Azure
/
Enterprise-Scale
зеркало из https://github.com/Azure/Enterprise-Scale.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Adventure Works RI Update (Jan 2021) (#405) 

* policy update

* AventureWorks refresh
This commit is contained in:
Kristian Nese 2021-01-25 22:04:30 +01:00 коммит произвёл GitHub
Родитель 81d1f271f9
Коммит 10d6bbbf8f
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
8 изменённых файлов: 715 добавлений и 88 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

58
docs/reference/adventureworks/armTemplates/auxiliary/corp-peering-copy.json Normal file
Просмотреть файл

@ -0,0 +1,58 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string"
},
"corpConnectedLzSubscriptionId": {
"type": "array",
"defaultvalue": []
},
"connectivitySubscriptionId": {
"type": "string"
},
"location": {
"type": "string"
}
},
"variables": {
"deploymentUri": "[uri(deployment().properties.templateLink.uri, '../auxiliary/corp-policy-peering.json')]"
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), concat('peeringcopy', copyIndex()), 'na')]",
"location": "[parameters('location')]",
"copy": {
"name": "lzCorpConnectedCopy",
"count": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), length(parameters('corpConnectedLzSubscriptionId')), 1)]"
},
"subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUri')]"
},
"parameters": {
"connectivitySubscriptionId": {
"value": "[parameters('connectivitySubscriptionId')]"
},
"topLevelManagementGroupPrefix": {
"value": "[parameters('topLevelManagementGroupPrefix')]"
},
"location": {
"value": "[parameters('location')]"
},
"addresses": {
"value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].addresses]"
}
}
}
}
],
"outputs": {
}
}

106
docs/reference/adventureworks/armTemplates/auxiliary/corp-policy-peering.json Normal file
Просмотреть файл

@ -0,0 +1,106 @@
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"connectivitySubscriptionId": {
"type": "string"
},
"location": {
"type": "string"
},
"addresses": {
"type": "string"
},
"topLevelManagementGroupPrefix": {
"type": "string"
}
},
"variables": {
"hubResourceId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', parameters('topLevelManagementGroupPrefix'), '-connectivity', '/providers/Microsoft.Network/virtualNetworks/', parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
"rbacNameForLz": "[guid(subscription().id)]",
// "rbacNameForNConnectivity": "[guid(concat(parameters('addresses'), deployment().name))]",
"vNetPolicyAssignment": "VNet-to-corp",
// "connectivityManagementGroup": "[concat(parameters('topLevelManagementGroupPrefix'), '-connectivity')]",
"vNetpolicyDefinition": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke')]"
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-06-01",
"name": "[variables('vNetPolicyAssignment')]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "Connect-Vnet-to-hub",
"displayName": "Connect-Vnet-to-hub",
"policyDefinitionId": "[variables('vNetPolicyDefinition')]",
"parameters": {
"vNetName": {
"value": "[concat('corp-vnet-', subscription().subscriptionId)]"
},
"vNetRgName": {
"value": "[concat('corp-rg-vnet-', subscription().subscriptionId)]"
},
"vNetLocation": {
"value": "[parameters('location')]"
},
"vNetCidrRange": {
"value": "[parameters('addresses')]"
},
"hubResourceId": {
"value": "[variables('hubResourceId')]"
}
},
"scope": "[subscription().id]"
}
},
{
// Role assignment for the policy assignment to do on-behalf-of deployments
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[variables('rbacNameForLz')]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/policyAssignments', variables('vNetPolicyAssignment'))]"
],
"properties": {
"principalType": "ServicePrincipal",
"principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments/', variables('vNetPolicyAssignment')), '2019-06-01', 'Full').identity.principalId]",
"roleDefinitionId": "[reference(variables('vNetPolicyDefinition'), '2019-06-01').policyRule.then.details.roleDefinitionIds[0]]"
}
},
/*
{
// Role assignment on the connectivity hub to do on-behalf-of peering of the virtual network
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"scope": "[concat('Microsoft.Management/managementGroups/', variables('connectivityManagementGroup'))]",
"name": "[variables('rbacNameForNConnectivity')]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/policyAssignments', variables('vNetPolicyAssignment'))]",
"[resourceId('Microsoft.Authorization/roleAssignments', variables('rbacNameForLz'))]"
],
"properties": {
"principalType": "ServicePrincipal",
"principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('vNetPolicyAssignment')), '2019-06-01', 'Full').identity.principalId]",
"roleDefinitionId": "[reference(variables('vNetPolicyDefinition'), '2019-06-01').policyRule.then.details.roleDefinitionIds[0]]"
}
},*/
{
// Invoke the template deployment from the policyDefinition using parameters from the policyAssignment
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-08-01",
"name": "[concat('connect', variables('vNetPolicyAssignment'), parameters('connectivitySubscriptionId'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments', variables('rbacNameForLz'))]"
],
"properties": {
"mode": "Incremental",
"template": "[reference(variables('vNetPolicyDefinition'), '2018-05-01').policyRule.then.details.deployment.properties.template]",
"parameters": "[reference(resourceId('Microsoft.Authorization/policyAssignments/', variables('vNetPolicyAssignment')), '2018-05-01').parameters]"
}
}
]
}

