New parameter for Alzdefaults exclusions (#494)
Родитель
b958a617e1
Коммит
b7f9dd9184
|
@ -65,6 +65,27 @@ The steps explained in the above section to extend the [ALZ Default Policy Assig
|
||||||
|
|
||||||
You will also need to ensure you create unique deployment names for each policy assignment as we do in the [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) in the variable named `varModuleDeploymentNames` which is referenced for each policy assignment to its associated deployment name.
|
You will also need to ensure you create unique deployment names for each policy assignment as we do in the [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) in the variable named `varModuleDeploymentNames` which is referenced for each policy assignment to its associated deployment name.
|
||||||
|
|
||||||
|
## What if I want to exclude specific policy assignments from ALZ Default Policy Assignments?
|
||||||
|
|
||||||
|
If specific ALZ default policies does not fit your organization you can exclude policies from the [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults) by following the process below:
|
||||||
|
|
||||||
|
1. Navigate to the Policy Assignments `lib` directory:
|
||||||
|
`infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments`
|
||||||
|
|
||||||
|
2. Open the `.json` file for the policy that you want to exclude and find/copy the `name` property.
|
||||||
|
Example `"name": "Deploy-VM-Monitoring"` in `policy_assignment_es_deploy_vm_monitoring.tmpl.json`
|
||||||
|
|
||||||
|
3. Add the `name` property to the parameter array `parExcludedPolicyAssignments` in [ALZ Default Policy Assignments module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults)
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```json
|
||||||
|
"parExcludedPolicyAssignments" : {
|
||||||
|
"value": [
|
||||||
|
"Deploy-VM-Monitoring"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Support
|
## Support
|
||||||
|
|
||||||
If you have any issues or require any assistance or advice please raise a [GitHub Issue](https://github.com/Azure/ALZ-Bicep/issues/new/choose) on the repo and we will work with you to assist where possible.
|
If you have any issues or require any assistance or advice please raise a [GitHub Issue](https://github.com/Azure/ALZ-Bicep/issues/new/choose) on the repo and we will work with you to assist where possible.
|
||||||
|
|
|
@ -40,6 +40,9 @@ param parVmBackupExclusionTagName string = ''
|
||||||
@sys.description('Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.')
|
@sys.description('Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.')
|
||||||
param parVmBackupExclusionTagValue array = []
|
param parVmBackupExclusionTagValue array = []
|
||||||
|
|
||||||
|
@sys.description('Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments')
|
||||||
|
param parExcludedPolicyAssignments array = []
|
||||||
|
|
||||||
@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
|
@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
|
||||||
param parTelemetryOptOut bool = false
|
param parTelemetryOptOut bool = false
|
||||||
|
|
||||||
|
@ -319,7 +322,7 @@ module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cu
|
||||||
|
|
||||||
// Modules - Policy Assignments - Intermediate Root Management Group
|
// Modules - Policy Assignments - Intermediate Root Management Group
|
||||||
// Module - Policy Assignment - Deploy-MDFC-Config
|
// Module - Policy Assignment - Deploy-MDFC-Config
|
||||||
module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.intRoot)
|
scope: managementGroup(varManagementGroupIds.intRoot)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig
|
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig
|
||||||
params: {
|
params: {
|
||||||
|
@ -349,7 +352,7 @@ module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/p
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-AzActivity-Log
|
// Module - Policy Assignment - Deploy-AzActivity-Log
|
||||||
module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzActivityLog.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.intRoot)
|
scope: managementGroup(varManagementGroupIds.intRoot)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog
|
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog
|
||||||
params: {
|
params: {
|
||||||
|
@ -373,7 +376,7 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignment
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-ASC-Monitoring
|
// Module - Policy Assignment - Deploy-ASC-Monitoring
|
||||||
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) {
|
||||||
// dependsOn: [
|
// dependsOn: [
|
||||||
// modCustomPolicyDefinitions
|
// modCustomPolicyDefinitions
|
||||||
// ]
|
// ]
|
||||||
|
@ -392,7 +395,7 @@ module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignment
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-Resource-Diag
|
// Module - Policy Assignment - Deploy-Resource-Diag
|
||||||
module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployResourceDiag.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.intRoot)
|
scope: managementGroup(varManagementGroupIds.intRoot)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag
|
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag
|
||||||
params: {
|
params: {
|
||||||
|
@ -416,7 +419,7 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-VM-Monitoring
|
// Module - Policy Assignment - Deploy-VM-Monitoring
|
||||||
module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.intRoot)
|
scope: managementGroup(varManagementGroupIds.intRoot)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring
|
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring
|
||||||
params: {
|
params: {
|
||||||
|
@ -440,7 +443,7 @@ module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-VMSS-Monitoring
|
// Module - Policy Assignment - Deploy-VMSS-Monitoring
|
||||||
module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.intRoot)
|
scope: managementGroup(varManagementGroupIds.intRoot)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring
|
name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring
|
||||||
params: {
|
params: {
|
||||||
|
@ -465,7 +468,7 @@ module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignmen
|
||||||
|
|
||||||
// Modules - Policy Assignments - Connectivity Management Group
|
// Modules - Policy Assignments - Connectivity Management Group
