8 @@
 "azureSecondaryStorageWebPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.web.core.windows.net')]",
 "azureStorageDfsPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]",
 "azureSecondaryStorageDfsPrivateDnsZoneId":"[concat(variables('baseId'), 'privatelink.dfs.core.windows.net')]",
- "azureStorageFileSyncPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.afs.azure.net')]"
+ "azureStorageFileSyncPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.afs.azure.net')]",
+ "azureDesktopVirtualizationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.wvd.microsoft.com')]"
 },
 "roleDefinitions": {
@@ -1734,6 +1740,30 @@
 }
 }
 },
+ {
+ // Deploying Compliant Virtual Desktop PolicySetDefinition
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').compliantVirtualDesktopDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('industryPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').compliantVirtualDesktopPolicySetDefinition]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('industryPrefix')]"
+ }
+ }
+ }
+ },
 {
 // Deploying custom data policies
 "type": "Microsoft.Resources/deployments",
@@ -4107,6 +4137,18 @@
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('industryPrefix')]"
 },
+ "avdHostPoolPrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "avdHostPoolPrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), variables('privateDnsPolicyParameterMapping').azureDesktopVirtualizationPrivateDnsZoneId, '')]"
+ },
+ "avdWorkspacePrivateDnsZone": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), 'DeployIfNotExists', 'Disabled')]"
+ },
+ "avdWorkspacePrivateDnsZoneId": {
+ "value": "[if(contains(parameters('compliantAzureServices'), 'DesktopVirtualization'), variables('privateDnsPolicyParameterMapping').azureDesktopVirtualizationPrivateDnsZoneId, '')]"
+ },
 "storageTablePrivateDnsZone": {
 "value": "[if(contains(parameters('compliantAzureServices'), 'StorageAccount'), 'DeployIfNotExists', 'Disabled')]"
 },
@@ -4325,7 +4367,54 @@ } } } - }, + }, + { // Creating Policy Assignment Virtual Desktop to Landing Zone scope + "condition": "[contains(parameters('compliantAzureServices'), 'DesktopVirtualization')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "location": "[if(empty(parameters('location')), deployment().location, parameters('location'))]", + "name": "[variables('deploymentNames').compliantVirtualDesktopAssignmentDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyIdentityRoleAssignmentDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').compliantVirtualDesktopDeploymentName)]", + "dnsZones", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').compliantVirtualDesktopPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('industryPrefix')]" + }, + "avdAppGroupDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "avdAppGroupLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "avdHostPoolDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "avdHostPoolLogAnalyticsWorkspaceId": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "avdWorkspaceDiagnostics": { + "value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), 'DeployIfNotExists', 'Disabled')]" + }, + "avdWorkspaceLogAnalyticsWorkspaceId": { + 
"value": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), variables('platformResourceIds').logAnalyticsResourceId, '')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + } + } + } + }, /* The following section will optionally configure the governance for the Identity management group for the platform */