110
docs/reference/adventureworks/armTemplates/auxiliary/diagnosticsAndSecurity.json
Просмотреть файл

@ -146,6 +146,10 @@
"type": "array",
"defaultValue": []
},
"corpConnectedLzSubscriptionId": {
"type": "array",
"defaultValue": []
},
"identitySubscriptionId": {
"type": "string",
"defaultValue": ""
@ -188,22 +192,28 @@
"deployResourceRiagnostics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').resourceDiagnostics))]"
},
"blankTemplateEscaped": "{\"$schema\":\"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{},\"variables\":{},\"resources\":[],\"outputs\":{}}",
"lzAscResourceDeploymentName": "[take(concat('asc-lz', deployment().location, deployment().name), 40)]",
"lzActivityResourceDeploymentName": "[take(concat('activity-lz', deployment().location, deployment().name), 40)]",
"mgAscResourceDeploymentName": "[take(concat('asc-mgmt', deployment().location, deployment().name), 40)]",
"mgActivityResourceDeploymentName": "[take(concat('activity-mgmt', deployment().location, deployment().name), 40)]",
"idAscResourceDeploymentName": "[take(concat('asc-identity', deployment().location, deployment().name), 40)]",
"idActivityResourceDeploymentName": "[take(concat('activity-identity', deployment().location, deployment().name), 40)]",
"connAscResourceDeploymentName": "[take(concat('asc-conn', deployment().location, deployment().name), 40)]",
"connActivityResourceDeploymentName": "[take(concat('activity-conn', deployment().location, deployment().name), 40)]",
"noOnlineLzActivityDeployment": "naOnlineActivity",
"noOnlineLzAscDeployment": "naOnlineAsc",
"noCorpLzActivityDeployment": "naCorpActivity",
"noCorpLzAscDeployment": "naCorpAsc",
"noIdActivityDeployment": "noIdActivity",
"noIdAscDeployment": "noIdAsc",
"noConnActivityDeployment": "noConnActivity",
"noConnAscDeployment": "noConnAscDeployment"
"onlineAscDeploymentName": "[take(concat('asc-online', deployment().location, deployment().name), 40)]",
"onlineActivityDeploymentName": "[take(concat('activity-online', deployment().location, deployment().name), 40)]",
"corpAscDeploymentName": "[take(concat('asc-corp', deployment().location, deployment().name), 40)]",
"corpActivityDeploymentName": "[take(concat('activity-corp', deployment().location, deployment().name), 40)]",
"mgmtAscResourceName": "[take(concat('asc-mgmt', deployment().location, deployment().name), 40)]",
"mgmtActivityDeploymentName": "[take(concat('activity-mgmt', deployment().location, deployment().name), 40)]",
"identityAscDeploymentName": "[take(concat('asc-identity', deployment().location, deployment().name), 40)]",
"identityActivityDeploymentName": "[take(concat('activity-identity', deployment().location, deployment().name), 40)]",
"connectivityAscDeploymentName": "[take(concat('asc-conn', deployment().location, deployment().name), 40)]",
"connectivityActivityDeploymentName": "[take(concat('activity-conn', deployment().location, deployment().name), 40)]",
"corpConnectedAscDeploymentName": "[take(concat('asc-corp-conn', deployment().location, deployment().name), 40)]",
"corpConnectedActivityDeploymentName": "[take(concat('activity-corp-conn', deployment().location, deployment().name), 40)]",
"noCorpConnectedAscDeployment": "naCorpConnectedAsc",
"noCorpConnectedActivityDeployment": "naCorpConnectedActivity",
"noOnlineActivityDeployment": "naOnlineActivity",
"noOnlineAscDeployment": "naOnlineAsc",
"noCorpActivityDeployment": "naCorpActivity",
"noCorpAscDeployment": "naCorpAsc",
"noIdentityActivityDeployment": "noIdActivity",
"noIdentityAscDeployment": "noIdAsc",
"noConnectivityActivityDeployment": "noConnActivity",
"noConnectivityAscDeployment": "noConnAscDeployment"
},
"resources": [
{
@ -514,7 +524,7 @@
"condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[variables('mgActivityResourceDeploymentName')]",
"name": "[variables('mgmtActivityDeploymentName')]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]"
@ -531,7 +541,7 @@
"condition": "[and(not(empty(parameters('identitySubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('identitySubscriptionId'))), variables('idActivityResourceDeploymentName'), variables('noIdActivityDeployment'))]",
"name": "[if(not(empty(parameters('identitySubscriptionId'))), variables('identityActivityDeploymentName'), variables('noIdentityActivityDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]"
@ -548,7 +558,7 @@
"condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('connectivitySubscriptionId'))), variables('connActivityResourceDeploymentName'), variables('noConnActivityDeployment'))]",
"name": "[if(not(empty(parameters('connectivitySubscriptionId'))), variables('connectivityActivityDeploymentName'), variables('noConnectivityActivityDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]"
@ -565,7 +575,7 @@
"condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableAsc'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[variables('mgAscResourceDeploymentName')]",
"name": "[variables('mgmtAscResourceName')]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]"
@ -582,7 +592,7 @@
"condition": "[and(not(empty(parameters('identitySubscriptionId'))), equals(parameters('enableAsc'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('identitySubscriptionId'))), variables('idAscResourceDeploymentName'), variables('noIdAscDeployment'))]",
"name": "[if(not(empty(parameters('identitySubscriptionId'))), variables('identityAscDeploymentName'), variables('noIdentityAscDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]"
@ -599,7 +609,7 @@
"condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableAsc'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('connectivitySubscriptionId'))), variables('connAscResourceDeploymentName'), variables('noConnAscDeployment'))]",
"name": "[if(not(empty(parameters('connectivitySubscriptionId'))), variables('connectivityAscDeploymentName'), variables('noConnectivityAscDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]"
@ -616,7 +626,7 @@
"condition": "[and(not(empty(parameters('onlineLzSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('onlineLzSubscriptionId'))), concat(variables('lzActivityResourceDeploymentName'), copyIndex()), variables('noOnlineLzActivityDeployment'))]",
"name": "[if(not(empty(parameters('onlineLzSubscriptionId'))), concat(variables('onlineActivityDeploymentName'), copyIndex()), variables('noOnlineActivityDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]"
@ -633,11 +643,11 @@
}
},
{
// Conditional ARM deployments to invoke template from ActivityLog diagnostics on corp subscription(s)
// Conditional ARM deployments to invoke template from ActivityLog diagnostics on corp (not connected) subscription(s)
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('corpLzSubscriptionId'))), concat(variables('lzActivityResourceDeploymentName'), copyIndex()), variables('noCorpLzActivityDeployment'))]",
"name": "[if(not(empty(parameters('corpLzSubscriptionId'))), concat(variables('corpActivityDeploymentName'), copyIndex()), variables('noCorpActivityDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]"
@ -653,12 +663,33 @@
"parameters": "[if(and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2018-05-01').parameters, json('null'))]"
}
},
{
// Conditional ARM deployments to invoke template from ActivityLog diagnostics on corp connected subscription(s)
"condition": "[and(not(empty(parameters('corpConnectedLzSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), concat(variables('corpConnectedActivityDeploymentName'), copyIndex()), variables('noCorpConnectedActivityDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]"
],
"copy": {
"name": "lzCorpActivityCopy",
"count": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), length(parameters('corpConnectedLzSubscriptionId')), 1)]"
},
"subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
"properties": {
"mode": "incremental",
"template": "[if(and(not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), reference(variables('policyDefinitions').deployAzureActivityLog, '2018-05-01').policyRule.then.details.deployment.properties.template, variables('blankTemplateEscaped'))]",
"parameters": "[if(and(not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2018-05-01').parameters, json('null'))]"
}
},
{
// Conditional ARM deployments to invoke template from ASC on online subscription(s)
"condition": "[and(not(empty(parameters('onlineLzSubscriptionId'))), equals(parameters('enableAsc'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('onlineLzSubscriptionId'))), concat(variables('lzAscResourceDeploymentName'), copyIndex()), variables('noOnlineLzAscDeployment'))]",
"name": "[if(not(empty(parameters('onlineLzSubscriptionId'))), concat(variables('onlineAscDeploymentName'), copyIndex()), variables('noOnlineAscDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]"
@ -675,11 +706,11 @@
}
},
{
// Conditional ARM deployments to invoke template from ASC on corp subscription(s)
// Conditional ARM deployments to invoke template from ASC on corp (not connected) subscription(s)
"condition": "[and(not(empty(parameters('corpLzSubscriptionId'))), equals(parameters('enableAsc'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('corpLzSubscriptionId'))), concat(variables('lzAscResourceDeploymentName'), copyIndex()), variables('noCorpLzAscDeployment'))]",
"name": "[if(not(empty(parameters('corpLzSubscriptionId'))), concat(variables('corpAscDeploymentName'), copyIndex()), variables('noCorpAscDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]"
@ -694,7 +725,28 @@
"template": "[if(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableAsc'), 'Yes')), reference(variables('policyDefinitions').deployAzureSecurity, '2018-05-01').policyRule.then.details.deployment.properties.template, 'na')]",
"parameters": "[if(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableAsc'), 'Yes')), reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2018-05-01').parameters, json('null'))]"
}
}
},
{
// Conditional ARM deployments to invoke template from ASC on corp connected subscription(s)
"condition": "[and(not(empty(parameters('corpConnectedLzSubscriptionId'))), equals(parameters('enableAsc'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), concat(variables('corpConnectedAscDeploymentName'), copyIndex()), variables('noCorpAscDeployment'))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]"
],
"copy": {
"name": "lzCorpAscCopy",
"count": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), length(parameters('corpConnectedLzSubscriptionId')), 1)]"
},
"subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
"properties": {
"mode": "incremental",
"template": "[if(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableAsc'), 'Yes')), reference(variables('policyDefinitions').deployAzureSecurity, '2018-05-01').policyRule.then.details.deployment.properties.template, 'na')]",
"parameters": "[if(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableAsc'), 'Yes')), reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2018-05-01').parameters, json('null'))]"
}
}
],
"outputs": {}
}

