зеркало из https://github.com/Azure/ALZ-Bicep.git
feat: Policy Refresh Q1 FY25 (#806)
* Update Policy Library (automated) * Update Policy Library (automated) * Change monitor policy names to avoid confusion * Update Policy Library (automated) * feat: Update Policy Library (automated) * feat: Update Policy Library (automated) * Updated json values for custompolicydefinitions * Remove duplicate AKS Assignment and create subnet private assignment * Added param and logic for category of resource logs * Generate Parameter Markdowns [oZakari/c375e413] * feat: Update Policy Library (automated) --------- Co-authored-by: github-actions <action@github.com> Co-authored-by: Zach Trocinski <ztrocinski@outlook.com> Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
This commit is contained in:
cae-pr-creator[bot]
GitHub
Родитель
c375e41332
Коммит
3f3d38f24c
|
|
@ -65,6 +65,9 @@ param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
|
|||
@description('Resource ID of Log Analytics Workspace.')
|
||||
param parLogAnalyticsWorkspaceResourceId string = ''
|
||||
|
||||
@sys.description('Category of logs for supported resource logging for Log Analytics Workspace.')
|
||||
param parLogAnalyticsWorkspaceResourceCategory string = 'allLogs'
|
||||
|
||||
@description('Resource ID for VM Insights Data Collection Rule.')
|
||||
param parDataCollectionRuleVMInsightsResourceId string = ''
|
||||
|
||||
|
|
@ -164,6 +167,7 @@ var varModuleDeploymentNames = {
|
|||
modPolicyAssignmentPlatformDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentPlatformDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDeleteUamiAma-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentPlatformDenyDeleteUAMIAMA: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deny-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentPlatformEnforceSubnetPrivate: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSubnetPrivate-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentPlatformEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentPlatformEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentPlatformEnforceAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-platform-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
|
|
@ -179,7 +183,6 @@ var varModuleDeploymentNames = {
|
|||
modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
|
|
@ -195,6 +198,7 @@ var varModuleDeploymentNames = {
|
|||
modPolicyAssignmentLzsDeployVmMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsDeployVmssMonitor: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVmssMonitor-Lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsDeployMdfcDefSqlAma: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcDefSqlAma-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsEnforceSubnetPrivate: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSubnetPrivate-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsEnforceAsr: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLzsAumCheckUpdates: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployEnforceAumCheckUpdates-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
|
|
@ -327,11 +331,6 @@ var varPolicyAssignmentDenyUnmanagedDisk = {
|
|||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployAKSPolicy = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployASCMonitoring = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
|
||||
|
|
@ -384,6 +383,7 @@ var varPolicyAssignmentDeployPrivateDNSZones = {
|
|||
|
||||
var varPolicyAssignmentDeployResourceDiag = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038'
|
||||
conditionalDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')
|
||||
}
|
||||
|
||||
|
|
@ -422,12 +422,12 @@ var varPolicyAssignmentDeployvmHybrMonitoring = {
|
|||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_arc_monitor.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployVMMonitoring = {
|
||||
var varPolicyAssignmentDeployVMMonitor24 = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployVMSSMonitoring = {
|
||||
var varPolicyAssignmentDeployVMSSMonitor24 = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json')
|
||||
}
|
||||
|
|
@ -447,6 +447,11 @@ var varPolicyAssignmentEnableDDoSVNET = {
|
|||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentEnforceSubnetPrivate = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentEnforceACSB = {
|
||||
definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json')
|
||||
|
|
@ -739,7 +744,7 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
|
|||
scope: managementGroup(varManagementGroupIds.intRoot)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId
|
||||
parPolicyAssignmentDefinitionId: parLogAnalyticsWorkspaceResourceCategory =~ 'allLogs' ? varPolicyAssignmentDeployResourceDiag.definitionId : varPolicyAssignmentDeployResourceDiag.conditionalDefinitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description
|
||||
|
|
@ -1030,17 +1035,17 @@ module modPolicyAssignmentPlatformDeployVmArcMonitor '../../../policy/assignment
|
|||
}
|
||||
|
||||
// Module - Policy Assignment - Deploy-VM-Monitor-24
|
||||
module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
|
||||
module modPolicyAssignmentPlatformDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitor24.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.platform)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmMonitor
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitor24.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitor24.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitor24.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentParameterOverrides: {
|
||||
dcrResourceId: {
|
||||
value: parDataCollectionRuleVMInsightsResourceId
