New parameter for Alzdefaults exclusions (#494)

Ståle Johnsen 2023-04-18 11:13:51 +02:00 committed by GitHub
Parent b958a617e1
Commit b7f9dd9184
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
4 changed files: 67 additions and 30 deletions

View file

@ -65,6 +65,27 @@ The steps explained in the above section to extend the [ALZ Default Policy Assig
You will also need to ensure you create unique deployment names for each policy assignment as we do in the [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) in the variable named `varModuleDeploymentNames` which is referenced for each policy assignment to its associated deployment name.
## What if I want to exclude specific policy assignments from ALZ Default Policy Assignments?
If specific ALZ default policies does not fit your organization you can exclude policies from the [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) by following the process below:
1. Navigate to the Policy Assignments `lib` directory:
`infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments`
2. Open the `.json` file for the policy that you want to exclude and find/copy the `name` property.
Example `"name": "Deploy-VM-Monitoring"` in `policy_assignment_es_deploy_vm_monitoring.tmpl.json`
3. Add the `name` property to the parameter array `parExcludedPolicyAssignments` in [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults)
Example:
```json
"parExcludedPolicyAssignments" : {
"value": [
"Deploy-VM-Monitoring"
]
}
```
## Support
If you have any issues or require any assistance or advice please raise a [GitHub Issue](https://github.com/Azure/ALZ-Bicep/issues/new/choose) on the repo and we will work with you to assist where possible.
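Review bot: the new exclusion section should state two things the reader will otherwise trip over: the value added to `parExcludedPolicyAssignments` has to match the lib definition's `name` exactly, and excluding a policy only stops the module from creating the assignment; an assignment that an earlier deployment already created is not removed when the conditional module is skipped, so it has to be deleted separately. Two smaller points in the same hunk: `If specific ALZ default policies does not fit` should read `do not fit`, and the path `infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments` uses backslashes while every other path on the page is a forward-slash repository path.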

View file

@ -40,6 +40,9 @@ param parVmBackupExclusionTagName string = ''
@sys.description('Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.')
param parVmBackupExclusionTagValue array = []
@sys.description('Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments')
param parExcludedPolicyAssignments array = []
@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
param parTelemetryOptOut bool = false
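Review bot: the documentation URL in the `@sys.description` for `parExcludedPolicyAssignments` looks malformed: `AssigningPoliciesAssigningPolicies.md` repeats the page name and carries an `.md` suffix, which GitHub wiki pages are not addressed with, so the link is likely meant to be `https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments`. Please verify it resolves before merge, because the same string is copied verbatim into the README hunks of this change.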
@ -319,7 +322,7 @@ module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cu
// Modules - Policy Assignments - Intermediate Root Management Group
// Module - Policy Assignment - Deploy-MDFC-Config
module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.intRoot)
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig
params: {
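Review bot: style and duplication in the new module condition: `if(!contains(...))` is written without the space that the file's existing `if (!empty(parDdosProtectionPlanId))` form uses, and the same `!contains(parExcludedPolicyAssignments, varPolicyAssignment*.libDefinition.name)` expression is repeated verbatim on every assignment module in this change. Consider hoisting it into a per-assignment boolean variable next to each `varPolicyAssignment*` object so each `module ... = if (...)` reads as one name and the 30-odd copies cannot drift apart when the next person edits one of them.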
@ -349,7 +352,7 @@ module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/p
}
// Module - Policy Assignment - Deploy-AzActivity-Log
module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzActivityLog.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.intRoot)
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog
params: {
@ -373,7 +376,7 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignment
}
// Module - Policy Assignment - Deploy-ASC-Monitoring
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) {
// dependsOn: [
// modCustomPolicyDefinitions
// ]
@ -392,7 +395,7 @@ module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignment
}
// Module - Policy Assignment - Deploy-Resource-Diag
module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployResourceDiag.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.intRoot)
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag
params: {
@ -416,7 +419,7 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
}
// Module - Policy Assignment - Deploy-VM-Monitoring
module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.intRoot)
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring
params: {
@ -440,7 +443,7 @@ module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments
}
// Module - Policy Assignment - Deploy-VMSS-Monitoring
module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.intRoot)
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring
params: {
@ -465,7 +468,7 @@ module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignmen
// Modules - Policy Assignments - Connectivity Management Group
// Module - Policy Assignment - Enable-DDoS-VNET
module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
scope: managementGroup(varManagementGroupIds.platformConnectivity)
name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet
params: {
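Review bot: the combined condition `if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name)))` wraps each operand in redundant parentheses; `if (!empty(parDdosProtectionPlanId) && !contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))` is equivalent and easier to read. The same applies to the other two modules in this change that already had a condition (`Enable-DDoS-VNET` on the landing zones group and `Deploy-Private-DNS-Zones`).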
@ -490,7 +493,7 @@ module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policy
// Modules - Policy Assignments - Identity Management Group
// Module - Policy Assignment - Deny-Public-IP
module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIP.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.platformIdentity)
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp
params: {
@ -506,7 +509,7 @@ module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyA
}
// Module - Policy Assignment - Deny-RDP-From-Internet
module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyRDPFromInternet.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.platformIdentity)
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRdpFromInternet
params: {
@ -522,7 +525,7 @@ module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/
}
// Module - Policy Assignment - Deny-Subnet-Without-Nsg
module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.platformIdentity)
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg
params: {
@ -538,7 +541,7 @@ module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments
}
// Module - Policy Assignment - Deploy-VM-Backup
module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.platformIdentity)
name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup
params: {
@ -566,7 +569,7 @@ module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/polic
// Modules - Policy Assignments - Management Management Group
// Module - Policy Assignment - Deploy-Log-Analytics
module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployLogAnalytics.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.platformManagement)
name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics
params: {
@ -606,7 +609,7 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po
// Modules - Policy Assignments - Landing Zones Management Group
// Module - Policy Assignment - Deny-IP-Forwarding
module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding
params: {
@ -622,7 +625,7 @@ module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/polic
}
// Module - Policy Assignment - Deny-RDP-From-Internet
module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyRDPFromInternet.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyRdpFromInternet
params: {
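Review bot: exclusion is keyed on the lib definition name, and `varPolicyAssignmentDenyRDPFromInternet.libDefinition.name` is the same value tested on the identity management group module `modPolicyAssignmentIdentDenyRdpFromInternet`, so listing this policy once in `parExcludedPolicyAssignments` removes it from both scopes at the same time. The same holds for `Deny-Subnet-Without-Nsg`, `Deploy-VM-Backup` and `Enable-DDoS-VNET`, which are also assigned at two management groups in this file. Either document that an exclusion is all-or-nothing across scopes, or, if per-scope exclusion is wanted, key the check on the deployment name (`varModuleDeploymentNames.*`), which is unique per module.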
@ -638,7 +641,7 @@ module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/po
}
// Module - Policy Assignment - Deny-Subnet-Without-Nsg
module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg
params: {
@ -654,7 +657,7 @@ module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/p
}
// Module - Policy Assignment - Deploy-VM-Backup
module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup
params: {
@ -681,7 +684,7 @@ module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyA
}
// Module - Policy Assignment - Enable-DDoS-VNET
module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet
params: {
@ -705,7 +708,7 @@ module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyA
}
// Module - Policy Assignment - Deny-Storage-http
module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyStoragehttp.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp
params: {
@ -721,7 +724,7 @@ module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policy
}
// Module - Policy Assignment - Deploy-AKS-Policy
module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
params: {
@ -740,7 +743,7 @@ module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policy
}
// Module - Policy Assignment - Deny-Priv-Escalation-AKS
module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks
params: {
@ -756,7 +759,7 @@ module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/
}
// Module - Policy Assignment - Deny-Priv-Containers-AKS
module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks
params: {
@ -772,7 +775,7 @@ module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/
}
// Module - Policy Assignment - Enforce-AKS-HTTPS
module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps
params: {
@ -788,7 +791,7 @@ module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policy
}
// Module - Policy Assignment - Enforce-TLS-SSL
module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceTLSSSL.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl
params: {
@ -804,7 +807,7 @@ module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAs
}
// Module - Policy Assignment - Deploy-SQL-DB-Auditing
module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlDbAuditing
params: {
@ -823,7 +826,7 @@ module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/po
}
// Module - Policy Assignment - Deploy-SQL-Threat
module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLThreat.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZones)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat
params: {
@ -843,7 +846,7 @@ module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policy
// Modules - Policy Assignments - Corp Management Group
// Module - Policy Assignment - Deny-Public-Endpoints
module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints
params: {
@ -859,7 +862,7 @@ module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/po
}
// Module - Policy Assignment - Deny-DataB-Pip
module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBPip.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBPip
params: {
@ -875,7 +878,7 @@ module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAss
}
// Module - Policy Assignment - Deny-DataB-Sku
module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBSku.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBSku
params: {
@ -891,7 +894,7 @@ module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAss
}
// Module - Policy Assignment - Deny-DataB-Vnet
module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBVnet.libDefinition.name)) {
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBVnet
params: {
@ -907,7 +910,7 @@ module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAs
}
// Module - Policy Assignment - Deploy-Private-DNS-Zones
module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) {
module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name))) {
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones
params: {
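Review bot: this module is named `modPolicyAssignmentConnDeployPrivateDnsZones` but is scoped to `varManagementGroupIds.landingZonesCorp` and uses the deployment name `varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones`; the mismatch predates this change, but since the declaration line is being rewritten anyway it is a good moment to rename the module to match its scope. The added condition also carries the same redundant outer parentheses as the two `Enable-DDoS-VNET` modules.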

View file

@ -18,6 +18,7 @@ parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that
parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.
parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
### parTopLevelManagementGroupPrefix
@ -104,6 +105,12 @@ Name of the tag to use for excluding VMs from the scope of this policy. This sho
Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
### parExcludedPolicyAssignments
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
### parTelemetryOptOut
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@ -160,6 +167,9 @@ Set Parameter to true to Opt-out of deployment telemetry
"parVmBackupExclusionTagValue": {
"value": []
},
"parExcludedPolicyAssignments": {
"value": []
},
"parTelemetryOptOut": {
"value": false
}

View file

@ -38,6 +38,9 @@
"parVmBackupExclusionTagValue" : {
"value": []
},
"parExcludedPolicyAssignments" : {
"value": []
},
"parTelemetryOptOut": {
"value": false
}