|
||||||
// Module - Policy Assignment - Enable-DDoS-VNET
|
// Module - Policy Assignment - Enable-DDoS-VNET
|
||||||
module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
|
module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
|
||||||
scope: managementGroup(varManagementGroupIds.platformConnectivity)
|
scope: managementGroup(varManagementGroupIds.platformConnectivity)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet
|
name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet
|
||||||
params: {
|
params: {
|
||||||
|
@ -490,7 +493,7 @@ module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policy
|
||||||
|
|
||||||
// Modules - Policy Assignments - Identity Management Group
|
// Modules - Policy Assignments - Identity Management Group
|
||||||
// Module - Policy Assignment - Deny-Public-IP
|
// Module - Policy Assignment - Deny-Public-IP
|
||||||
module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIP.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp
|
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp
|
||||||
params: {
|
params: {
|
||||||
|
@ -506,7 +509,7 @@ module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyA
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-RDP-From-Internet
|
// Module - Policy Assignment - Deny-RDP-From-Internet
|
||||||
module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyRDPFromInternet.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRdpFromInternet
|
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRdpFromInternet
|
||||||
params: {
|
params: {
|
||||||
|
@ -522,7 +525,7 @@ module modPolicyAssignmentIdentDenyRdpFromInternet '../../../policy/assignments/
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-Subnet-Without-Nsg
|
// Module - Policy Assignment - Deny-Subnet-Without-Nsg
|
||||||
module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg
|
name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg
|
||||||
params: {
|
params: {
|
||||||
|
@ -538,7 +541,7 @@ module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-VM-Backup
|
// Module - Policy Assignment - Deploy-VM-Backup
|
||||||
module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
scope: managementGroup(varManagementGroupIds.platformIdentity)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup
|
name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup
|
||||||
params: {
|
params: {
|
||||||
|
@ -566,7 +569,7 @@ module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/polic
|
||||||
|
|
||||||
// Modules - Policy Assignments - Management Management Group
|
// Modules - Policy Assignments - Management Management Group
|
||||||
// Module - Policy Assignment - Deploy-Log-Analytics
|
// Module - Policy Assignment - Deploy-Log-Analytics
|
||||||
module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployLogAnalytics.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.platformManagement)
|
scope: managementGroup(varManagementGroupIds.platformManagement)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics
|
name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics
|
||||||
params: {
|
params: {
|
||||||
|
@ -606,7 +609,7 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po
|
||||||
|
|
||||||
// Modules - Policy Assignments - Landing Zones Management Group
|
// Modules - Policy Assignments - Landing Zones Management Group
|
||||||
// Module - Policy Assignment - Deny-IP-Forwarding
|
// Module - Policy Assignment - Deny-IP-Forwarding
|
||||||
module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding
|
||||||
params: {
|
params: {
|
||||||
|
@ -622,7 +625,7 @@ module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/polic
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-RDP-From-Internet
|
// Module - Policy Assignment - Deny-RDP-From-Internet
|
||||||
module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyRDPFromInternet.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyRdpFromInternet
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyRdpFromInternet
|
||||||
params: {
|
params: {
|
||||||
|
@ -638,7 +641,7 @@ module modPolicyAssignmentLzsDenyRdpFromInternet '../../../policy/assignments/po
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-Subnet-Without-Nsg
|
// Module - Policy Assignment - Deny-Subnet-Without-Nsg
|
||||||
module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg
|
||||||
params: {
|
params: {
|
||||||
|
@ -654,7 +657,7 @@ module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/p
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-VM-Backup
|
// Module - Policy Assignment - Deploy-VM-Backup
|
||||||
module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup
|
||||||
params: {
|
params: {
|
||||||
|
@ -681,7 +684,7 @@ module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyA
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Enable-DDoS-VNET
|
// Module - Policy Assignment - Enable-DDoS-VNET
|
||||||
module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
|
module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet
|
||||||
params: {
|
params: {
|
||||||
|
@ -705,7 +708,7 @@ module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyA
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-Storage-http
|
// Module - Policy Assignment - Deny-Storage-http
|
||||||
module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyStoragehttp.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp
|
||||||
params: {
|
params: {
|
||||||
|
@ -721,7 +724,7 @@ module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policy
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-AKS-Policy
|
// Module - Policy Assignment - Deploy-AKS-Policy
|
||||||
module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
|
||||||
params: {
|
params: {
|
||||||
|
@ -740,7 +743,7 @@ module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policy
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-Priv-Escalation-AKS
|
// Module - Policy Assignment - Deny-Priv-Escalation-AKS
|
||||||
module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks
|
||||||
params: {
|
params: {
|
||||||
|
@ -756,7 +759,7 @@ module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-Priv-Containers-AKS
|
// Module - Policy Assignment - Deny-Priv-Containers-AKS
|
||||||
module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks
|
||||||
params: {
|
params: {
|
||||||
|