|
||||
|
|
@ -1115,17 +1120,17 @@ module modPolicyAssignmentPlatformDenyDeleteUAMIAMA '../../../policy/assignments
|
|||
}
|
||||
|
||||
// Module - Policy Assignment - Deploy-VMSS-Monitor-24
|
||||
module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
|
||||
module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.platform)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentPlatformDeployVmssMonitor
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitor24.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentParameterOverrides: {
|
||||
dcrResourceId: {
|
||||
value: parDataCollectionRuleChangeTrackingResourceId
|
||||
|
|
@ -1144,6 +1149,21 @@ module modPolicyAssignmentPlatformDeployVmssMonitor '../../../policy/assignments
|
|||
parTelemetryOptOut: parTelemetryOptOut
|
||||
}
|
||||
}
|
||||
// Module - Policy Assignment - Enforce-Subnet-Private
|
||||
module modPolicyAssignmentPlatformEnforceSubnetPrivate '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.platform)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentPlatformEnforceSubnetPrivate
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSubnetPrivate.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.enforcementMode
|
||||
parTelemetryOptOut: parTelemetryOptOut
|
||||
}
|
||||
}
|
||||
|
||||
// Module - Policy Assignment - Enforce-GR-KeyVault
|
||||
module modPolicyAssignmentPlatformEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
|
||||
|
|
@ -1459,26 +1479,6 @@ module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policy
|
|||
}
|
||||
}
|
||||
|
||||
// Module - Policy Assignment - Deploy-AKS-Policy
|
||||
module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentIdentityRoleDefinitionIds: [
|
||||
varRbacRoleDefinitionIds.aksContributor
|
||||
varRbacRoleDefinitionIds.aksPolicyAddon
|
||||
]
|
||||
parTelemetryOptOut: parTelemetryOptOut
|
||||
}
|
||||
}
|
||||
|
||||
// Module - Policy Assignment - Deny-Priv-Escalation-AKS
|
||||
module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||
|
|
@ -1725,17 +1725,17 @@ module modPolicyAssignmentLzsDeployVmArcMonitor '../../../policy/assignments/pol
|
|||
}
|
||||
|
||||
// Module - Policy Assignment - Deploy-VM-Monitor-24
|
||||
module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
|
||||
module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitor24.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmMonitor
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitor24.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitor24.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitor24.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitor24.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentParameterOverrides: {
|
||||
dcrResourceId: {
|
||||
value: parDataCollectionRuleVMInsightsResourceId
|
||||
|
|
@ -1756,17 +1756,17 @@ module modPolicyAssignmentLzsDeployVmMonitor '../../../policy/assignments/policy
|
|||
}
|
||||
|
||||
// Module - Policy Assignment - Deploy-VMSS-Monitor-24
|
||||
module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
|
||||
module modPolicyAssignmentLzsDeployVmssMonitor '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmssMonitor
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitor24.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitor24.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitor24.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentParameterOverrides: {
|
||||
dcrResourceId: {
|
||||
value: parDataCollectionRuleChangeTrackingResourceId
|
||||
|
|
@ -1817,6 +1817,22 @@ module modPolicyAssignmentLzsmDeployMdfcDefSqlAma '../../../policy/assignments/p
|
|||
}
|
||||
}
|
||||
|
||||
// Module - Policy Assignment - Enforce-Subnet-Private
|
||||
module modPolicyAssignmentLzsEnforceSubnetPrivate '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceSubnetPrivate
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSubnetPrivate.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSubnetPrivate.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSubnetPrivate.libDefinition.properties.enforcementMode
|
||||
parTelemetryOptOut: parTelemetryOptOut
|
||||
}
|
||||
}
|
||||
|
||||
// Module - Policy Assignment - Enforce-GR-KeyVault
|
||||
module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
|
||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ parLandingZoneChildrenMgAlzDefaultsEnable | No | Assign policies to Corp &
|
|||
parLandingZoneMgConfidentialEnable | No | Assign policies to Confidential Corp and Online groups under Landing Zones.
|
||||
parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | Location of Log Analytics Workspace & Automation Account.
|
||||
parLogAnalyticsWorkspaceResourceId | No | Resource ID of Log Analytics Workspace.
|
||||
parLogAnalyticsWorkspaceResourceCategory | No | Category of logs for supported resource logging for Log Analytics Workspace.
|
||||
parDataCollectionRuleVMInsightsResourceId | No | Resource ID for VM Insights Data Collection Rule.
|
||||
parDataCollectionRuleChangeTrackingResourceId | No | Resource ID for Change Tracking Data Collection Rule.
|
||||
parDataCollectionRuleMDFCSQLResourceId | No | Resource ID for MDFC SQL Data Collection Rule.
|
||||
|
|
@ -101,6 +102,14 @@ Location of Log Analytics Workspace & Automation Account.
|
|||
|
||||
Resource ID of Log Analytics Workspace.
|
||||
|
||||
### parLogAnalyticsWorkspaceResourceCategory
|
||||
|
||||
|
||||
|
||||
Category of logs for supported resource logging for Log Analytics Workspace.
|
||||
|
||||
- Default value: `allLogs`
|
||||
|
||||
### parDataCollectionRuleVMInsightsResourceId
|
||||
|
||||
|
||||
|
|
@ -265,6 +274,9 @@ Opt out of deployment telemetry.
