From b7f9dd9184f342f18b163a7989bc90ed6d0923c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A5le=20Johnsen?= <98233333+stalejohnsen@users.noreply.github.com>
Date: Tue, 18 Apr 2023 11:13:51 +0200
Subject: [PATCH] New parameter for Alzdefaults exclusions (#494)

---
 docs/wiki/AssigningPolicies.md | 21 +++++++
 .../alzDefaultPolicyAssignments.bicep | 63 ++++++++++---------
 .../alzDefaultPolicyAssignments.bicep.md | 10 +++
 ...faultPolicyAssignments.parameters.all.json | 3 +
 4 files changed, 67 insertions(+), 30 deletions(-)

diff --git a/docs/wiki/AssigningPolicies.md b/docs/wiki/AssigningPolicies.md
index 8be70deb..40f61568 100644
--- a/docs/wiki/AssigningPolicies.md
+++ b/docs/wiki/AssigningPolicies.md
@@ -65,6 +65,27 @@ The steps explained in the above section to extend the [ALZ Default Policy Assig
 You will also need to ensure you create unique deployment names for each policy assignment as we do in the [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) in the variable named `varModuleDeploymentNames` which is referenced for each policy assignment to its associated deployment name.
 
+## What if I want to exclude specific policy assignments from ALZ Default Policy Assignments?
+
+If specific ALZ default policies does not fit your organization you can exclude policies from the [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) by following the process below:
+
+1. Navigate to the Policy Assignments `lib` directory:
+`infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments`
+
+2. Open the `.json` file for the policy that you want to exclude and find/copy the `name` property.
+Example `"name": "Deploy-VM-Monitoring"` in `policy_assignment_es_deploy_vm_monitoring.tmpl.json`
+
+3. Add the `name` property to the parameter array `parExcludedPolicyAssignments` in [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults)
+Example:
+
+```json
+ "parExcludedPolicyAssignments" : {
+ "value": [
+ "Deploy-VM-Monitoring"
+ ]
+ }
+```
+
 ## Support
 
 If you have any issues or require any assistance or advice please raise a [GitHub Issue](https://github.com/Azure/ALZ-Bicep/issues/new/choose) on the repo and we will work with you to assist where possible.
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index db48078e..704a32f3 100644
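Review bot: The new wiki section does not tell the reader how an entry is matched or what happens when it is not. An entry in `parExcludedPolicyAssignments` is compared against the lib definition's `name` with `contains()`, so a misspelled or differently-cased name (presumably the comparison is case-sensitive, confirm) matches nothing and is ignored without any error, and a matching name skips that assignment at every management group this module deploys it to — Deny-RDP-From-Internet, Deny-Subnet-Without-Nsg and Deploy-VM-Backup are each assigned at both the Identity and the Landing Zones management groups, so there is no per-scope exclusion. I would add after step 3: `The value must match the "name" property exactly; an entry that matches no assignment is silently ignored, and a match skips that assignment at every management group it is normally assigned to.` It is also worth saying that excluding an assignment that was deployed by an earlier run does not remove the existing assignment from Azure; presumably the deployment is incremental and the module is simply not evaluated, so the operator has to delete it separately.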
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -40,6 +40,9 @@ param parVmBackupExclusionTagName string = ''
 @sys.description('Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.')
 param parVmBackupExclusionTagValue array = []
 
+@sys.description('Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments')
+param parExcludedPolicyAssignments array = []
+
 @sys.description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false
@@ -319,7 +322,7 @@ module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cu
 // Modules - Policy Assignments - Intermediate Root Management Group
 
 // Module - Policy Assignment - Deploy-MDFC-Config
-module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.intRoot)
 name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig
 params: {
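Review bot: The wiki URL in the new `@sys.description` of `parExcludedPolicyAssignments` looks broken: `https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#…` repeats the page name and adds a `.md` suffix that GitHub wiki links do not use, so the page operators are sent to for the valid names will most likely not resolve. Since the page edited in this commit is `docs/wiki/AssigningPolicies.md`, the link would be `https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments` (check that it resolves), and the same string appears twice in the `generateddocs/alzDefaultPolicyAssignments.bicep.md` hunks, which should come from regenerating the docs after the fix rather than a hand edit. The description also calls the values "assignment definition names", whereas the guard added on `modPolicyAssignmentIntRootDeployMdfcConfig` compares against `libDefinition.name`, so `Policy assignment names (the "name" property of the lib policy_assignments json) to skip; assignments listed here are not deployed at any management group.` says what the caller actually has to supply.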
@@ -349,7 +352,7 @@ module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/p
 }
 
 // Module - Policy Assignment - Deploy-AzActivity-Log
-module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzActivityLog.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.intRoot)
 name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog
 params: {
@@ -373,7 +376,7 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignment
 }
 
 // Module - Policy Assignment - Deploy-ASC-Monitoring
-module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) {
 // dependsOn: [
 // modCustomPolicyDefinitions
 // ]
@@ -392,7 +395,7 @@ module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignment
 }
 
 // Module - Policy Assignment - Deploy-Resource-Diag
-module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployResourceDiag.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.intRoot)
 name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag
 params: {
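Review bot: The guards added here and on every module hunk down to the Deploy-Private-DNS-Zones one are written `if(!contains(` with no space after `if`, while the file's existing conditions on the Enable-DDoS-VNET and Deploy-Private-DNS-Zones modules use `if (`; one form should be used throughout. On the three modules that already had a condition the new expression wraps each operand in its own parentheses, `if ((!empty(parDdosProtectionPlanId)) && (!contains(...)))`, which reads more simply as `if (!empty(parDdosProtectionPlanId) && !contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))`. Because the same expression is pasted into thirty module declarations, a module added later without it would not be excludable and nothing would flag that; a comment next to the parameter, `// Every policy assignment module below must carry this exclusion guard`, makes the convention visible to the next author. Each module body continues past the end of its hunk.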
@@ -416,7 +419,7 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
 }
 
 // Module - Policy Assignment - Deploy-VM-Monitoring
-module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.intRoot)
 name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring
 params: {
@@ -440,7 +443,7 @@ module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments
 }
 
 // Module - Policy Assignment - Deploy-VMSS-Monitoring
-module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.intRoot)
 name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring
 params: {
@@ -465,7 +468,7 @@ module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignmen
 // Modules - Policy Assignments - Connectivity Management Group
 
 // Module - Policy Assignment - Enable-DDoS-VNET
-module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
+module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
 scope: managementGroup(varManagementGroupIds.platformConnectivity)
 name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet
 params: {
@@ -490,7 +493,7 @@ module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policy
 // Modules - Policy Assignments - Identity Management Group
 
 // Module - Policy Assignment - Deny-Public-IP
-module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIP.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platformIdentity)
 name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp
 params: {
@@ -506,7 +509,7 @@ module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyA
 }
 
 // Module - Policy Assignment - Deny-RDP-From-Internet
-module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyRDPFromInternet.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platformIdentity)
 name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRdpFromInternet
 params: {
@@ -522,7 +525,7 @@ module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/
 }
 
 // Module - Policy Assignment - Deny-Subnet-Without-Nsg
-module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platformIdentity)
 name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg
 params: {
@@ -538,7 +541,7 @@ module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments
 }
 
 // Module - Policy Assignment - Deploy-VM-Backup
-module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platformIdentity)
 name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup
 params: {
@@ -566,7 +569,7 @@ module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/polic
 // Modules - Policy Assignments - Management Management Group
 
 // Module - Policy Assignment - Deploy-Log-Analytics
-module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployLogAnalytics.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.platformManagement)
 name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics
 params: {
@@ -606,7 +609,7 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po
 // Modules - Policy Assignments - Landing Zones Management Group
 
 // Module - Policy Assignment - Deny-IP-Forwarding
-module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding
 params: {
@@ -622,7 +625,7 @@ module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/polic
 }
 
 // Module - Policy Assignment - Deny-RDP-From-Internet
-module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyRDPFromInternet.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyRdpFromInternet
 params: {
@@ -638,7 +641,7 @@ module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/po
 }
 
 // Module - Policy Assignment - Deny-Subnet-Without-Nsg
-module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg
 params: {
@@ -654,7 +657,7 @@ module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/p
 }
 
 // Module - Policy Assignment - Deploy-VM-Backup
-module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup
 params: {
@@ -681,7 +684,7 @@ module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyA
 }
 
 // Module - Policy Assignment - Enable-DDoS-VNET
-module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
+module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet
 params: {
@@ -705,7 +708,7 @@ module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyA
 }
 
 // Module - Policy Assignment - Deny-Storage-http
-module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyStoragehttp.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp
 params: {
@@ -721,7 +724,7 @@ module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policy
 }
 
 // Module - Policy Assignment - Deploy-AKS-Policy
-module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
 params: {
@@ -740,7 +743,7 @@ module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policy
 }
 
 // Module - Policy Assignment - Deny-Priv-Escalation-AKS
-module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks
 params: {
@@ -756,7 +759,7 @@ module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/
 }
 
 // Module - Policy Assignment - Deny-Priv-Containers-AKS
-module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks
 params: {
@@ -772,7 +775,7 @@ module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/
 }
 
 // Module - Policy Assignment - Enforce-AKS-HTTPS
-module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps
 params: {
@@ -788,7 +791,7 @@ module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policy
 }
 
 // Module - Policy Assignment - Enforce-TLS-SSL
-module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceTLSSSL.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl
 params: {
@@ -804,7 +807,7 @@ module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAs
 }
 
 // Module - Policy Assignment - Deploy-SQL-DB-Auditing
-module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlDbAuditing
 params: {
@@ -823,7 +826,7 @@ module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/po
 }
 
 // Module - Policy Assignment - Deploy-SQL-Threat
-module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLThreat.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZones)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat
 params: {
@@ -843,7 +846,7 @@ module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policy
 // Modules - Policy Assignments - Corp Management Group
 
 // Module - Policy Assignment - Deny-Public-Endpoints
-module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZonesCorp)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints
 params: {
@@ -859,7 +862,7 @@ module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/po
 }
 
 // Module - Policy Assignment - Deny-DataB-Pip
-module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBPip.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZonesCorp)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBPip
 params: {
@@ -875,7 +878,7 @@ module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAss
 }
 
 // Module - Policy Assignment - Deny-DataB-Sku
-module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBSku.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZonesCorp)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBSku
 params: {
@@ -891,7 +894,7 @@ module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAss
 }
 
 // Module - Policy Assignment - Deny-DataB-Vnet
-module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBVnet.libDefinition.name)) {
 scope: managementGroup(varManagementGroupIds.landingZonesCorp)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBVnet
 params: {
@@ -907,7 +910,7 @@ module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAs
 }
 
 // Module - Policy Assignment - Deploy-Private-DNS-Zones
-module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) {
+module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name))) {
 scope: managementGroup(varManagementGroupIds.landingZonesCorp)
 name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones
 params: {
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 5d69fe49..b3be5104 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -18,6 +18,7 @@ parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that
 parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
 parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.
 parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
+parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
 
 ### parTopLevelManagementGroupPrefix
@@ -104,6 +105,12 @@ Name of the tag to use for excluding VMs from the scope of this policy. This sho
 Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
 
+### parExcludedPolicyAssignments
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
+
 ### parTelemetryOptOut
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -160,6 +167,9 @@ Set Parameter to true to Opt-out of deployment telemetry
 "parVmBackupExclusionTagValue": {
 "value": []
 },
+ "parExcludedPolicyAssignments": {
+ "value": []
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
index 1e113600..aa70644e 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -38,6 +38,9 @@
 "parVmBackupExclusionTagValue" : {
 "value": []
 },
+ "parExcludedPolicyAssignments" : {
+ "value": []
+ },
 "parTelemetryOptOut": {
 "value": false
 }