@ -772,7 +775,7 @@ module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Enforce-AKS-HTTPS
|
// Module - Policy Assignment - Enforce-AKS-HTTPS
|
||||||
module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps
|
||||||
params: {
|
params: {
|
||||||
|
@ -788,7 +791,7 @@ module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policy
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Enforce-TLS-SSL
|
// Module - Policy Assignment - Enforce-TLS-SSL
|
||||||
module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceTLSSSL.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl
|
||||||
params: {
|
params: {
|
||||||
|
@ -804,7 +807,7 @@ module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAs
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-SQL-DB-Auditing
|
// Module - Policy Assignment - Deploy-SQL-DB-Auditing
|
||||||
module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlDbAuditing
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlDbAuditing
|
||||||
params: {
|
params: {
|
||||||
|
@ -823,7 +826,7 @@ module modPolicyAssignmentLzsDeploySqlDbAuditing '../../../policy/assignments/po
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-SQL-Threat
|
// Module - Policy Assignment - Deploy-SQL-Threat
|
||||||
module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLThreat.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZones)
|
scope: managementGroup(varManagementGroupIds.landingZones)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat
|
||||||
params: {
|
params: {
|
||||||
|
@ -843,7 +846,7 @@ module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policy
|
||||||
|
|
||||||
// Modules - Policy Assignments - Corp Management Group
|
// Modules - Policy Assignments - Corp Management Group
|
||||||
// Module - Policy Assignment - Deny-Public-Endpoints
|
// Module - Policy Assignment - Deny-Public-Endpoints
|
||||||
module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints
|
||||||
params: {
|
params: {
|
||||||
|
@ -859,7 +862,7 @@ module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/po
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-DataB-Pip
|
// Module - Policy Assignment - Deny-DataB-Pip
|
||||||
module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBPip.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBPip
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBPip
|
||||||
params: {
|
params: {
|
||||||
|
@ -875,7 +878,7 @@ module modPolicyAssignmentLzsDenyDataBPip '../../../policy/assignments/policyAss
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-DataB-Sku
|
// Module - Policy Assignment - Deny-DataB-Sku
|
||||||
module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBSku.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBSku
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBSku
|
||||||
params: {
|
params: {
|
||||||
|
@ -891,7 +894,7 @@ module modPolicyAssignmentLzsDenyDataBSku '../../../policy/assignments/policyAss
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deny-DataB-Vnet
|
// Module - Policy Assignment - Deny-DataB-Vnet
|
||||||
module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
|
module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if(!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyDataBVnet.libDefinition.name)) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBVnet
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyDataBVnet
|
||||||
params: {
|
params: {
|
||||||
|
@ -907,7 +910,7 @@ module modPolicyAssignmentLzsDenyDataBVnet '../../../policy/assignments/policyAs
|
||||||
}
|
}
|
||||||
|
|
||||||
// Module - Policy Assignment - Deploy-Private-DNS-Zones
|
// Module - Policy Assignment - Deploy-Private-DNS-Zones
|
||||||
module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) {
|
module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name))) {
|
||||||
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
scope: managementGroup(varManagementGroupIds.landingZonesCorp)
|
||||||
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones
|
name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones
|
||||||
params: {
|
params: {
|
||||||
|
|
|
@ -18,6 +18,7 @@ parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that
|
||||||
parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
|
parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
|
||||||
parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.
|
parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.
|
||||||
parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
|
parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
|
||||||
|
parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
|
||||||
parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
|
parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
|
||||||
|
|
||||||
### parTopLevelManagementGroupPrefix
|
### parTopLevelManagementGroupPrefix
|
||||||
|
@ -104,6 +105,12 @@ Name of the tag to use for excluding VMs from the scope of this policy. This sho
|
||||||
|
|
||||||
Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
|
Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.
|
||||||
|
|
||||||
|
### parExcludedPolicyAssignments
|
||||||
|
|
||||||
|
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
|
||||||
|
|
||||||
|
Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPoliciesAssigningPolicies.md#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments
|
||||||
|
|
||||||
### parTelemetryOptOut
|
### parTelemetryOptOut
|
||||||
|
|
||||||
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
|
![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
|
||||||
|
@ -160,6 +167,9 @@ Set Parameter to true to Opt-out of deployment telemetry
|
||||||
"parVmBackupExclusionTagValue": {
|
"parVmBackupExclusionTagValue": {
|
||||||
"value": []
|
"value": []
|
||||||
},
|
},
|
||||||
|
"parExcludedPolicyAssignments": {
|
||||||
|
"value": []
|
||||||
|
},
|
||||||
"parTelemetryOptOut": {
|
"parTelemetryOptOut": {
|
||||||
"value": false
|
"value": false
|
||||||
}
|
}
|
||||||
|
|
|
@ -38,6 +38,9 @@
|
||||||
"parVmBackupExclusionTagValue" : {
|
"parVmBackupExclusionTagValue" : {
|
||||||
"value": []
|
"value": []
|
||||||
},
|
},
|
||||||
|
"parExcludedPolicyAssignments" : {
|
||||||
|
"value": []
|
||||||
|
},
|
||||||
"parTelemetryOptOut": {
|
"parTelemetryOptOut": {
|
||||||
"value": false
|
"value": false
|
||||||
}
|
}
|
||||||
|
|