|
|||
"parLogAnalyticsWorkspaceResourceId": {
|
||||
"value": ""
|
||||
},
|
||||
"parLogAnalyticsWorkspaceResourceCategory": {
|
||||
"value": "allLogs"
|
||||
},
|
||||
"parDataCollectionRuleVMInsightsResourceId": {
|
||||
"value": ""
|
||||
},
|
||||
|
|
|
|||
|
|
@ -68,7 +68,6 @@ var varModuleDeploymentNames = {
|
|||
modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
|
||||
|
|
@ -129,11 +128,6 @@ var varPolicyAssignmentDenySubnetWithoutNsg = {
|
|||
libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json'))
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployAKSPolicy = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
|
||||
libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json'))
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployASCMonitoring = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
|
||||
libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json'))
|
||||
|
|
@ -585,25 +579,6 @@ module modPolicyAssignmentLZsDenyStorageHttp '../../../policy/assignments/policy
|
|||
}
|
||||
}
|
||||
|
||||
// Module - Policy Assignment - Deploy-AKS-Policy
|
||||
module modPolicyAssignmentLZsDeployAKSPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
||||
scope: managementGroup(varManagementGroupIDs.landingZones)
|
||||
name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy
|
||||
params: {
|
||||
parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId
|
||||
parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
|
||||
parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
|
||||
parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
|
||||
parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
|
||||
parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
|
||||
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
|
||||
parPolicyAssignmentIdentityRoleDefinitionIds: [
|
||||
varRBACRoleDefinitionIDs.aksContributor
|
||||
]
|
||||
parTelemetryOptOut: parTelemetryOptOut
|
||||
}
|
||||
}
|
||||
|
||||
// Module - Policy Assignment - Deny-Priv-Escalation-AKS
|
||||
module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
||||
scope: managementGroup(varManagementGroupIDs.landingZones)
|
||||
|
|
|
|||
|
|
@ -44,6 +44,9 @@
|
|||
"parLogAnalyticsWorkspaceLogRetentionInDays": {
|
||||
"value": "365"
|
||||
},
|
||||
"parLogAnalyticsWorkspaceResourceCategory": {
|
||||
"value": "allLogs"
|
||||
},
|
||||
"parDataCollectionRuleVMInsightsResourceId": {
|
||||
"value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr"
|
||||
},
|
||||
|
|
|
|||
|
|
@ -68,11 +68,6 @@ var varPolicyAssignmentDenySubnetWithoutUdr = {
|
|||
libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployAKSPolicy = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
|
||||
libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployASCMonitoring = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
|
||||
libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
|
||||
|
|
|
|||
|
|
@ -1,22 +0,0 @@
|
|||
{
|
||||
"name": "Deploy-AKS-Policy",
|
||||
"type": "Microsoft.Authorization/policyAssignments",
|
||||
"apiVersion": "2019-09-01",
|
||||
"properties": {
|
||||
"description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
|
||||
"displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
|
||||
"notScopes": [],
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "DeployIfNotExists"
|
||||
}
|
||||
},
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
|
||||
"scope": null,
|
||||
"enforcementMode": "Default"
|
||||
},
|
||||
"location": null,
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
}
|
||||
}
|
||||
|
|
@ -143,11 +143,6 @@ var varPolicyAssignmentDenyUnmanagedDisk = {
|
|||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployAKSPolicy = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployASCMonitoring = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
|
||||
|
|
@ -253,7 +248,7 @@ var varPolicyAssignmentDeployVMChangeTrack = {
|
|||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployVMMonitoring = {
|
||||
var varPolicyAssignmentDeployVMMonitor24 = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitor.tmpl.json')
|
||||
}
|
||||
|
|
@ -263,7 +258,7 @@ var varPolicyAssignmentDeployVMSSChangeTrack = {
|
|||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentDeployVMSSMonitoring = {
|
||||
var varPolicyAssignmentDeployVMSSMonitor24 = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitor.tmpl.json')
|
||||
}
|
||||
|
|
@ -318,6 +313,11 @@ var varPolicyAssignmentEnforceSovereignGlobal = {
|
|||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentEnforceSubnetPrivate = {
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json')
|
||||
}
|
||||
|
||||
var varPolicyAssignmentEnforceTLSSSLH224 = {
|
||||
definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509'
|
||||
libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')
|
||||
|
|
|
|||
|
|
@ -1,22 +0,0 @@
|
|||
{
|
||||
"name": "Deploy-AKS-Policy",
|
||||
"type": "Microsoft.Authorization/policyAssignments",
|
||||
"apiVersion": "2024-04-01",
|
||||
"properties": {
|
||||
"description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
|
||||
"displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
|
||||
"notScopes": [],
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "DeployIfNotExists"
|
||||
}
|
||||
},
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
|
||||
"scope": null,
|
||||
"enforcementMode": "Default"
|
||||
},
|
||||
"location": null,
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
}
|
||||
}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"name": "Deploy-VM-Monitoring",
|
||||
"name": "Deploy-VM-Monitor-24",
|
||||
"type": "Microsoft.Authorization/policyAssignments",
|
||||
"apiVersion": "2024-04-01",
|
||||
"properties": {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"name": "Deploy-VMSS-Monitoring",
|
||||
"name": "Deploy-VMSS-Monitor-24",
|
||||
"type": "Microsoft.Authorization/policyAssignments",
|
||||
"apiVersion": "2024-04-01",
|
||||
"properties": {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
"name": "Enforce-Subnet-Private",
|
||||
"type": "Microsoft.Authorization/policyAssignments",
|
||||
"apiVersion": "2024-04-01",
|
||||
"properties": {
|
||||
"description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
|
||||
"displayName": "Subnets should be private",
|
||||
"notScopes": [],
|
||||
"parameters": {},
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837",
|
||||
"scope": null,
|
||||
"enforcementMode": "Default"
|
||||
},
|
||||
"location": null,
|
||||
"identity": {
|
||||
"type": "None"
|
||||
}
|
||||
}
|
||||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "AppService append sites with minimum TLS version to enforce.",
|
||||
"description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
|
||||
"metadata": {
|
||||
"version": "1.1.0",
|
||||
"version": "1.2.0",
|
||||
"category": "App Service",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -35,6 +35,7 @@
|
|||
"type": "String",
|
||||
"defaultValue": "1.2",
|
||||
"allowedValues": [
|
||||
"1.3",
|
||||
"1.2",
|
||||