95
docs/reference/adventureworks/armTemplates/auxiliary/policies.json
Просмотреть файл

@ -6263,7 +6263,7 @@
"existenceScope": "ResourceGroup",
"resourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",
@ -10000,6 +10000,95 @@
},
"name": "Deny-Subnet-Without-Nsg"
},
{
"properties": {
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "Indexed",
"description": "This policy denies the creation of a subsnet with out a User Defined Route.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
},
"name": "Deny-Subnet-Without-Udr"
},
{
"Properties": {
"Description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
"DisplayName": "Deny vNet peering cross subscription.",
"Mode": "Indexed",
"metadata": {
"version": "1.0.0.0",
"category": "Network"
},
"Parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"PolicyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
},
{
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
"notcontains": "[[subscription().id]"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
},
"name": "Deny-VNET-Peer-Cross-Sub"
},
{
"properties": {
"Description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
@ -14401,7 +14490,7 @@
"name": "[[parameters('vwanname')]",
"resourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",
@ -14579,7 +14668,7 @@
"existenceScope": "ResourceGroup",
"ResourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",

70
docs/reference/adventureworks/armTemplates/es-hubspoke.json
Просмотреть файл

@ -79,6 +79,13 @@
"description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones."
}
},
"corpConnectedLzSubscriptionId": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub."
}
},
"enableLogAnalytics": {
"type": "string",
"defaultValue": "No",
@ -442,12 +449,14 @@
"connectivity": "[uri(deployment().properties.templateLink.uri, 'auxiliary/hubspoke-connectivity.json')]",
"diagnosticsAndSecurity": "[uri(deployment().properties.templateLink.uri, 'auxiliary/diagnosticsAndSecurity.json')]",
"landingZone": "[uri(deployment().properties.templateLink.uri, 'auxiliary/lz.json')]",
"identity": "[uri(deployment().properties.templateLink.uri, 'auxiliary/identity.json')]"
"identity": "[uri(deployment().properties.templateLink.uri, 'auxiliary/identity.json')]",
"corpConnectedLzs": "[uri(deployment().properties.templateLink.uri, 'auxiliary/corp-peering-copy.json')]"
},
"moveSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-management', '/', parameters('managementSubscriptionId'))]",
"noSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-management', '/', 'na')]",
"noOnlineLzSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-online', '/', 'nalz')]",
"noCorpLzSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-corp', '/', 'nalz')]",
"noCorpConnectedLzSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-corp', '/', 'naconnect')]",
"connectivityMoveSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity', '/', parameters('connectivitySubscriptionId'))]",
"noConnectivitySubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity', '/', 'naconn')]",
"identityMoveSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-identity', '/', parameters('identitySubscriptionId'))]",
@ -458,9 +467,10 @@
"monitoringDeploymentName": "[take(concat('EntScale-Monitoring', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]",
"monitoringSolutionsDeploymentName": "[take(concat('EntScale-Solutions', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]",
"diagAndSecDeploymentName": "[take(concat('EntScale-DiagSec', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]",
"connectivityDeploymentName": "[take(concat('EntScale-conn', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]",
"connectivityDeploymentName": "[take(concat('EntScale-Networking', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]",
"lzDeploymentName": "[take(concat('EntScale-LZ', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]",
"identityDeploymentName": "[take(concat('EntScale-ID', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]"
"identityDeploymentName": "[take(concat('EntScale-Identity', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]",
"corpConnectedDeploymentName": "[take(concat('EntScale-lz-connectivity', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]"
}
},
"resources": [
@ -573,11 +583,25 @@
"[variables('deploymentNames').mgmtGroupDeploymentName]"
],
"copy": {
"name": "onlineLzMove",
"name": "corpLzMove",
"count": "[length(parameters('corpLzSubscriptionId'))]"
},
"properties": {}
},
},
{
"condition": "[not(empty(parameters('corpConnectedLzSubscriptionId')))]",
"type": "Microsoft.Management/managementGroups/subscriptions",
"apiVersion": "2020-05-01",
"name": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), concat(parameters('enterpriseScaleCompanyPrefix'), '-corp', '/', parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs), variables('noCorpConnectedLzSubscription'))]",
"dependsOn": [
"[variables('deploymentNames').mgmtGroupDeploymentName]"
],
"copy": {
"name": "connectedCorpLzMove",
"count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
},
"properties": {}
},
{
"condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
@ -820,6 +844,9 @@
"corpLzSubscriptionId": {
"value": "[parameters('corpLzSubscriptionId')]"
},
"corpConnectedLzSubscriptionId": {
"value": "[parameters('corpConnectedLzSubscriptionId')]"
},
"identitySubscriptionId": {
"value": "[parameters('identitySubscriptionId')]"
},
@ -901,6 +928,39 @@
}
}
}
},
{
"condition": "[and(not(empty(parameters('corpConnectedLzSubscriptionId'))),equals(parameters('enableHub'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-05-01",
"scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'), '-corp')]",
"name": "[variables('deploymentNames').corpConnectedDeploymentName]",
"dependsOn": [
"[variables('deploymentNames').connectivityDeploymentName]",
"[variables('deploymentNames').diagAndSecDeploymentName]"
],
"location": "[deployment().location]",
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').corpConnectedLzs]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"corpConnectedLzSubscriptionId": {
"value": "[parameters('corpConnectedLzSubscriptionId')]"
},
"connectivitySubscriptionId": {
"value": "[parameters('connectivitySubscriptionId')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
}
],
"outputs": {

174
docs/reference/adventureworks/armTemplates/portal-es-hubspoke.json
Просмотреть файл