"1.0",
|
||||
"1.1"
|
||||
|
|
@ -54,7 +55,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.Web/sites/config/minTlsVersion",
|
||||
"notEquals": "[parameters('minTlsVersion')]"
|
||||
"less": "[parameters('minTlsVersion')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.",
|
||||
"description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Cache",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -56,7 +56,7 @@
|
|||
"anyOf": [
|
||||
{
|
||||
"field": "Microsoft.Cache/Redis/minimumTlsVersion",
|
||||
"notequals": "[parameters('minimumTlsVersion')]"
|
||||
"less": "[parameters('minimumTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@
|
|||
"privatelink.gremlin.cosmos.azure.com",
|
||||
"privatelink.guestconfiguration.azure.com",
|
||||
"privatelink.his.arc.azure.com",
|
||||
"privatelink.dp.kubernetesconfiguration.azure.com",
|
||||
"privatelink.kubernetesconfiguration.azure.com",
|
||||
"privatelink.managedhsm.azure.net",
|
||||
"privatelink.mariadb.database.azure.com",
|
||||
"privatelink.media.azure.net",
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Event Hub namespaces should use a valid TLS version",
|
||||
"description": "Event Hub namespaces should use a valid TLS version.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Event Hub",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -52,7 +52,7 @@
|
|||
"anyOf": [
|
||||
{
|
||||
"field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
|
||||
"notEquals": "[parameters('minTlsVersion')]"
|
||||
"less": "[parameters('minTlsVersion')]"
|
||||
},
|
||||
{
|
||||
"field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "MySQL database servers enforce SSL connections.",
|
||||
"description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "SQL",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -66,7 +66,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
|
||||
"notequals": "[parameters('minimalTlsVersion')]"
|
||||
"less": "[parameters('minimalTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Azure Cache for Redis only secure connections should be enabled",
|
||||
"description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Cache",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -41,7 +41,7 @@
|
|||
"1.0"
|
||||
],
|
||||
"metadata": {
|
||||
"displayName": "Select minumum TLS version for Azure Cache for Redis.",
|
||||
"displayName": "Select minimum TLS version for Azure Cache for Redis.",
|
||||
"description": "Select minimum TLS version for Azure Cache for Redis."
|
||||
}
|
||||
}
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.Cache/Redis/minimumTlsVersion",
|
||||
"notequals": "[parameters('minimumTlsVersion')]"
|
||||
"less": "[parameters('minimumTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
|
||||
"description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "SQL",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.Sql/servers/minimalTlsVersion",
|
||||
"notequals": "[parameters('minimalTlsVersion')]"
|
||||
"less": "[parameters('minimalTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,9 +7,9 @@
|
|||
"policyType": "Custom",
|
||||
"mode": "Indexed",
|
||||
"displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
|
||||
"description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
|
||||
"description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "SQL",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
|
||||
"notequals": "[parameters('minimalTlsVersion')]"
|
||||
"less": "[parameters('minimalTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Deny vNet peering cross subscription.",
|
||||
"description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
|
||||
"metadata": {
|
||||
"version": "1.0.1",
|
||||
"version": "1.1.0",
|
||||
"category": "Network",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -31,6 +31,14 @@
|
|||
"Disabled"
|
||||
],
|
||||
"defaultValue": "Deny"
|
||||
},
|
||||
"allowedVnets": {
|
||||
"type": "Array",
|
||||
"metadata": {
|
||||
"displayName": "Allowed vNets to peer with",
|
||||
"description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
|
||||
},
|
||||
"defaultValue": []
|
||||
}
|
||||
},
|
||||
"policyRule": {
|
||||
|
|
@ -41,8 +49,16 @@
|
|||
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
|
||||
},
|
||||
{
|
||||
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
|
||||
"notcontains": "[subscription().id]"
|
||||
"allOf": [
|
||||
{
|
||||
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
|
||||
"notIn": "[parameters('allowedVnets')]"
|
||||
},
|
||||
{
|
||||
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
|
||||
"notLike": "[concat(subscription().id, '/*')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
|
||||
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
|
||||
"metadata": {
|
||||
"version": "1.1.0",
|
||||
"version": "1.2.0",
|
||||
"category": "SQL",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
|
||||
"notequals": "[parameters('minimalTlsVersion')]"
|
||||
"less": "[parameters('minimalTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
|
||||
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
|
||||
"metadata": {
|
||||
"version": "1.1.0",
|
||||
"version": "1.2.0",
|
||||
"category": "SQL",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -61,7 +61,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
|
||||
"notEquals": "[parameters('minimalTlsVersion')]"
|
||||
"less": "[parameters('minimalTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Deploy-Private-DNS-Generic",
|
||||
"description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "2.0.0",
|
||||
"category": "Networking",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -34,8 +34,8 @@
|
|||
"privateDnsZoneId": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Private DNS Zone ID for Paas services",
|
||||
"description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.",
|
||||
"displayName": "Private DNS Zone ID for PaaS services",
|
||||
"description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.",
|
||||
"strongType": "Microsoft.Network/privateDnsZones",
|
||||
"assignPermissions": true
|
||||
}
|
||||
|
|
@ -61,11 +61,24 @@
|
|||
"description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists"
|
||||
},
|
||||
"defaultValue": "PT10M"
|
||||
},
|
||||
"location": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Location (Specify the Private Endpoint location)",
|
||||
"description": "Specify the Private Endpoint location",
|
||||
"strongType": "location"
|
||||
},
|
||||
"defaultValue": "northeurope"
|
||||
}
|
||||
},
|
||||
"policyRule": {
|
||||
"if": {
|
||||
"allOf": [
|
||||
{
|
||||
"field": "location",
|
||||
"equals": "[parameters('location')]"
|
||||
},
|
||||
{
|
||||
"field": "type",
|
||||
"equals": "Microsoft.Network/privateEndpoints"
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "SQL servers deploys a specific min TLS version requirement.",
|
||||
"description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
|
||||
"metadata": {
|
||||
"version": "1.1.0",
|
||||
"version": "1.2.0",
|
||||
"category": "SQL",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -54,7 +54,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.Sql/servers/minimalTlsVersion",
|
||||
"notequals": "[parameters('minimalTlsVersion')]"
|
||||
"less": "[parameters('minimalTlsVersion')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "SQL managed instances deploy a specific min TLS version requirement.",
|
||||
"description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
|
||||
"metadata": {
|
||||
"version": "1.2.0",
|
||||
"version": "1.3.0",
|
||||
"category": "SQL",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -54,7 +54,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
|
||||
"notequals": "[parameters('minimalTlsVersion')]"
|
||||
"less": "[parameters('minimalTlsVersion')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
"displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
|
||||
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
|
||||
"metadata": {
|
||||
"version": "1.2.0",
|
||||
"version": "1.3.0",
|
||||
"category": "Storage",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -60,7 +60,7 @@
|
|||
},
|
||||
{
|
||||
"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
|
||||
"notEquals": "[parameters('minimumTlsVersion')]"
|
||||
"less": "[parameters('minimumTlsVersion')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -839,7 +839,7 @@ var varCustomPolicySetDefinitionsArray = [
|
|||
}
|
||||
{
|
||||
definitionReferenceId: 'defenderForCspm'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21'
|
||||
definitionParameters: varPolicySetDefinitionEsDeployMDFCConfig_20240319Parameters.defenderForCspm.parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
|
|
@ -1671,6 +1671,12 @@ var varCustomPolicySetDefinitionsArray = [
|
|||
definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-Backup-Cmk'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-BotService-Cmk'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters['Deny-BotService-Cmk'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-CognitiveSearch-Cmk'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f'
|
||||
|
|
@ -2393,10 +2399,58 @@ var varCustomPolicySetDefinitionsArray = [
|
|||
}
|
||||
]
|
||||
}
|
||||
{
|
||||
name: 'Enforce-Guardrails-BotService'
|
||||
libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.json')
|
||||
libSetChildDefinitions: [
|
||||
{
|
||||
definitionReferenceId: 'Audit-BotService-Private-Link'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Audit-BotService-Private-Link'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-BotService-Isolated-Mode'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Isolated-Mode'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-BotService-Local-Auth'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Local-Auth'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-BotService-Valid-Uri'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters['Deny-BotService-Valid-Uri'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
]
|
||||
}
|
||||
{
|
||||
name: 'Enforce-Guardrails-CognitiveServices'
|
||||
libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.json')
|
||||
libSetChildDefinitions: [
|
||||
{
|
||||
definitionReferenceId: 'Aine-Cognitive-Services-Resource-Logs'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Aine-Cognitive-Services-Resource-Logs'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-Cognitive-Services-Customer-Storage'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Customer-Storage'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-Cognitive-Services-Managed-Identity'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-Cognitive-Services-Managed-Identity'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-CognitiveSearch-SKU'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83'
|
||||
|
|
@ -2409,6 +2463,12 @@ var varCustomPolicySetDefinitionsArray = [
|
|||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Deny-CongitiveSearch-LocalAuth'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters['Modify-Cognitive-Services-Local-Auth'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Modify-Cognitive-Services-Public-Network-Access'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c'
|
||||
|
|
@ -3051,6 +3111,60 @@ var varCustomPolicySetDefinitionsArray = [
|
|||
name: 'Enforce-Guardrails-MachineLearning'
|
||||
libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-MachineLearning.json')
|
||||
libSetChildDefinitions: [
|
||||
{
|
||||
definitionReferenceId: 'Aine-ML-Resource-Logs'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Aine-ML-Resource-Logs'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Audit-ML-Private-Link'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Private-Link'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Audit-ML-Virtual-Network'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Audit-ML-Virtual-Network'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-ML-Allowed-Module'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Module'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-ML-Allowed-Python'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Python'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-ML-Allowed-Registries'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registries'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-ML-Allowed-Registry-Deploy'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Allowed-Registry-Deploy'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-ML-Idle-Shutdown'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Idle-Shutdown'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-ML-Legacy-Mode'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsMachineLearningParameters['Deny-ML-Legacy-Mode'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-ML-Local-Auth'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f'
|
||||
|
|
@ -3243,6 +3357,24 @@ var varCustomPolicySetDefinitionsArray = [
|
|||
name: 'Enforce-Guardrails-OpenAI'
|
||||
libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-OpenAI.json')
|
||||
libSetChildDefinitions: [
|
||||
{
|
||||
definitionReferenceId: 'Aine-AzureAI-Diag-Settings'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Aine-AzureAI-Diag-Settings'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Audit-AzureAI-Private-Link'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Audit-AzureAI-Private-Link'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-AzureAI-Network-Access'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-AzureAI-Network-Access'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Deny-Cognitive-Services-Cust-Storage'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515'
|
||||
|
|
@ -3273,6 +3405,18 @@ var varCustomPolicySetDefinitionsArray = [
|
|||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Deny-OpenAi-OutboundNetworkAccess'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Dine-AzureAI-Local-Key'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Dine-AzureAI-Local-Key2'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30'