@ -67,7 +67,7 @@
"options": {
"icon": "Info",
"text": "To enable platform management, security and governance, you must allocate a management Subscription. Please note, this Subscription will be moved to the platform Management Group, and ARM will deploy a Log Analytics workspace and requisite settings. We recommend using a new Subscription with no existing resources. Note that Azure Policy will be used to govern the configuration for the platform at scale.",
"uri": "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/Readme.md"
"uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring"
}
},
{
@ -551,13 +551,13 @@
"options": {
"icon": "Info",
"text": "To enable Hub & Spoke connectivity, you must allocate a connectivity Subscription. Please note, this Subscription will be moved to the connectivity Management Group, and ARM will deploy the first networking hub and requisite settings. We recommend using a new Subscription with no existing resources.",
"uri": "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/Readme.md"
"uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity#traditional-azure-networking-topology"
}
},
{
"name": "esHub",
"type": "Microsoft.Common.OptionsGroup",
"label": "Deploy virtual hub",
"label": "Deploy virtual hub network",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy virtual network for hub",
"constraints": {
@ -601,7 +601,7 @@
{
"name": "esAddressHub",
"type": "Microsoft.Common.TextBox",
"label": "Address space (required for virtual network hub)",
"label": "Address space (required for hub virtual hub)",
"toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/16)",
"defaultValue": "10.100.0.0/16",
"visible": "[equals(steps('esConnectivityGoalState').esHub, 'Yes')]",
@ -751,7 +751,7 @@
"options": {
"icon": "Info",
"text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. We recommend using a new Subscription with no existing resources.",
"uri": "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/Readme.md"
"uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management"
}
},
{
@ -908,18 +908,137 @@
"options": {
"icon": "Info",
"text": "You can optionally provide subscriptions for your first landing zones for both 'online' and 'corp' and assign recommended policies that will ensure workloads will be secure, monitored, and protected according to best practices.",
"uri": "https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/ES-schema.md"
"uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance"
}
},
{
"name": "corpText",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Select the subscriptions you want to move to corp management group.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
}
}
},
{
"name": "esLzConnectivity",
"type": "Microsoft.Common.OptionsGroup",
"label": "Connect corp landing zones to the connectivity hub (optional)?",
"defaultValue": "[if(equals(steps('esConnectivityGoalState').esHub, 'Yes'), 'Yes (recommended)', 'No')]",
"toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "Yes"
},
{
"label": "No",
"value": "No"
}
]
},
"visible": "[equals(steps('esConnectivityGoalState').esHub, 'Yes')]"
},
{
"name": "lzCorpSubsApi",
"type": "Microsoft.Solutions.ArmApiControl",
"request": {
"method": "GET",
"path": "subscriptions?api-version=2020-01-01"
}
},
{
"name": "esCorpLzSub",
"type": "Microsoft.Common.DropDown",
"label": "Corp landing zone subscriptions (optional)",
"toolTip": "",
"multiselect": true,
"selectAll": true,
"filter": true,
"filterPlaceholder": "Filter items ...",
"multiLine": true,
"visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'No'), equals(steps('lzGoalState').esLzConnectivity, 'No'))]",
"constraints": {
"allowedValues": "[map(steps('lzGoalState').lzCorpSubsApi.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]",
"required": false
}
},
{
"name": "lzConnectedSubs",
"type": "Microsoft.Common.EditableGrid",
"ariaLabel": "Add existing subscriptions into the management group landing zone and provide address space for virtual network peering",
"label": "Corp connected landing zone subscriptions (optional)",
"visible": "[equals(steps('lzGoalState').esLzConnectivity, 'Yes')]",
"constraints": {
"width": "Full",
"rows": {
"count": {
"min": 1,
"max": 10
}
},
"columns": [
{
"id": "subs",
"header": "Subscription",
"width": "1fr",
"element": {
"name": "esLzConnectedSub",
"type": "Microsoft.Common.DropDown",
"label": "Landing zone subscription",
"toolTip": "",
"multiselect": false,
"selectAll": false,
"filter": true,
"filterPlaceholder": "Filter items ...",
"multiLine": false,
"constraints": {
"allowedValues": "[map(steps('lzGoalState').lzSubsApi.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]",
"required": false
}
}
},
{
"id": "addresses",
"header": "Virtual Network Address space",
"width": "1fr",
"element": {
"type": "Microsoft.Common.TextBox",
"placeholder": "Ensure there are no overlapping IP addresses!",
"constraints": {
"required": true,
"validations": [
{
"message": "Only alphanumeric characters are allowed, and the value must be 1-30 characters long."
}
]
}
}
}
]
}
},
{
"name": "lzSubsApi",
"type": "Microsoft.Solutions.ArmApiControl",
"request": {
"method": "GET",
"path": "subscriptions?api-version=2020-01-01"
}
},
{
"name": "onlineText",
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('esGoalState').esLogAnalytics, 'Yes')]",
"visible": true,
"options": {
"text": "Select the subscriptions you want to move to online management group.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions"
"uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
}
}
},
@ -947,42 +1066,6 @@
"required": false
}
},
{
"name": "corpText",
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('esGoalState').esLogAnalytics, 'Yes')]",
"options": {
"text": "Select the subscriptions you want to move to corp management group.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions"
}
}
},
{
"name": "lzCorpSubsApi",
"type": "Microsoft.Solutions.ArmApiControl",
"request": {
"method": "GET",
"path": "subscriptions?api-version=2020-01-01"
}
},
{
"name": "esCorpLzSub",
"type": "Microsoft.Common.DropDown",
"label": "Corp landing zone subscriptions (optional)",
"toolTip": "",
"multiselect": true,
"selectAll": true,
"filter": true,
"filterPlaceholder": "Filter items ...",
"multiLine": true,
"visible": true,
"constraints": {
"allowedValues": "[map(steps('lzGoalState').lzCorpSubsApi.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]",
"required": false
}
},
{
"name": "azMonText",
"type": "Microsoft.Common.TextBlock",
@ -1332,7 +1415,8 @@
"retentionInDays": "[string(steps('esGoalState').esLogRetention)]",
"enableVmMonitoring": "[steps('lzGoalState').esVmMonitoring]",
"enableVmssMonitoring": "[steps('lzGoalState').esVmssMonitoring]",
"enableArcMonitoring": "[steps('lzGoalState').esArcVmMonitoring]"
"enableArcMonitoring": "[steps('lzGoalState').esArcVmMonitoring]",
"corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esCorpLzSub, steps('esGoalState').esMgmtSub)), not(contains(steps('lzGoalState').esCorpLzSub, steps('esConnectivityGoalState').esConnectivitySub))), steps('lzGoalState').lzConnectedSubs, '')]"
}
}
}

95
docs/reference/contoso/armTemplates/auxiliary/policies.json
Просмотреть файл

@ -6263,7 +6263,7 @@
"existenceScope": "ResourceGroup",
"resourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",
@ -10000,6 +10000,95 @@
},
"name": "Deny-Subnet-Without-Nsg"
},
{
"properties": {
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "Indexed",
"description": "This policy denies the creation of a subsnet with out a User Defined Route.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
},
"name": "Deny-Subnet-Without-Udr"
},
{
"Properties": {
"Description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
"DisplayName": "Deny vNet peering cross subscription.",
"Mode": "Indexed",
"metadata": {
"version": "1.0.0.0",
"category": "Network"
},
"Parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"PolicyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
},
{
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
"notcontains": "[[subscription().id]"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
},
"name": "Deny-VNET-Peer-Cross-Sub"
},
{
"properties": {
"Description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
@ -14401,7 +14490,7 @@
"name": "[[parameters('vwanname')]",
"resourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",
@ -14579,7 +14668,7 @@
"existenceScope": "ResourceGroup",
"ResourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",

95
docs/reference/wingtip/armTemplates/auxiliary/policies.json
Просмотреть файл

@ -6263,7 +6263,7 @@
"existenceScope": "ResourceGroup",
"resourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",
@ -10000,6 +10000,95 @@
},
"name": "Deny-Subnet-Without-Nsg"
},
{
"properties": {
"displayName": "Subnets should have a User Defined Route",
"policyType": "Custom",
"mode": "Indexed",
"description": "This policy denies the creation of a subsnet with out a User Defined Route.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
"exists": "false"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
},
"name": "Deny-Subnet-Without-Udr"
},
{
"Properties": {
"Description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
"DisplayName": "Deny vNet peering cross subscription.",
"Mode": "Indexed",
"metadata": {
"version": "1.0.0.0",
"category": "Network"
},
"Parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"PolicyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
},
{
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
"notcontains": "[[subscription().id]"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
},
"name": "Deny-VNET-Peer-Cross-Sub"
},
{
"properties": {
"Description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
@ -14401,7 +14490,7 @@
"name": "[[parameters('vwanname')]",
"resourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",
@ -14579,7 +14668,7 @@
"existenceScope": "ResourceGroup",
"ResourceGroupName": "[[parameters('rgName')]",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"location": "northeurope",