|
||||
definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsOpenAIParameters['Dine-AzureAI-Local-Key2'].parameters
|
||||
definitionGroups: []
|
||||
}
|
||||
{
|
||||
definitionReferenceId: 'Modify-Cognitive-Services-Local-Auth'
|
||||
definitionId: '/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555'
|
||||
|
|
@ -3624,6 +3768,8 @@ var varPolicySetDefinitionEsEnforceGuardrailsAppServicesParameters = loadJsonCon
|
|||
|
||||
var varPolicySetDefinitionEsEnforceGuardrailsAutomationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Automation.parameters.json')
|
||||
|
||||
var varPolicySetDefinitionEsEnforceGuardrailsBotServiceParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-BotService.parameters.json')
|
||||
|
||||
var varPolicySetDefinitionEsEnforceGuardrailsCognitiveServicesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-CognitiveServices.parameters.json')
|
||||
|
||||
var varPolicySetDefinitionEsEnforceGuardrailsComputeParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-Compute.parameters.json')
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Deploy Microsoft Defender for Cloud configuration",
|
||||
"description": "Deploy Microsoft Defender for Cloud configuration",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "2.1.0",
|
||||
"category": "Security Center",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"replacesPolicy": "Deploy-MDFC-Config",
|
||||
|
|
@ -59,6 +59,18 @@
|
|||
"description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
|
||||
}
|
||||
},
|
||||
"createResourceGroup": {
|
||||
"type": "Boolean",
|
||||
"metadata": {
|
||||
"displayName": "Create resource group",
|
||||
"description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
|
||||
},
|
||||
"defaultValue": true,
|
||||
"allowedValues": [
|
||||
true,
|
||||
false
|
||||
]
|
||||
},
|
||||
"enableAscForCosmosDbs": {
|
||||
"type": "String",
|
||||
"allowedValues": [
|
||||
|
|
@ -355,7 +367,7 @@
|
|||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "defenderForCspm",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('enableAscForCspm')]"
|
||||
|
|
@ -386,6 +398,9 @@
|
|||
"resourceGroupLocation": {
|
||||
"value": "[[parameters('ascExportResourceGroupLocation')]"
|
||||
},
|
||||
"createResourceGroup": {
|
||||
"value": "[[parameters('createResourceGroup')]"
|
||||
},
|
||||
"workspaceResourceId": {
|
||||
"value": "[[parameters('logAnalytics')]"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,6 +7,9 @@
|
|||
"resourceGroupLocation": {
|
||||
"value": "[[parameters('ascExportResourceGroupLocation')]"
|
||||
},
|
||||
"createResourceGroup": {
|
||||
"value": "[[parameters('createResourceGroup')]"
|
||||
},
|
||||
"workspaceResourceId": {
|
||||
"value": "[[parameters('logAnalytics')]"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1430,13 +1430,13 @@
|
|||
"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9",
|
||||
"parameters": {
|
||||
"privateDnsZoneIdForGuestConfiguration": {
|
||||
"privateDnsZoneIDForGuestConfiguration": {
|
||||
"value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
|
||||
},
|
||||
"privateDnsZoneIdForHybridResourceProvider": {
|
||||
"privateDnsZoneIDForHybridResourceProvider": {
|
||||
"value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
|
||||
},
|
||||
"privateDnsZoneIdForKubernetesConfiguration": {
|
||||
"privateDnsZoneIDForKubernetesConfiguration": {
|
||||
"value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
|
||||
},
|
||||
"effect": {
|
||||
|
|
|
|||
|
|
@ -31,13 +31,13 @@
|
|||
},
|
||||
"DINE-Private-DNS-Azure-Arc": {
|
||||
"parameters": {
|
||||
"privateDnsZoneIdForGuestConfiguration": {
|
||||
"privateDnsZoneIDForGuestConfiguration": {
|
||||
"value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
|
||||
},
|
||||
"privateDnsZoneIdForHybridResourceProvider": {
|
||||
"privateDnsZoneIDForHybridResourceProvider": {
|
||||
"value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
|
||||
},
|
||||
"privateDnsZoneIdForKubernetesConfiguration": {
|
||||
"privateDnsZoneIDForKubernetesConfiguration": {
|
||||
"value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
|
||||
},
|
||||
"effect": {
|
||||
|
|
|
|||
|
|
@ -63,7 +63,7 @@
|
|||
"effect": {
|
||||
"value": "[[parameters('effect')]"
|
||||
},
|
||||
"CheckLockedImmutabiltyOnly": {
|
||||
"checkLockedImmutabiltyOnly": {
|
||||
"value": "[[parameters('checkLockedImmutabilityOnly')]"
|
||||
}
|
||||
},
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
"effect": {
|
||||
"value": "[[parameters('effect')]"
|
||||
},
|
||||
"CheckLockedImmutabiltyOnly": {
|
||||
"checkLockedImmutabiltyOnly": {
|
||||
"value": "[[parameters('checkLockedImmutabilityOnly')]"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
|
||||
"description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
|
||||
"metadata": {
|
||||
"version": "3.0.0",
|
||||
"version": "3.1.0",
|
||||
"category": "Encryption",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -329,6 +329,18 @@
|
|||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"botServiceCmk": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"audit",
|
||||
"Deny",
|
||||
"deny",
|
||||
"Disabled",
|
||||
"disabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
"policyDefinitions": [
|
||||
|
|
@ -621,6 +633,16 @@
|
|||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-BotService-Cmk",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceCmk')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
}
|
||||
],
|
||||
"policyDefinitionGroups": null
|
||||
|
|
|
|||
|
|
@ -69,6 +69,13 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"Deny-BotService-Cmk": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceCmk')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-CognitiveSearch-Cmk": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,107 @@
|
|||
{
|
||||
"name": "Enforce-Guardrails-BotService",
|
||||
"type": "Microsoft.Authorization/policySetDefinitions",
|
||||
"apiVersion": "2021-06-01",
|
||||
"scope": null,
|
||||
"properties": {
|
||||
"policyType": "Custom",
|
||||
"displayName": "Enforce recommended guardrails for Bot Service",
|
||||
"description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"category": "Bot Service",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
"AzureCloud",
|
||||
"AzureChinaCloud",
|
||||
"AzureUSGovernment"
|
||||
]
|
||||
},
|
||||
"parameters": {
|
||||
"botServiceValidUri": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"audit",
|
||||
"Deny",
|
||||
"deny",
|
||||
"Disabled",
|
||||
"disabled"
|
||||
]
|
||||
},
|
||||
"botServiceIsolatedMode": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"audit",
|
||||
"Deny",
|
||||
"deny",
|
||||
"Disabled",
|
||||
"disabled"
|
||||
]
|
||||
},
|
||||
"botServiceLocalAuth": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"botServicePrivateLink": {
|
||||
"type": "string",
|
||||
"defaultValue": "Audit",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Disabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
"policyDefinitions": [
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-BotService-Valid-Uri",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceValidUri')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceIsolatedMode')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-BotService-Local-Auth",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceLocalAuth')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Audit-BotService-Private-Link",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServicePrivateLink')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
}
|
||||
],
|
||||
"policyDefinitionGroups": null
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
{
|
||||
"Audit-BotService-Private-Link": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServicePrivateLink')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-BotService-Isolated-Mode": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceIsolatedMode')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-BotService-Local-Auth": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceLocalAuth')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-BotService-Valid-Uri": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('botServiceValidUri')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Enforce recommended guardrails for Cognitive Services",
|
||||
"description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Cognitive Services",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -44,6 +44,14 @@
|
|||
"Disabled"
|
||||
]
|
||||
},
|
||||
"cognitiveServicesLocalAuth": {
|
||||
"type": "string",
|
||||
"defaultValue": "Modify",
|
||||
"allowedValues": [
|
||||
"Modify",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"modifyCognitiveSearchPublicEndpoint": {
|
||||
"type": "string",
|
||||
"defaultValue": "Modify",
|
||||
|
|
@ -59,6 +67,32 @@
|
|||
"Modify",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"cognitiveServicesManagedIdentity": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"cognitiveServicesCustomerStorage": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"cognitiveServicesResourceLogs": {
|
||||
"type": "string",
|
||||
"defaultValue": "AuditIfNotExists",
|
||||
"allowedValues": [
|
||||
"AuditIfNotExists",
|
||||
"Disabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
"policyDefinitions": [
|
||||
|
|
@ -111,6 +145,46 @@
|
|||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesManagedIdentity')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesCustomerStorage')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesLocalAuth')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesResourceLogs')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
}
|
||||
],
|
||||
"policyDefinitionGroups": null
|
||||
|
|
|
|||
|
|
@ -1,4 +1,25 @@
|
|||
{
|
||||
"Aine-Cognitive-Services-Resource-Logs": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesResourceLogs')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-Cognitive-Services-Customer-Storage": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesCustomerStorage')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-Cognitive-Services-Managed-Identity": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesManagedIdentity')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-CognitiveSearch-SKU": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
|
|
@ -13,6 +34,13 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"Modify-Cognitive-Services-Local-Auth": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('cognitiveServicesLocalAuth')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Modify-Cognitive-Services-Public-Network-Access": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Enforce recommended guardrails for Azure Key Vault",
|
||||
"description": "Enforce recommended guardrails for Azure Key Vault.",
|
||||
"metadata": {
|
||||
"version": "2.0.0",
|
||||
"version": "2.1.0",
|
||||
"category": "Key Vault",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -236,8 +236,11 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Disabled",
|
||||
"allowedValues": [
|
||||
"audit",
|
||||
"Audit",
|
||||
"deny",
|
||||
"Deny",
|
||||
"disabled",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Enforce recommended guardrails for Kubernetes",
|
||||
"description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Kubernetes",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -81,8 +81,11 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"audit",
|
||||
"Audit",
|
||||
"deny",
|
||||
"Deny",
|
||||
"disabled",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
@ -90,8 +93,11 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"audit",
|
||||
"Audit",
|
||||
"deny",
|
||||
"Deny",
|
||||
"disabled",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
@ -99,8 +105,11 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"audit",
|
||||
"Audit",
|
||||
"deny",
|
||||
"Deny",
|
||||
"disabled",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
@ -117,8 +126,11 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"audit",
|
||||
"Audit",
|
||||
"deny",
|
||||
"Deny",
|
||||
"disabled",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
@ -126,8 +138,11 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"audit",
|
||||
"Audit",
|
||||
"deny",
|
||||
"Deny",
|
||||
"disabled",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
@ -144,8 +159,11 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"audit",
|
||||
"Audit",
|
||||
"deny",
|
||||
"Deny",
|
||||
"disabled",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Enforce recommended guardrails for Machine Learning",
|
||||
"description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Machine Learning",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -59,6 +59,80 @@
|
|||
"Modify",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"mlIdleShutdown": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"mlVirtualNetwork": {
|
||||
"type": "string",
|
||||
"defaultValue": "Audit",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"mlLegacyMode": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"mlPrivateLink": {
|
||||
"type": "string",
|
||||
"defaultValue": "Audit",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"mlResourceLogs": {
|
||||
"type": "string",
|
||||
"defaultValue": "AuditIfNotExists",
|
||||
"allowedValues": [
|
||||
"AuditIfNotExists",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"mlAllowedRegistryDeploy": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"mlAllowedModule": {
|
||||
"type": "string",
|
||||
"defaultValue": "enforceSetting",
|
||||
"allowedValues": [
|
||||
"enforceSetting",
|
||||
"disabled"
|
||||
]
|
||||
},
|
||||
"mlAllowedPython": {
|
||||
"type": "string",
|
||||
"defaultValue": "enforceSetting",
|
||||
"allowedValues": [
|
||||
"enforceSetting",
|
||||
"disabled"
|
||||
]
|
||||
},
|
||||
"mlAllowedRegistries": {
|
||||
"type": "string",
|
||||
"defaultValue": "enforceSetting",
|
||||
"allowedValues": [
|
||||
"enforceSetting",
|
||||
"disabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
"policyDefinitions": [
|
||||
|
|
@ -111,6 +185,96 @@
|
|||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlIdleShutdown')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Audit-ML-Virtual-Network",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlVirtualNetwork')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-ML-Legacy-Mode",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlLegacyMode')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Audit-ML-Private-Link",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlPrivateLink')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Aine-ML-Resource-Logs",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlResourceLogs')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedRegistryDeploy')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-ML-Allowed-Module",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedModule')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-ML-Allowed-Python",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedPython')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-ML-Allowed-Registries",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedRegistries')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
}
|
||||
],
|
||||
"policyDefinitionGroups": null
|
||||
|
|
|
|||
|
|
@ -1,4 +1,67 @@
|
|||
{
|
||||
"Aine-ML-Resource-Logs": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlResourceLogs')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Audit-ML-Private-Link": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlPrivateLink')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Audit-ML-Virtual-Network": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlVirtualNetwork')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-ML-Allowed-Module": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedModule')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-ML-Allowed-Python": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedPython')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-ML-Allowed-Registries": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedRegistries')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-ML-Allowed-Registry-Deploy": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlAllowedRegistryDeploy')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-ML-Idle-Shutdown": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlIdleShutdown')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-ML-Legacy-Mode": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('mlLegacyMode')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-ML-Local-Auth": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Enforce recommended guardrails for Network and Networking services",
|
||||
"description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Network",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -56,7 +56,12 @@
|
|||
},
|
||||
"vnetModifyDdos": {
|
||||
"type": "string",
|
||||
"defaultValue": "Modify"
|
||||
"defaultValue": "Modify",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Modify",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"ddosPlanResourceId": {
|
||||
"type": "string",
|
||||
|
|
@ -229,9 +234,8 @@
|
|||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
"Allow",
|
||||
"Deny"
|
||||
]
|
||||
},
|
||||
"modifyNsgRuleProtocol": {
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
|
||||
"description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Cognitive Services",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -70,6 +70,47 @@
|
|||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"azureAiNetworkAccess": {
|
||||
"type": "string",
|
||||
"defaultValue": "Deny",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"azureAiPrivateLink": {
|
||||
"type": "string",
|
||||
"defaultValue": "Audit",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"azureAiDisableLocalKey": {
|
||||
"type": "string",
|
||||
"defaultValue": "DeployIfNotExists",
|
||||
"allowedValues": [
|
||||
"DeployIfNotExists",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"azureAiDisableLocalKey2": {
|
||||
"type": "string",
|
||||
"defaultValue": "DeployIfNotExists",
|
||||
"allowedValues": [
|
||||
"DeployIfNotExists",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
"azureAiDiagSettings": {
|
||||
"type": "string",
|
||||
"defaultValue": "AuditIfNotExists",
|
||||
"allowedValues": [
|
||||
"AuditIfNotExists",
|
||||
"Disabled"
|
||||
]
|
||||
}
|
||||
},
|
||||
"policyDefinitions": [
|
||||
|
|
@ -132,6 +173,56 @@
|
|||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Deny-AzureAI-Network-Access",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiNetworkAccess')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Audit-AzureAI-Private-Link",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiPrivateLink')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Dine-AzureAI-Local-Key",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiDisableLocalKey')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiDisableLocalKey2')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
},
|
||||
{
|
||||
"policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings",
|
||||
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb",
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiDiagSettings')]"
|
||||
}
|
||||
},
|
||||
"groupNames": []
|
||||
}
|
||||
],
|
||||
"policyDefinitionGroups": null
|
||||
|
|
|
|||
|
|
@ -1,4 +1,25 @@
|
|||
{
|
||||
"Aine-AzureAI-Diag-Settings": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiDiagSettings')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Audit-AzureAI-Private-Link": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiPrivateLink')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-AzureAI-Network-Access": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiNetworkAccess')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Deny-Cognitive-Services-Cust-Storage": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
|
|
@ -34,6 +55,20 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"Dine-AzureAI-Local-Key": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiDisableLocalKey')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Dine-AzureAI-Local-Key2": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
"value": "[[parameters('azureAiDisableLocalKey2')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Modify-Cognitive-Services-Local-Auth": {
|
||||
"parameters": {
|
||||
"effect": {
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
"displayName": "Enforce recommended guardrails for Synapse workspaces",
|
||||
"description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.",
|
||||
"metadata": {
|
||||
"version": "1.0.0",
|
||||
"version": "1.1.0",
|
||||
"category": "Synapse",
|
||||
"source": "https://github.com/Azure/Enterprise-Scale/",
|
||||
"alzCloudEnvironments": [
|
||||
|
|
@ -65,7 +65,6 @@
|
|||
"defaultValue": "Audit",
|
||||
"allowedValues": [
|
||||
"Audit",
|
||||
"Deny",
|
||||
"Disabled"
|
||||
]
|
||||
},
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче